Edit tour

Windows Analysis Report
magicline4nx_setup.exe

Overview

General Information

Sample Name:	magicline4nx_setup.exe
Analysis ID:	755310
MD5:	7cec32c04fdae116ab0f7f4fd8372abd
SHA1:	8b87b2536fc29ced5a2a242bf0ae1d9d3b5b2d2b
SHA256:	aee4831c12dc0cb1c46544cb2319f018d9f16c7a23592008a580a7a605e7ca1f
Infos:

Detection

GuLoader, UACMe

Score:	90
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	33
Range:	0 - 100

Signatures

Detected unpacking (changes PE section rights)

Yara detected GuLoader

Yara detected UACMe UAC Bypass tool

Uses netsh to modify the Windows network and firewall settings

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to evade debugger and weak emulator (self modifying code)

DLL side loading technique detected

Modifies Internet Explorer zone settings

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

PE file contains section with special chars

Hides threads from debuggers

Overwrites Mozilla Firefox settings

Installs new ROOT certificates

Changes security center settings (notifications, updates, antivirus, firewall)

Modifies the windows firewall

Drops certificate files (DER)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to dynamically determine API calls

EXE planting / hijacking vulnerabilities found

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

Checks for debuggers (devices)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Creates files inside the system directory

PE file contains sections with non-standard names

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Entry point lies outside standard sections

Enables debug privileges

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains capabilities to detect virtual machines

Uses taskkill to terminate processes

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64_ra

magicline4nx_setup.exe (PID: 5736 cmdline: C:\Users\user\Desktop\magicline4nx_setup.exe MD5: 7CEC32C04FDAE116AB0F7F4FD8372ABD)

cmd.exe (PID: 6204 cmdline: "C:\Windows\System32\cmd.exe" /C taskkill /f /im NTSMagicLineNP.exe MD5: 4943BA1A9B41D69643F69685E35B2943)

conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

taskkill.exe (PID: 6260 cmdline: taskkill /f /im NTSMagicLineNP.exe MD5: 07D18817187E87CFC6AB2A4670061AE0)

sc.exe (PID: 6288 cmdline: sc stop MagicLine4NXSVC MD5: 3A070609B1569EDEBABDC6466E8FA36C)

conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

sc.exe (PID: 6380 cmdline: sc delete MagicLine4NXSVC MD5: 3A070609B1569EDEBABDC6466E8FA36C)

conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

cmd.exe (PID: 6436 cmdline: "C:\Windows\System32\cmd.exe" /C taskkill /f /im MagicLine4NX.exe MD5: 4943BA1A9B41D69643F69685E35B2943)

conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

taskkill.exe (PID: 6484 cmdline: taskkill /f /im MagicLine4NX.exe MD5: 07D18817187E87CFC6AB2A4670061AE0)

certmgr.exe (PID: 6512 cmdline: "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe" -add dreamsecurity-rootca.der -c -s -r localMachine Root MD5: 3A73031809C7DC0BB9BCE2F366345101)

conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

cscript.exe (PID: 6564 cmdline: cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefoxCheck.vbs" "MagicLine4NX MD5: 86EF3CCA8FF54D585BC29699EE1ADC00)

conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

certutil.exe (PID: 6652 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default" -n "Dreamsecurity ROOT CA MD5: F2F7AA96E4E4BFCB04643ECADEDB3A14)

conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

certutil.exe (PID: 6712 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release" -n "Dreamsecurity ROOT CA MD5: F2F7AA96E4E4BFCB04643ECADEDB3A14)

conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

cscript.exe (PID: 6820 cmdline: cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefox.vbs" "MagicLine4NX MD5: 86EF3CCA8FF54D585BC29699EE1ADC00)

conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

certutil.exe (PID: 6908 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default MD5: F2F7AA96E4E4BFCB04643ECADEDB3A14)

conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

certutil.exe (PID: 7088 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release MD5: F2F7AA96E4E4BFCB04643ECADEDB3A14)

conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

netsh.exe (PID: 6480 cmdline: netsh advfirewall firewall delete rule name="MagicLine4NX" program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" MD5: 718A726FCC5EFCE3529E7A244D87F13F)

conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

netsh.exe (PID: 6540 cmdline: netsh advfirewall firewall add rule name="MagicLine4NX" dir=in action=allow program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" enable=yes MD5: 718A726FCC5EFCE3529E7A244D87F13F)

conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

CheckNetIsolation.exe (PID: 6668 cmdline: CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe" MD5: 2FBEB635ADD6F73B226EE4BE660201BB)

conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

CheckNetIsolation.exe (PID: 6732 cmdline: CheckNetIsolation LoopbackExempt -a -n="Microsoft.Windows.Spartan_cw5n1h2txyewy" MD5: 2FBEB635ADD6F73B226EE4BE660201BB)

conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

MagicLine4NX.exe (PID: 5700 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe MD5: A98F6351876129FED4A6CA7DB7CBD721)

MagicLine4NXServices.exe (PID: 6760 cmdline: "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe" -install MD5: 877F2A6FC5DA85AA4C9B38943EF21EAE)

conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

sc.exe (PID: 1156 cmdline: sc start MagicLine4NXSVC MD5: 3A070609B1569EDEBABDC6466E8FA36C)

conhost.exe (PID: 1392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

svchost.exe (PID: 5992 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc MD5: 9520A99E77D6196D0D09833146424113)

svchost.exe (PID: 6936 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s DoSvc MD5: 9520A99E77D6196D0D09833146424113)

svchost.exe (PID: 6996 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 9520A99E77D6196D0D09833146424113)

SgrmBroker.exe (PID: 7040 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: C51AA0BB954EA45E85572E6CC29BA6F4)

svchost.exe (PID: 7068 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc MD5: 9520A99E77D6196D0D09833146424113)

svchost.exe (PID: 6272 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: 9520A99E77D6196D0D09833146424113)

svchost.exe (PID: 6348 cmdline: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: 9520A99E77D6196D0D09833146424113)

MagicLine4NXServices.exe (PID: 1936 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe MD5: 877F2A6FC5DA85AA4C9B38943EF21EAE)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x19e020:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x19e020:$c1: Elevation:Administrator!new: 0x1a44f8:$c1: Elevation:Administrator!new:
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1579576184.0000000000501000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x1820:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1820:$c1: Elevation:Administrator!new: 0x7cf8:$c1: Elevation:Administrator!new:
0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000003.1580731607.0000000000553000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x19e040:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x19e040:$c1: Elevation:Administrator!new: 0x1a4518:$c1: Elevation:Administrator!new:
0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x14bde0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x14bde0:$c1: Elevation:Administrator!new:
0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000003.1209899240.0000000000542000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x242de0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x242de0:$c1: Elevation:Administrator!new:
0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: magicline4nx_setup.exe PID: 5736	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
Process Memory Space: MagicLine4NX.exe PID: 5700	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
43.2.MagicLine4NX.exe.6df70000.5.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x19e020:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x19e020:$c1: Elevation:Administrator!new: 0x1a44f8:$c1: Elevation:Administrator!new:
43.2.MagicLine4NX.exe.6df70000.5.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe	Code function: 13_2_00221829 GetModuleHandleA,CryptInitOIDFunctionSet,CryptInstallOIDFunctionAddress,	13_2_00221829
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe	Code function: 13_2_00221A91 strtok,strtok,strtok,SetLastError,CryptEncodeObject,CryptEncodeObject,CryptEncodeObject,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertSetCRLContextProperty,CertSetCRLContextProperty,CertSetCRLContextProperty,CertEnumCertificatesInStore,CertFreeCertificateContext,	13_2_00221A91
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E019960 legacy_SetCryptFunctions,	17_2_6E019960

Exploits

Yara detected UACMe UAC Bypass tool

Source: Yara match	File source: 43.2.MagicLine4NX.exe.6df70000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MagicLine4NX.exe PID: 5700, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll, type: DROPPED

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	EXE: cscript.exe	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	EXE: netsh.exe	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	EXE: sc.exe	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	EXE: CheckNetIsolation.exe	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	EXE: cscript.exe	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	EXE: netsh.exe	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	EXE: sc.exe	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	EXE: CheckNetIsolation.exe	Jump to behavior

Uses 32bit PE files

Source: magicline4nx_setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Creates install or setup log file

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

File created: C:\Users\user\AppData\Local\DreamSecurity\MagicLine4NX\logs\install-202211281523.log

Jump to behavior

PE / OLE file has a valid certificate

Source: magicline4nx_setup.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: magicline4nx_setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: CertMgr.pdb source: certmgr.exe, certmgr.exe, 0000000D.00000000.1265517894.0000000000221000.00000020.00000001.01000000.0000000A.sdmp, certmgr.exe, 0000000D.00000002.1269714571.0000000000221000.00000020.00000001.01000000.0000000A.sdmp, certmgr.exe.0.dr
Source:	Binary string: F:\DEV\svn\MagicLineNP\trunk\Code\window\MagicLineNXServices\lib\Win32\Release\MagicLine4NXServices.pdb source: MagicLine4NXServices.exe, 0000002C.00000003.1486510887.0000000005140000.00000004.00001000.00020000.00000000.sdmp, MagicLine4NXServices.exe, 0000002C.00000002.1498312164.0000000000771000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: C:\openssl-1.0.1u\out32dll\ssleay32.pdbfk7RCMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgN8 source: MagicLine4NX.exe, 0000002B.00000002.2480365493.0000000005C88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\projects\01.MagicAPI\DSToolkitV3\proj\vs2008\bin32\DSCToolkitV30-v3.4.2.20.pdb source: MagicLine4NX.exe, 0000002B.00000003.1521469654.0000000005DF8000.00000004.00000800.00020000.00000000.sdmp, MagicLine4NX.exe, 0000002B.00000002.2523885578.000000006E490000.00000002.00000001.01000000.0000001D.sdmp, DSCToolkitV30-v3.4.2.20.dll.0.dr
Source:	Binary string: F:\DEV\svn\MagicLineNP\trunk\Code\window\LocalServerNTS\NTSMagicLineNP\NTSMagicLineNP\lib\Win32\Release\MagicLine4NX.pdb source: MagicLine4NX.exe, 0000002B.00000002.2445190032.0000000000A9F000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WaaSMedicSvc.pdb source: waasmedic.20221128_142248_759.etl.34.dr
Source:	Binary string: C:\openssl-1.0.1u\out32dll\ssleay32.pdb source: MagicLine4NX.exe, 0000002B.00000002.2480365493.0000000005C88000.00000004.00000020.00020000.00000000.sdmp, ssleay32.dll.0.dr
Source:	Binary string: C:\openssl-1.0.1u\out32dll\libeay32.pdb source: libeay32.dll.0.dr

Spreading

Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFDD673 FindFirstFileExA,	17_2_6DFDD673
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E02F393 FindFirstFileExA,	17_2_6E02F393
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E159CF0 __mbsinc,FindFirstFileA,GetLastError,	19_2_6E159CF0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E17300F FindFirstFileExA,	19_2_6E17300F
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1952CD FindFirstFileExA,	19_2_6E1952CD
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E282291 FindFirstFileExA,	19_2_6E282291

Networking

Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: magicline4nx_setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: magicline4nx_setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: certmgr.exe, 0000000D.00000002.1270248784.000000000109D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: certmgr.exe, 0000000D.00000002.1270248784.000000000109D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: magicline4nx_setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: magicline4nx_setup.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: magicline4nx_setup.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: magicline4nx_setup.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ids.smartcert.kr
Source: magicline4nx_setup.exe, MagicLine4NX_Uninstall.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: magicline4nx_setup.exe, MagicLine4NX_Uninstall.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: cert9.db.30.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: magicline4nx_setup.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: magicline4nx_setup.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: MagicLine4NX.exe, 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pcro.mobilesign.net/mini_cert_install.html
Source: MagicLine4NX.exe, 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pcro.mobilesign.net/mini_cert_install.html679865F99D3C364AE1795B826BF546FAB3AC7343
Source: MagicLine4NX.exe, 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://rootca.kisa.or.kr/kor/hsm/hsm.jsp
Source: MagicLine4NX.exe, 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://rootca.kisa.or.kr/kor/hsm/hsm.jspPKCS#11.DriverDriver
Source: magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://t2.symcb.com0
Source: magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://tl.symcd.com0&
Source: MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: MagicLine4NXServices.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: svchost.exe, 0000001B.00000002.1458155402.00000168B2013000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: magicline4nx_setup.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: nspr4.dll.0.dr, plds4.dll.0.dr	String found in binary or memory: http://www.mozilla.org/MPL/
Source: certutil.exe, 00000011.00000002.1304484929.000000006E14C000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 00000013.00000002.1320842301.000000006E19C000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 00000018.00000002.1354269108.000000006E1BC000.00000002.00000001.01000000.00000013.sdmp, plds4.dll.0.dr	String found in binary or memory: http://www.mozilla.org/MPL/(
Source: libplds4.dll.0.dr, libnspr4.dll.0.dr, libplc4.dll.0.dr	String found in binary or memory: http://www.mozilla.org/MPL/Copyright
Source: certutil.exe, 00000011.00000002.1304886701.000000006E19A000.00000002.00000001.01000000.00000014.sdmp, certutil.exe, 00000013.00000002.1320516598.000000006E17A000.00000002.00000001.01000000.00000014.sdmp, nspr4.dll.0.dr	String found in binary or memory: http://www.mozilla.org/MPL/NSPR_FD_CACHE_SIZE_LOWNSPR_FD_CACHE_SIZE_HIGH;
Source: MagicLine4NX.exe, 0000002B.00000002.2487204433.000000000616E000.00000002.00000001.01000000.00000023.sdmp, MagicLine4NX.exe, 0000002B.00000003.1534700572.0000000005DF0000.00000004.00000800.00020000.00000000.sdmp, MagicLine4NX.exe, 0000002B.00000002.2482809862.000000000603E000.00000002.00000001.01000000.00000022.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr	String found in binary or memory: http://www.openssl.org/V
Source: MagicLine4NX.exe, 0000002B.00000002.2485841132.0000000006112000.00000002.00000001.01000000.00000023.sdmp, MagicLine4NX.exe, 0000002B.00000003.1534700572.0000000005DF0000.00000004.00000800.00020000.00000000.sdmp, libeay32.dll.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: MagicLine4NX.exe, 0000002B.00000002.2485841132.0000000006112000.00000002.00000001.01000000.00000023.sdmp, MagicLine4NX.exe, 0000002B.00000003.1534700572.0000000005DF0000.00000004.00000800.00020000.00000000.sdmp, libeay32.dll.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: MagicLine4NX.exe, 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ubikey.co.kr/infovine/download.html
Source: MagicLine4NX.exe, 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ubikey.co.kr/infovine/download.html1.4.0.2609100003www.dreamsecurity.comcenter.smartcert.
Source: svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp, CDPGlobalSettings.cdp.2.dr	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.comds
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bn2-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000001B.00000003.1454329560.00000168B2046000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1461738208.00000168B2074000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455339476.00000168B2045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1451546459.00000168B2072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000001B.00000002.1460315787.00000168B205C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455845312.00000168B205B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1460766990.00000168B2065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000001B.00000002.1460315787.00000168B205C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455845312.00000168B205B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000001B.00000003.1451546459.00000168B2072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1451546459.00000168B2072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000001B.00000002.1460315787.00000168B205C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455845312.00000168B205B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1460766990.00000168B2065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000001B.00000002.1459496867.00000168B2042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1456581081.00000168B2041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Stops/
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1460652418.00000168B2063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1454329560.00000168B2046000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001B.00000003.1451838018.00000168B204D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000001B.00000003.1451546459.00000168B2072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000001B.00000003.1453797692.00000168B205E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455339476.00000168B2045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 0000001B.00000003.1456646604.00000168B2047000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000001B.00000003.1350499738.00000168B2036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1460766990.00000168B2065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
Source: svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://global.notify.windows.com/v2/register/xplatform/device
Source: MagicLine4NX.exe, 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mobi.yessign.or.kr/mobisignInstall.htm
Source: MagicLine4NX.exe, 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mobi.yessign.or.kr/mobisignInstall.htmsiteCode6070059serviceOptubikeyUbikeylParamUbikeyWPara
Source: svchost.exe, 0000001B.00000003.1456581081.00000168B2041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000001B.00000002.1459384486.00000168B203F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455339476.00000168B2045000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000001B.00000003.1456496932.00000168B2044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1454329560.00000168B2046000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000001B.00000003.1350499738.00000168B2036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000001B.00000003.1456789529.00000168B206D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1451717440.00000168B206C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001B.00000003.1456496932.00000168B2044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1454329560.00000168B2046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1456646604.00000168B2047000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, magicline4nx_setup.exe, cert9.db-journal.30.dr, cert9.db.30.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 19_2_6E15AFD0 recvfrom,WSAGetLastError,select,select,recvfrom,WSAGetLastError,

19_2_6E15AFD0

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity.com.der			Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der			Jump to dropped file

System Summary

PE file contains section with special chars

Source: MagicLine4NX.exe.0.dr	Static PE information: section name:
Source: MagicLine4NX.exe.0.dr	Static PE information: section name: .idata
Source: MagicLine4NX.exe.0.dr	Static PE information: section name:
Source: MagicLine4NXServices.exe.0.dr	Static PE information: section name:
Source: MagicLine4NXServices.exe.0.dr	Static PE information: section name: .idata
Source: MagicLine4NXServices.exe.0.dr	Static PE information: section name:

Detected potential crypto function

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD1DE0	17_2_6DFD1DE0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DF9AD80	17_2_6DF9AD80
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA7570	17_2_6DFA7570
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFBA560	17_2_6DFBA560
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA2549	17_2_6DFA2549
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFBED20	17_2_6DFBED20
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA4D10	17_2_6DFA4D10
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFCE4F0	17_2_6DFCE4F0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA6450	17_2_6DFA6450
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DF93C40	17_2_6DF93C40
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD0400	17_2_6DFD0400
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFCF7F0	17_2_6DFCF7F0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD47F0	17_2_6DFD47F0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA9F50	17_2_6DFA9F50
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD0F30	17_2_6DFD0F30
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD5F15	17_2_6DFD5F15
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA6710	17_2_6DFA6710
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA2F10	17_2_6DFA2F10
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD5717	17_2_6DFD5717
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA56F0	17_2_6DFA56F0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFCDEE6	17_2_6DFCDEE6
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA4E80	17_2_6DFA4E80
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFC5670	17_2_6DFC5670
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA0E60	17_2_6DFA0E60
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD1650	17_2_6DFD1650
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD2640	17_2_6DFD2640
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA6E30	17_2_6DFA6E30
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD0630	17_2_6DFD0630
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFB8E20	17_2_6DFB8E20
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFCDE20	17_2_6DFCDE20
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFBA1C0	17_2_6DFBA1C0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFCD9C0	17_2_6DFCD9C0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD49A0	17_2_6DFD49A0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFC4160	17_2_6DFC4160
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA7130	17_2_6DFA7130
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFE1935	17_2_6DFE1935
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD3110	17_2_6DFD3110
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD0110	17_2_6DFD0110
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA60D0	17_2_6DFA60D0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA30C0	17_2_6DFA30C0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFCC870	17_2_6DFCC870
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DF93060	17_2_6DF93060
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD5041	17_2_6DFD5041
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD0810	17_2_6DFD0810
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA1800	17_2_6DFA1800
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFBC000	17_2_6DFBC000
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFABBD0	17_2_6DFABBD0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD1BD0	17_2_6DFD1BD0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD23C0	17_2_6DFD23C0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD4BA0	17_2_6DFD4BA0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD6375	17_2_6DFD6375
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD5377	17_2_6DFD5377
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA8360	17_2_6DFA8360
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA2350	17_2_6DFA2350
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD5B27	17_2_6DFD5B27
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFB3320	17_2_6DFB3320
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA6B10	17_2_6DFA6B10
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFBB2B0	17_2_6DFBB2B0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD2A80	17_2_6DFD2A80
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA7A40	17_2_6DFA7A40
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFA5210	17_2_6DFA5210
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFCF210	17_2_6DFCF210
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E023E60	17_2_6E023E60
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E022F00	17_2_6E022F00
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E014410	17_2_6E014410
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E01AA70	17_2_6E01AA70
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E0152F0	17_2_6E0152F0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E034118	17_2_6E034118
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E01A180	17_2_6E01A180
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E021180	17_2_6E021180
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E0161C0	17_2_6E0161C0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E0AFC00	17_2_6E0AFC00
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E070C10	17_2_6E070C10
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E08CC30	17_2_6E08CC30
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E15EE40	19_2_6E15EE40
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E161EC7	19_2_6E161EC7
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E16EFB2	19_2_6E16EFB2
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E14BFC0	19_2_6E14BFC0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E161C9F	19_2_6E161C9F
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E14BB90	19_2_6E14BB90
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E174BBA	19_2_6E174BBA
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E17885A	19_2_6E17885A
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E14A910	19_2_6E14A910
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E15C970	19_2_6E15C970
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E14E7B0	19_2_6E14E7B0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E164418	19_2_6E164418
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E154430	19_2_6E154430
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E149210	19_2_6E149210
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1663D0	19_2_6E1663D0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E16F0DF	19_2_6E16F0DF
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E19A8B8	19_2_6E19A8B8
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E284E40	19_2_6E284E40
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E206C50	19_2_6E206C50
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E210890	19_2_6E210890
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E27C794	19_2_6E27C794
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1DA590	19_2_6E1DA590
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1E0310	19_2_6E1E0310
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E22C340	19_2_6E22C340
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1E43E0	19_2_6E1E43E0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1D5E00	19_2_6E1D5E00
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1DDE70	19_2_6E1DDE70
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E287E8C	19_2_6E287E8C
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E287FB9	19_2_6E287FB9

Tries to load missing DLLs

Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll	Jump to behavior
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Section loaded: httptx.dll
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Section loaded: ssleay32.dll
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Section loaded: libeay32.dll

Uses 32bit PE files

Source: magicline4nx_setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 43.2.MagicLine4NX.exe.6df70000.5.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll, type: DROPPED	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\L.user.cdp

Jump to behavior

Found potential string decryption / allocating functions

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: String function: 6E1F1590 appears 39 times
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: String function: 6E158FE0 appears 31 times
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: String function: 6E14CFF0 appears 42 times
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: String function: 6E15E6E0 appears 39 times
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: String function: 6E026580 appears 35 times
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: String function: 6E143E80 appears 56 times

Contains functionality to call native functions

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Code function: 0_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,

0_2_100010D0

Source: MagicLine4NX.exe.0.dr	Static PE information: Section: pnesegkq ZLIB complexity 0.9936557897361153
Source: MagicLine4NX.exe.0.dr	Static PE information: Section: oygmmjtk ZLIB complexity 1.021484375
Source: MagicLine4NXServices.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0002202994890235
Source: MagicLine4NXServices.exe.0.dr	Static PE information: Section: yqheebrs ZLIB complexity 0.9939886508819651
Source: MagicLine4NXServices.exe.0.dr	Static PE information: Section: intuqfii ZLIB complexity 1.021484375

Source: magicline4nx_setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Uninstall.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX_Uninstall.exe
Source: MagicLine4NX.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MagicLine4NX

Jump to behavior

Source: classification engine

Classification label: mal90.phis.troj.spyw.expl.evad.winEXE@66/58@0/1

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 19_2_6E158150 MapViewOfFile,GetLastError,FormatMessageA,GetLastError,

19_2_6E158150

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Process created: C:\Windows\SysWOW64\cscript.exe cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefoxCheck.vbs" "MagicLine4NX

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

File created: C:\Program Files (x86)\DreamSecurity

Jump to behavior

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

File read: C:\Users\user\Desktop\magicline4nx_setup.exe

Jump to behavior

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\magicline4nx_setup.exe C:\Users\user\Desktop\magicline4nx_setup.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C taskkill /f /im NTSMagicLineNP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im NTSMagicLineNP.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop MagicLine4NXSVC
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete MagicLine4NXSVC
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C taskkill /f /im MagicLine4NX.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im MagicLine4NX.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe" -add dreamsecurity-rootca.der -c -s -r localMachine Root
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefoxCheck.vbs" "MagicLine4NX
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default" -n "Dreamsecurity ROOT CA
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release" -n "Dreamsecurity ROOT CA
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefox.vbs" "MagicLine4NX
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="MagicLine4NX" program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe"
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="MagicLine4NX" dir=in action=allow program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" enable=yes
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.Windows.Spartan_cw5n1h2txyewy"
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe" -install
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start MagicLine4NXSVC
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C taskkill /f /im NTSMagicLineNP.exe	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop MagicLine4NXSVC	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete MagicLine4NXSVC	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C taskkill /f /im MagicLine4NX.exe	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe" -add dreamsecurity-rootca.der -c -s -r localMachine Root	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefoxCheck.vbs" "MagicLine4NX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefox.vbs" "MagicLine4NX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="MagicLine4NX" program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe"	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="MagicLine4NX" dir=in action=allow program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" enable=yes	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.Windows.Spartan_cw5n1h2txyewy"	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe" -install	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start MagicLine4NXSVC	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im NTSMagicLineNP.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im MagicLine4NX.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default" -n "Dreamsecurity ROOT CA	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release" -n "Dreamsecurity ROOT CA	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release	Jump to behavior

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "NTSMagicLineNP.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MagicLine4NX.exe")

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsi7880.tmp

Jump to behavior

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 17_2_6DF91120 GlobalMemoryStatus,GetLogicalDrives,GetComputerNameA,GetCurrentProcess,GetCurrentProcessId,GetCurrentThreadId,GetVolumeInformationA,GetDiskFreeSpaceA,

17_2_6DF91120

Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: certutil.exe, 0000001E.00000003.1374967152.00000000015D5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000002.1379466690.0000000001528000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1375631766.00000000015D5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000002.1380446029.00000000015D4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1371252459.00000000015B6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1373372397.00000000015D5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1374664130.00000000015D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL a3 FROM nssPublic WHERE id=$ID;
Source: certutil.exe, 0000001E.00000003.1376833795.0000000001550000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1377756336.0000000001553000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL id FROM nssPublic WHERE a0=$DATA0 AND a3=$DATA1;
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: certutil.exe, 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmp, sqlite3.dll.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: certutil.exe, 0000001E.00000003.1377708586.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1375917887.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372903585.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1371011223.000000000159B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1375126215.00000000015AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM metaData LIMIT 0;
Source: certutil.exe, certutil.exe, 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmp, sqlite3.dll.0.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: certutil.exe, 0000001E.00000002.1379466690.0000000001528000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL a3 FROM nssPublic WHERE id=$ID;ION=5507ProgramData=C:\
Source: certutil.exe, certutil.exe, 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmp, sqlite3.dll.0.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: certutil.exe, certutil.exe, 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmp, sqlite3.dll.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: certutil.exe, 0000001E.00000002.1379466690.0000000001528000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL id FROM nssPublic WHERE a1=$DATA0 AND a0=$DATA1 AND a81=$DATA2 AND a82=$DATA3;T
Source: certutil.exe, certutil.exe, 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmp, sqlite3.dll.0.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: certutil.exe, 0000001E.00000002.1379466690.0000000001528000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL id FROM nssPublic WHERE a1=$DATA0 AND a0=$DATA1 AND a81=$DATA2 AND a82=$DATA3;
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: certutil.exe, 00000013.00000003.1314265380.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000013.00000003.1317206279.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000013.00000003.1313534896.0000000000A59000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000013.00000003.1312561794.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000013.00000003.1314508844.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000013.00000003.1315248578.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000013.00000003.1315435474.0000000000A58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM nssPublic LIMIT 0;
Source: certutil.exe, 0000001E.00000002.1379466690.0000000001528000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL id FROM nssPublic WHERE a1=$DATA0 AND a0=$DATA1 AND a81=$DATA2 AND a82=$DATA3;e4NX\cert\plc4.dll
Source: certutil.exe, 0000001E.00000003.1377708586.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1375917887.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372903585.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1371011223.000000000159B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1375126215.00000000015AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM metaData LIMIT 0;S
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s;
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: certutil.exe, certutil.exe, 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmp, sqlite3.dll.0.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: certutil.exe, certutil.exe, 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmp, sqlite3.dll.0.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: certutil.exe, certutil.exe, 00000011.00000002.1304105554.000000006E121000.00000002.00000001.01000000.00000015.sdmp, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1392:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1392:304:WilStaging_02

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

File written: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\ENG.ini

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Submission file is bigger than most known malware samples

Source: magicline4nx_setup.exe

Static file information: File size 10774328 > 1048576

PE / OLE file has a valid certificate

Source: magicline4nx_setup.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: magicline4nx_setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: CertMgr.pdb source: certmgr.exe, certmgr.exe, 0000000D.00000000.1265517894.0000000000221000.00000020.00000001.01000000.0000000A.sdmp, certmgr.exe, 0000000D.00000002.1269714571.0000000000221000.00000020.00000001.01000000.0000000A.sdmp, certmgr.exe.0.dr
Source:	Binary string: F:\DEV\svn\MagicLineNP\trunk\Code\window\MagicLineNXServices\lib\Win32\Release\MagicLine4NXServices.pdb source: MagicLine4NXServices.exe, 0000002C.00000003.1486510887.0000000005140000.00000004.00001000.00020000.00000000.sdmp, MagicLine4NXServices.exe, 0000002C.00000002.1498312164.0000000000771000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: C:\openssl-1.0.1u\out32dll\ssleay32.pdbfk7RCMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgN8 source: MagicLine4NX.exe, 0000002B.00000002.2480365493.0000000005C88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\projects\01.MagicAPI\DSToolkitV3\proj\vs2008\bin32\DSCToolkitV30-v3.4.2.20.pdb source: MagicLine4NX.exe, 0000002B.00000003.1521469654.0000000005DF8000.00000004.00000800.00020000.00000000.sdmp, MagicLine4NX.exe, 0000002B.00000002.2523885578.000000006E490000.00000002.00000001.01000000.0000001D.sdmp, DSCToolkitV30-v3.4.2.20.dll.0.dr
Source:	Binary string: F:\DEV\svn\MagicLineNP\trunk\Code\window\LocalServerNTS\NTSMagicLineNP\NTSMagicLineNP\lib\Win32\Release\MagicLine4NX.pdb source: MagicLine4NX.exe, 0000002B.00000002.2445190032.0000000000A9F000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WaaSMedicSvc.pdb source: waasmedic.20221128_142248_759.etl.34.dr
Source:	Binary string: C:\openssl-1.0.1u\out32dll\ssleay32.pdb source: MagicLine4NX.exe, 0000002B.00000002.2480365493.0000000005C88000.00000004.00000020.00020000.00000000.sdmp, ssleay32.dll.0.dr
Source:	Binary string: C:\openssl-1.0.1u\out32dll\libeay32.pdb source: libeay32.dll.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Unpacked PE file: 43.2.MagicLine4NX.exe.820000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pnesegkq:EW;oygmmjtk:EW; vs :ER;.rsrc:W;f::W; :EW;pnesegkq:EW;oygmmjtk:EW;
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Unpacked PE file: 44.2.MagicLine4NXServices.exe.770000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yqheebrs:EW;intuqfii:EW; vs :ER;.rsrc:W;W:W; :EW;yqheebrs:EW;intuqfii:EW;

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000003.1579576184.0000000000501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1580731607.0000000000553000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1209899240.0000000000542000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: magicline4nx_setup.exe PID: 5736, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD9536 push ecx; ret	17_2_6DFD9549
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E0265C6 push ecx; ret	17_2_6E0265D9
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E15E726 push ecx; ret	19_2_6E15E739
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E192436 push ecx; ret	19_2_6E192449

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

0_2_100010D0

PE file contains sections with non-standard names

Source: MagicLine4NX.exe.0.dr	Static PE information: section name:
Source: MagicLine4NX.exe.0.dr	Static PE information: section name: .idata
Source: MagicLine4NX.exe.0.dr	Static PE information: section name:
Source: MagicLine4NX.exe.0.dr	Static PE information: section name: pnesegkq
Source: MagicLine4NX.exe.0.dr	Static PE information: section name: oygmmjtk
Source: MagicLine4NXServices.exe.0.dr	Static PE information: section name:
Source: MagicLine4NXServices.exe.0.dr	Static PE information: section name: .idata
Source: MagicLine4NXServices.exe.0.dr	Static PE information: section name:
Source: MagicLine4NXServices.exe.0.dr	Static PE information: section name: yqheebrs
Source: MagicLine4NXServices.exe.0.dr	Static PE information: section name: intuqfii

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: oygmmjtk

PE file contains an invalid checksum

Source: libeay32.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x128361
Source: libplds4.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xecc0
Source: System.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x773f
Source: NsisUtil.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x117e5
Source: libplc4.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xfc66
Source: nsldap32v50.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x2490d
Source: nssdbm3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x3d5b9
Source: smime3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x31fee
Source: certutil.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x3f02c
Source: MagicCrypto32V21.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x68cbe
Source: nssutil3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x3fedb
Source: freebl3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x70c11
Source: plc4.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x18993
Source: version.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x6c99
Source: MagicLine4NX_Uninstall.exe.0.dr	Static PE information: real checksum: 0xa4d58e should be: 0x24b0e
Source: ssleay32.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x42eba
Source: nsExec.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x42dc
Source: KillProcDLL.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xad9e
Source: softokn3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x3ee84
Source: nspr4.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x52d80
Source: sqlite3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x9f03d
Source: libnspr4.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x3b16e
Source: DumpLog.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xcb85
Source: nss3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xe6abb
Source: plds4.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x16b3d

Source: initial sample	Static PE information: section name: pnesegkq entropy: 7.955837403140946
Source: initial sample	Static PE information: section name: oygmmjtk entropy: 7.238849092285538
Source: initial sample	Static PE information: section name: entropy: 7.985957605567069
Source: initial sample	Static PE information: section name: yqheebrs entropy: 7.955595621686765
Source: initial sample	Static PE information: section name: intuqfii entropy: 7.263983528026377

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0BAFEC00CC085C92F94FD1F2DECA2374C72EFFDA Blob

Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\libeay32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicCrypto32V21.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\smime3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nst78C0.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nssutil3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libplds4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\ssleay32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nspr4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\nsldap32v50.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\plds4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nst78C0.tmp\DumpLog.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nst78C0.tmp\NsisUtil.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nst78C0.tmp\version.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libnspr4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nst78C0.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libplc4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\DSCToolkitV30-v3.4.2.20.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\plc4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX_Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nst78C0.tmp\KillProcDLL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\httptx.dll	Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Local\Temp\nst78C0.tmp\nsProcess.dll	Jump to dropped file

Creates install or setup log file

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

File created: C:\Users\user\AppData\Local\DreamSecurity\MagicLine4NX\logs\install-202211281523.log

Jump to behavior

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MagicLine4NX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MagicLine4NX\MagicLine4NX.lnk	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MagicLine4NX\Uninstall.lnk	Jump to behavior

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Process created: C:\Windows\SysWOW64\sc.exe sc stop MagicLine4NXSVC

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	File opened: HKEY_USERS.DEFAULT\Software\Wine
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Special instruction interceptor: First address: 00000000008D991D instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Special instruction interceptor: First address: 00000000008D99C2 instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Special instruction interceptor: First address: 0000000000D45584 instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Special instruction interceptor: First address: 0000000000D45A76 instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Special instruction interceptor: First address: 0000000000BB9E00 instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Special instruction interceptor: First address: 0000000000A4EEA4 instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Special instruction interceptor: First address: 0000000000A56696 instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Special instruction interceptor: First address: 0000000000AC9B24 instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Special instruction interceptor: First address: 0000000000DC496B instructions caused by: Self-modifying code

Tries to detect virtualization through RDTSC time measurements

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D0ED44 second address: 0000000000D0ED4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D0ED4D second address: 0000000000D0ED53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D0ED53 second address: 0000000000D0ED74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F4BEC76D8D0h 0x0000000b jmp 00007F4BEC76D8C4h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D0ED74 second address: 0000000000D0ED85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 jp 00007F4BEC3895D6h 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D20AB0 second address: 0000000000D20AB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D2115B second address: 0000000000D21169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F4BEC3895D6h 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D24091 second address: 0000000000D240BD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4BEC76D8BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d add ecx, 1EA912FAh 0x00000013 push 00000000h 0x00000015 mov edx, 01049759h 0x0000001a mov esi, edx 0x0000001c push FFEEB69Fh 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D240BD second address: 0000000000D240C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D240C1 second address: 0000000000D2410F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a popad 0x0000000b add dword ptr [esp], 001149E1h 0x00000012 mov esi, dword ptr [ebp+120B3AF5h] 0x00000018 push 00000003h 0x0000001a mov edx, 70E684E2h 0x0000001f push 00000000h 0x00000021 push ebx 0x00000022 mov ecx, dword ptr [ebp+120B1AC8h] 0x00000028 pop ecx 0x00000029 push 00000003h 0x0000002b mov dh, 15h 0x0000002d push B0457F99h 0x00000032 pushad 0x00000033 pushad 0x00000034 jmp 00007F4BEC76D8C0h 0x00000039 jl 00007F4BEC76D8B6h 0x0000003f popad 0x00000040 push edi 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D24196 second address: 0000000000D2420A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b jl 00007F4BEC3895E7h 0x00000011 jmp 00007F4BEC3895E1h 0x00000016 popad 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007F4BEC3895D8h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000017h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 push 00000000h 0x00000034 mov cl, D1h 0x00000036 call 00007F4BEC3895D9h 0x0000003b push eax 0x0000003c pushad 0x0000003d je 00007F4BEC3895D6h 0x00000043 jmp 00007F4BEC3895E0h 0x00000048 popad 0x00000049 pop eax 0x0000004a push eax 0x0000004b pushad 0x0000004c jl 00007F4BEC3895DCh 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D2420A second address: 0000000000D24216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jg 00007F4BEC76D8B6h 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D2435F second address: 0000000000D2442C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4BEC3895ECh 0x00000008 jmp 00007F4BEC3895E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 js 00007F4BEC3895E0h 0x00000016 nop 0x00000017 mov edi, 00C3469Ch 0x0000001c push 00000000h 0x0000001e movsx esi, ax 0x00000021 mov dword ptr [ebp+120B1C3Fh], esi 0x00000027 push DF7BB84Ch 0x0000002c jnl 00007F4BEC3895DEh 0x00000032 jg 00007F4BEC3895D8h 0x00000038 push edx 0x00000039 pop edx 0x0000003a add dword ptr [esp], 20844834h 0x00000041 push esi 0x00000042 mov dword ptr [ebp+120B19B0h], eax 0x00000048 pop edi 0x00000049 mov dx, ax 0x0000004c push 00000003h 0x0000004e add dword ptr [ebp+120B1BCBh], edi 0x00000054 push 00000000h 0x00000056 mov dword ptr [ebp+120B1B78h], eax 0x0000005c mov esi, edx 0x0000005e push 00000003h 0x00000060 jmp 00007F4BEC3895DFh 0x00000065 call 00007F4BEC3895D9h 0x0000006a jmp 00007F4BEC3895E3h 0x0000006f push eax 0x00000070 jmp 00007F4BEC3895DBh 0x00000075 mov eax, dword ptr [esp+04h] 0x00000079 jmp 00007F4BEC3895DBh 0x0000007e mov eax, dword ptr [eax] 0x00000080 push eax 0x00000081 push edx 0x00000082 jnc 00007F4BEC3895D8h 0x00000088 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D2442C second address: 0000000000D24431 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D24431 second address: 0000000000D2444C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4BEC3895D6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jp 00007F4BEC3895E0h 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D41C31 second address: 0000000000D41C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4BEC76D8B6h 0x0000000a jc 00007F4BEC76D8B6h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 pushad 0x00000014 push edx 0x00000015 pop edx 0x00000016 ja 00007F4BEC76D8B6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D41C4F second address: 0000000000D41C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4BEC3895D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D41C5A second address: 0000000000D41C66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007F4BEC76D8B6h 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D41C66 second address: 0000000000D41C6C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D1C20B second address: 0000000000D1C213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D1C213 second address: 0000000000D1C22B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F4BEC3895DCh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D1C22B second address: 0000000000D1C23B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4BEC76D8BAh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FA96 second address: 0000000000D3FAA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FAA0 second address: 0000000000D3FAA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FAA7 second address: 0000000000D3FAAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FAAD second address: 0000000000D3FAEE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 je 00007F4BEC76D8B6h 0x0000000f jmp 00007F4BEC76D8BDh 0x00000014 jmp 00007F4BEC76D8C1h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c jnp 00007F4BEC76D8C6h 0x00000022 pushad 0x00000023 push esi 0x00000024 pop esi 0x00000025 jns 00007F4BEC76D8B6h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FD73 second address: 0000000000D3FD7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F4BEC3895D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FD7E second address: 0000000000D3FDA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC76D8C5h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 je 00007F4BEC76D8B6h 0x00000017 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FDA5 second address: 0000000000D3FDAB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FEEE second address: 0000000000D3FEF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FEF2 second address: 0000000000D3FEF8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D3FEF8 second address: 0000000000D3FF25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c pushad 0x0000000d jnp 00007F4BEC76D8B6h 0x00000013 push eax 0x00000014 pop eax 0x00000015 jmp 00007F4BEC76D8C3h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D400C7 second address: 0000000000D400DB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4BEC3895DAh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D400DB second address: 0000000000D400DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 00000000008DA074 second address: 00000000008D9963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4BEC3895E0h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e clc 0x0000000f push dword ptr [ebp+141D0551h] 0x00000015 clc 0x00000016 call dword ptr [ebp+141D1A56h] 0x0000001c pushad 0x0000001d jmp 00007F4BEC3895DAh 0x00000022 xor eax, eax 0x00000024 mov dword ptr [ebp+141D187Dh], ebx 0x0000002a mov edx, dword ptr [esp+28h] 0x0000002e jng 00007F4BEC3895ECh 0x00000034 pushad 0x00000035 movzx ecx, bx 0x00000038 popad 0x00000039 mov dword ptr [ebp+141D3893h], eax 0x0000003f sub dword ptr [ebp+141D187Dh], ebx 0x00000045 mov esi, 0000003Ch 0x0000004a add dword ptr [ebp+141D187Dh], ebx 0x00000050 add esi, dword ptr [esp+24h] 0x00000054 mov dword ptr [ebp+141D187Dh], ebx 0x0000005a jmp 00007F4BEC3895E4h 0x0000005f lodsw 0x00000061 cmc 0x00000062 add eax, dword ptr [esp+24h] 0x00000066 cld 0x00000067 mov ebx, dword ptr [esp+24h] 0x0000006b or dword ptr [ebp+141D1759h], eax 0x00000071 push eax 0x00000072 pushad 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 00000000008D9963 second address: 00000000008D996E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 00000000008D996E second address: 00000000008D9972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40254 second address: 0000000000D40274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F4BEC76D8C4h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F4BEC76D8BCh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40274 second address: 0000000000D40278 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40278 second address: 0000000000D4028E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F4BEC76D8B6h 0x0000000d jns 00007F4BEC76D8B6h 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4028E second address: 0000000000D40294 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A27EC0 second address: 0000000000A27EC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40294 second address: 0000000000D40298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A27EC5 second address: 0000000000A27ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40673 second address: 0000000000D40680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A27ECB second address: 0000000000A27EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4BEC76D8B6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007F4BEC76D8B6h 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40680 second address: 0000000000D4068A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A27EE2 second address: 0000000000A27EE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4068A second address: 0000000000D4068F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A27176 second address: 0000000000A2717C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D407D0 second address: 0000000000D40805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4BEC3895D6h 0x0000000a pop ecx 0x0000000b push edi 0x0000000c push ecx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4BEC3895DBh 0x00000019 jmp 00007F4BEC3895E6h 0x0000001e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2717C second address: 0000000000A2718D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnp 00007F4BEC76D8B6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40967 second address: 0000000000D40971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2718D second address: 0000000000A27191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40971 second address: 0000000000D40975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A27191 second address: 0000000000A27197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40975 second address: 0000000000D4098A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F4BEC3895D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jc 00007F4BEC3895D6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A27197 second address: 0000000000A2719D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40DE8 second address: 0000000000D40E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC3895E2h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2719D second address: 0000000000A271A2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40E01 second address: 0000000000D40E39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895E6h 0x00000007 je 00007F4BEC3895DAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F4BEC3895DFh 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A271A2 second address: 0000000000A271BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 push ebx 0x00000009 jnl 00007F4BEC76D8B6h 0x0000000f pop ebx 0x00000010 pushad 0x00000011 jnp 00007F4BEC76D8B6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40E39 second address: 0000000000D40E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC3895DBh 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A271BB second address: 0000000000A271C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40E48 second address: 0000000000D40E5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895E2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A27492 second address: 0000000000A27496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D40E5E second address: 0000000000D40E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jno 00007F4BEC3895D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2760E second address: 0000000000A27614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D41ABB second address: 0000000000D41ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D41ABF second address: 0000000000D41AC5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A4B7 second address: 0000000000A2A4DF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4BEC3895E2h 0x00000008 jmp 00007F4BEC3895DCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jl 00007F4BEC3895DCh 0x0000001b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A4DF second address: 0000000000A2A4F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC76D8C5h 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A6B3 second address: 0000000000A2A6B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A6B7 second address: 0000000000A2A6C1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4BEC76D8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A6C1 second address: 0000000000A2A742 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push edi 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop edi 0x0000000f pop ebx 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 jmp 00007F4BEC3895DDh 0x0000001a pop eax 0x0000001b mov eax, dword ptr [eax] 0x0000001d jmp 00007F4BEC3895DBh 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 jnc 00007F4BEC3895E2h 0x0000002c pop eax 0x0000002d pushad 0x0000002e jmp 00007F4BEC3895DFh 0x00000033 mov eax, edi 0x00000035 popad 0x00000036 lea ebx, dword ptr [ebp+1432434Bh] 0x0000003c mov dword ptr [ebp+141D1773h], edx 0x00000042 xchg eax, ebx 0x00000043 jmp 00007F4BEC3895DDh 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b pushad 0x0000004c popad 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D459D6 second address: 0000000000D459DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D459DD second address: 0000000000D459F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC3895DFh 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A781 second address: 0000000000A2A809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 nop 0x00000007 mov edi, dword ptr [ebp+141D377Fh] 0x0000000d push 00000000h 0x0000000f movsx ecx, ax 0x00000012 push 7B6C4C17h 0x00000017 push edx 0x00000018 push ebx 0x00000019 push esi 0x0000001a pop esi 0x0000001b pop ebx 0x0000001c pop edx 0x0000001d xor dword ptr [esp], 7B6C4C97h 0x00000024 mov edi, eax 0x00000026 push 00000003h 0x00000028 jmp 00007F4BEC76D8C1h 0x0000002d push 00000000h 0x0000002f sub dword ptr [ebp+141D193Ch], eax 0x00000035 push 00000003h 0x00000037 xor dword ptr [ebp+141D1B3Eh], edx 0x0000003d call 00007F4BEC76D8C8h 0x00000042 mov dword ptr [ebp+141D23E6h], eax 0x00000048 pop edi 0x00000049 call 00007F4BEC76D8B9h 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 push edi 0x00000052 pop edi 0x00000053 jmp 00007F4BEC76D8C1h 0x00000058 popad 0x00000059 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D459F0 second address: 0000000000D459F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A809 second address: 0000000000A2A818 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A818 second address: 0000000000A2A856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F4BEC3895E6h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007F4BEC3895E0h 0x0000001b ja 00007F4BEC3895D6h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A856 second address: 0000000000A2A870 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4BEC76D8B8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jc 00007F4BEC76D8C4h 0x00000016 push eax 0x00000017 push edx 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D45C14 second address: 0000000000D45C18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A2A870 second address: 0000000000A2A874 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4BF80 second address: 0000000000D4BF84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C0F1 second address: 0000000000D4C101 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F4BEC76D8BEh 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C3C7 second address: 0000000000D4C3CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C3CC second address: 0000000000D4C3D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C3D1 second address: 0000000000D4C405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F4BEC3895D6h 0x0000000a ja 00007F4BEC3895D6h 0x00000010 popad 0x00000011 jne 00007F4BEC3895D8h 0x00000017 pushad 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F4BEC3895E7h 0x00000022 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C405 second address: 0000000000D4C410 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F4BEC76D8B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C6A0 second address: 0000000000D4C6A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C6A4 second address: 0000000000D4C6AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C6AE second address: 0000000000D4C6B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C6B2 second address: 0000000000D4C6B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C928 second address: 0000000000D4C92E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4C92E second address: 0000000000D4C932 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4E1CA second address: 0000000000D4E1CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4E1CE second address: 0000000000D4E1E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4E3AE second address: 0000000000D4E3B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4E3B2 second address: 0000000000D4E3BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4E3BB second address: 0000000000D4E3D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F4BEC3895DCh 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4E6B0 second address: 0000000000D4E6B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4E6B7 second address: 0000000000D4E6BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4E6BD second address: 0000000000D4E6C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4ED63 second address: 0000000000D4ED67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D4ED67 second address: 0000000000D4ED6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D50057 second address: 0000000000D500B8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jl 00007F4BEC3895DEh 0x0000000d jnp 00007F4BEC3895D8h 0x00000013 push edx 0x00000014 pop edx 0x00000015 nop 0x00000016 mov edi, dword ptr [ebp+120B3AD5h] 0x0000001c mov esi, dword ptr [ebp+120B2278h] 0x00000022 push 00000000h 0x00000024 jmp 00007F4BEC3895DDh 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007F4BEC3895D8h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 mov edi, 77D5641Bh 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D500B8 second address: 0000000000D500BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D500BC second address: 0000000000D500D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D53CED second address: 0000000000D53D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4BEC76D8C4h 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D53D09 second address: 0000000000D53D83 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F4BEC3895DBh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F4BEC3895D8h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 push 00000000h 0x00000028 mov esi, dword ptr [ebp+120B19B0h] 0x0000002e clc 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007F4BEC3895D8h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 00000019h 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b jmp 00007F4BEC3895DDh 0x00000050 or dword ptr [ebp+120B2712h], edi 0x00000056 push eax 0x00000057 pushad 0x00000058 pushad 0x00000059 pushad 0x0000005a popad 0x0000005b pushad 0x0000005c popad 0x0000005d popad 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 popad 0x00000062 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5490D second address: 0000000000D54911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D54911 second address: 0000000000D54915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D56793 second address: 0000000000D56797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D56797 second address: 0000000000D567C2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4BEC3895D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F4BEC3895E7h 0x0000000f popad 0x00000010 push edx 0x00000011 je 00007F4BEC3895DEh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D567C2 second address: 0000000000D567CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D567CB second address: 0000000000D567D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D58973 second address: 0000000000D58977 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D58E8B second address: 0000000000D58E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC3895E0h 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D58E9F second address: 0000000000D58F0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F4BEC76D8B8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 jmp 00007F4BEC76D8C1h 0x00000028 push 00000000h 0x0000002a mov di, 2F21h 0x0000002e push 00000000h 0x00000030 jmp 00007F4BEC76D8C2h 0x00000035 xchg eax, esi 0x00000036 jp 00007F4BEC76D8BEh 0x0000003c push eax 0x0000003d pushad 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D59F08 second address: 0000000000D59F0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D59F0C second address: 0000000000D59F2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D59F2D second address: 0000000000D59F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D59FA5 second address: 0000000000D59FAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D52FCD second address: 0000000000D52FD7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4BEC3895D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D54622 second address: 0000000000D54626 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D54626 second address: 0000000000D54638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 js 00007F4BEC3895E4h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5F5A0 second address: 0000000000D5F5BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5F5BC second address: 0000000000D5F648 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F4BEC3895D8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov edi, dword ptr [ebp+120B3BE5h] 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push eax 0x0000002f call 00007F4BEC3895D8h 0x00000034 pop eax 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 add dword ptr [esp+04h], 00000016h 0x00000041 inc eax 0x00000042 push eax 0x00000043 ret 0x00000044 pop eax 0x00000045 ret 0x00000046 push 00000000h 0x00000048 push 00000000h 0x0000004a push ebx 0x0000004b call 00007F4BEC3895D8h 0x00000050 pop ebx 0x00000051 mov dword ptr [esp+04h], ebx 0x00000055 add dword ptr [esp+04h], 0000001Ch 0x0000005d inc ebx 0x0000005e push ebx 0x0000005f ret 0x00000060 pop ebx 0x00000061 ret 0x00000062 and edi, dword ptr [ebp+120B1A7Ch] 0x00000068 xchg eax, esi 0x00000069 push ecx 0x0000006a push eax 0x0000006b push edx 0x0000006c pushad 0x0000006d popad 0x0000006e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5F648 second address: 0000000000D5F65E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 ja 00007F4BEC76D8C4h 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007F4BEC76D8B6h 0x00000016 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D60702 second address: 0000000000D60708 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D60708 second address: 0000000000D6070C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D626A4 second address: 0000000000D626A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D626A9 second address: 0000000000D626D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F4BEC76D8BEh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D626D2 second address: 0000000000D6270E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b pushad 0x0000000c mov si, B16Bh 0x00000010 mov al, 4Ch 0x00000012 popad 0x00000013 push 00000000h 0x00000015 mov edi, dword ptr [ebp+120B2A0Bh] 0x0000001b xor dword ptr [ebp+120B2A71h], edx 0x00000021 push 00000000h 0x00000023 mov dword ptr [ebp+120B267Bh], esi 0x00000029 xchg eax, esi 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D6270E second address: 0000000000D62719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4BEC76D8B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D62719 second address: 0000000000D6274B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F4BEC3895E2h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f jmp 00007F4BEC3895E5h 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D652D7 second address: 0000000000D652DD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D652DD second address: 0000000000D652E7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4BEC3895DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D66277 second address: 0000000000D6627B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D6627B second address: 0000000000D66293 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D66293 second address: 0000000000D66297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D66297 second address: 0000000000D662A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D662A6 second address: 0000000000D662AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D662AC second address: 0000000000D662B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D6736D second address: 0000000000D6737F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4BEC76D8B8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D6737F second address: 0000000000D67383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D67383 second address: 0000000000D67396 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D67396 second address: 0000000000D67418 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F4BEC3895D8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 push edi 0x00000023 mov edi, dword ptr [ebp+120B1CB5h] 0x00000029 pop ebx 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007F4BEC3895D8h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 00000015h 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 mov ebx, dword ptr [ebp+120B3C51h] 0x0000004c push 00000000h 0x0000004e mov edi, dword ptr [ebp+120B3D55h] 0x00000054 xchg eax, esi 0x00000055 jnc 00007F4BEC3895E0h 0x0000005b push eax 0x0000005c push ebx 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F4BEC3895E0h 0x00000064 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D6829E second address: 0000000000D682AF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jc 00007F4BEC76D8C0h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D71D95 second address: 0000000000D71D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D71504 second address: 0000000000D7151F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7151F second address: 0000000000D71540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4BEC3895E7h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D71540 second address: 0000000000D71544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D71544 second address: 0000000000D71557 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jns 00007F4BEC3895D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D71683 second address: 0000000000D7168E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4BEC76D8B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7168E second address: 0000000000D716AE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007F4BEC3895D6h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4BEC3895DEh 0x00000011 jno 00007F4BEC3895D6h 0x00000017 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D71950 second address: 0000000000D71956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D71956 second address: 0000000000D71966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4BEC3895DBh 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D71966 second address: 0000000000D7197F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4BEC76D8C4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7197F second address: 0000000000D719AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4BEC3895DEh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4BEC3895E8h 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D719AE second address: 0000000000D719C2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F4BEC76D8BDh 0x00000008 pop edi 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D719C2 second address: 0000000000D719C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D75C46 second address: 0000000000D75C4B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5A1A1 second address: 0000000000D5A1A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5A1A5 second address: 0000000000D5A23B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4BEC76D8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov dword ptr [esp], eax 0x0000000e pushad 0x0000000f mov dword ptr [ebp+1221B48Dh], ebx 0x00000015 adc ebx, 5B2483DBh 0x0000001b popad 0x0000001c push dword ptr fs:[00000000h] 0x00000023 jg 00007F4BEC76D8BCh 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 sbb di, 6E85h 0x00000035 mov eax, dword ptr [ebp+120B0879h] 0x0000003b push 00000000h 0x0000003d push edx 0x0000003e call 00007F4BEC76D8B8h 0x00000043 pop edx 0x00000044 mov dword ptr [esp+04h], edx 0x00000048 add dword ptr [esp+04h], 00000018h 0x00000050 inc edx 0x00000051 push edx 0x00000052 ret 0x00000053 pop edx 0x00000054 ret 0x00000055 jmp 00007F4BEC76D8C7h 0x0000005a push FFFFFFFFh 0x0000005c mov di, A0E2h 0x00000060 nop 0x00000061 jmp 00007F4BEC76D8C0h 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 push ebx 0x0000006a pushad 0x0000006b popad 0x0000006c pop ebx 0x0000006d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5E78F second address: 0000000000D5E795 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5F797 second address: 0000000000D5F79B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5F79B second address: 0000000000D5F7B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5F7B5 second address: 0000000000D5F7BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F4BEC76D8B6h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D62952 second address: 0000000000D62976 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jc 00007F4BEC3895D6h 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D638C4 second address: 0000000000D638CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D638CA second address: 0000000000D638D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F4BEC3895D6h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D79A1E second address: 0000000000D79A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jno 00007F4BEC76D8BEh 0x0000000b pop ebx 0x0000000c pushad 0x0000000d je 00007F4BEC76D8C4h 0x00000013 jmp 00007F4BEC76D8C8h 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D66493 second address: 0000000000D66499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D66499 second address: 0000000000D6649E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D67632 second address: 0000000000D6763D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F4BEC3895D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D79B7A second address: 0000000000D79B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D79E45 second address: 0000000000D79E62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC3895E9h 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7A115 second address: 0000000000D7A119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7A119 second address: 0000000000D7A129 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F4BEC3895D8h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7A399 second address: 0000000000D7A39F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7A39F second address: 0000000000D7A3A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7A3A3 second address: 0000000000D7A3BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7A50D second address: 0000000000D7A514 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7F064 second address: 0000000000D7F068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7F068 second address: 0000000000D7F06E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7F06E second address: 0000000000D7F088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F4BEC76D8B6h 0x0000000a jmp 00007F4BEC76D8C0h 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7F088 second address: 0000000000D7F0C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F4BEC3895F8h 0x0000000e jmp 00007F4BEC3895E7h 0x00000013 jmp 00007F4BEC3895DBh 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7F0C1 second address: 0000000000D7F0C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7DAF4 second address: 0000000000D7DB0D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F4BEC3895E1h 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7DFA5 second address: 0000000000D7DFAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7DFAB second address: 0000000000D7DFB9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4BEC3895D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7DFB9 second address: 0000000000D7DFBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7DFBD second address: 0000000000D7DFDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F4BEC3895ECh 0x00000011 push ebx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7DFDF second address: 0000000000D7DFE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7E953 second address: 0000000000D7E97C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4BEC3895D6h 0x0000000a jmp 00007F4BEC3895DEh 0x0000000f jmp 00007F4BEC3895DBh 0x00000014 popad 0x00000015 pushad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D7EAD8 second address: 0000000000D7EAE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D37BB9 second address: 0000000000D37BBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D37BBD second address: 0000000000D37BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D37BC5 second address: 0000000000D37BD3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jbe 00007F4BEC3895D6h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D12259 second address: 0000000000D1225F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D1225F second address: 0000000000D12265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D12265 second address: 0000000000D12269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D12269 second address: 0000000000D1227B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4BEC3895D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D1227B second address: 0000000000D1227F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D1227F second address: 0000000000D12283 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D85D44 second address: 0000000000D85D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC76D8C5h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D85D61 second address: 0000000000D85D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F4BEC3895DFh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D0D1A7 second address: 0000000000D0D1B1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4BEC76D8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D0D1B1 second address: 0000000000D0D1B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D0D1B6 second address: 0000000000D0D232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC76D8C9h 0x00000009 jmp 00007F4BEC76D8BCh 0x0000000e jnp 00007F4BEC76D8B6h 0x00000014 popad 0x00000015 jmp 00007F4BEC76D8BAh 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pushad 0x0000001d jmp 00007F4BEC76D8BDh 0x00000022 jmp 00007F4BEC76D8BDh 0x00000027 jl 00007F4BEC76D8D1h 0x0000002d jmp 00007F4BEC76D8C5h 0x00000032 jng 00007F4BEC76D8B6h 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b popad 0x0000003c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D57112 second address: 0000000000D57116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D57548 second address: 0000000000D5754D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D576B0 second address: 0000000000D576B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5781E second address: 0000000000D57828 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F4BEC76D8B6h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D57A77 second address: 0000000000D57A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D57A83 second address: 0000000000D57A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D57A88 second address: 0000000000D57A92 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4BEC3895DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D57EAE second address: 0000000000D57EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D57FEA second address: 0000000000D57FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D58267 second address: 0000000000D5827A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 je 00007F4BEC76D8B8h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D5827A second address: 0000000000D582DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 nop 0x00000007 jmp 00007F4BEC3895E5h 0x0000000c mov di, bx 0x0000000f lea eax, dword ptr [ebp+12250DCDh] 0x00000015 call 00007F4BEC3895E6h 0x0000001a mov edi, dword ptr [ebp+120B3CC1h] 0x00000020 pop ecx 0x00000021 mov ecx, edx 0x00000023 nop 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 push esi 0x00000028 pop esi 0x00000029 jmp 00007F4BEC3895E6h 0x0000002e popad 0x0000002f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D582DB second address: 0000000000D37BB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F4BEC76D8B6h 0x00000009 jc 00007F4BEC76D8B6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jmp 00007F4BEC76D8C5h 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F4BEC76D8B8h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 pushad 0x00000034 call 00007F4BEC76D8BEh 0x00000039 jmp 00007F4BEC76D8C0h 0x0000003e pop edi 0x0000003f mov ecx, ebx 0x00000041 popad 0x00000042 lea eax, dword ptr [ebp+12250D89h] 0x00000048 mov edx, esi 0x0000004a push eax 0x0000004b jmp 00007F4BEC76D8C3h 0x00000050 mov dword ptr [esp], eax 0x00000053 call 00007F4BEC76D8BEh 0x00000058 xor dword ptr [ebp+120B1D09h], ebx 0x0000005e pop edi 0x0000005f stc 0x00000060 call dword ptr [ebp+120B248Eh] 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 pushad 0x0000006a popad 0x0000006b jmp 00007F4BEC76D8BAh 0x00000070 popad 0x00000071 push eax 0x00000072 push edx 0x00000073 jmp 00007F4BEC76D8BAh 0x00000078 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D850BA second address: 0000000000D850BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A48AA5 second address: 0000000000A48AAF instructions: 0x00000000 rdtsc 0x00000002 js 00007F4BEC76D8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A48AAF second address: 0000000000A48AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A48AB5 second address: 0000000000A48AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A48AB9 second address: 0000000000A48ABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A48ABD second address: 0000000000A48AF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jno 00007F4BEC76D8B6h 0x0000000f js 00007F4BEC76D8B6h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push ecx 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c jp 00007F4BEC76D8B6h 0x00000022 jbe 00007F4BEC76D8B6h 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F4BEC76D8BFh 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A48AF9 second address: 0000000000A48AFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8523D second address: 0000000000D85243 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D854CA second address: 0000000000D854D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D854D0 second address: 0000000000D854D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D858D4 second address: 0000000000D858DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A47741 second address: 0000000000A4777D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C8h 0x00000007 jmp 00007F4BEC76D8C4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 jng 00007F4BEC76D8B6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A4777D second address: 0000000000A47785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A478F3 second address: 0000000000A47900 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4BEC76D8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A47900 second address: 0000000000A47906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A47906 second address: 0000000000A47912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4BEC76D8B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A411A9 second address: 0000000000A411B3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4BEC3895D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8A0C1 second address: 0000000000D8A0CB instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4BEC76D8B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8A0CB second address: 0000000000D8A0D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F4BEC3895D6h 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8A0D7 second address: 0000000000D8A0DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A484B3 second address: 0000000000A484C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC3895DEh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A484C7 second address: 0000000000A484D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F4BEC76D8B6h 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D89D6B second address: 0000000000D89D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC3895E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D89D87 second address: 0000000000D89DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F4BEC76D8C4h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A504F3 second address: 0000000000A504FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F4BEC3895D6h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A17CD3 second address: 0000000000A17CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A17CDA second address: 0000000000A17CF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC3895E2h 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5518C second address: 0000000000A5519C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 jg 00007F4BEC76D8B6h 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5519C second address: 0000000000A551A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A551A2 second address: 0000000000A551AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F4BEC76D8B6h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A551AC second address: 0000000000A551B6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4BEC3895D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A551B6 second address: 0000000000A551BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A555DC second address: 0000000000A555E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A55A0D second address: 0000000000A55A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4BEC76D8BEh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A55A24 second address: 0000000000A55A3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4BEC3895E0h 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57DE8 second address: 0000000000A57DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F4BEC76D8B6h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57DF2 second address: 0000000000A57DF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5828A second address: 0000000000A58290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A588E6 second address: 0000000000A588F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F4BEC3895D6h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5896A second address: 0000000000A589A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4BEC76D8C8h 0x0000000b popad 0x0000000c mov dword ptr [esp], ebx 0x0000000f movsx esi, cx 0x00000012 jnc 00007F4BEC76D8BCh 0x00000018 and esi, 13A5240Bh 0x0000001e nop 0x0000001f js 00007F4BEC76D8BEh 0x00000025 push edi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A58B79 second address: 0000000000A58B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A58B7D second address: 0000000000A58B83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A58C58 second address: 0000000000A58C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A58EE5 second address: 0000000000A58EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A58FB2 second address: 0000000000A58FB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A58FB7 second address: 0000000000A58FC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A58FC5 second address: 0000000000A58FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop esi 0x00000006 nop 0x00000007 mov esi, 6445E480h 0x0000000c xchg eax, ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4BEC3895E6h 0x00000014 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5BAE8 second address: 0000000000A5BAED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5DBAA second address: 0000000000A5DBB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F4BEC3895D6h 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5DBB7 second address: 0000000000A5DBDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edi 0x0000000c jnc 00007F4BEC76D8BCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5E5BD second address: 0000000000A5E653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F4BEC3895E8h 0x0000000b pop esi 0x0000000c popad 0x0000000d nop 0x0000000e call 00007F4BEC3895E8h 0x00000013 pop edi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F4BEC3895D8h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 sbb edi, 331EA68Eh 0x00000036 push 00000000h 0x00000038 jmp 00007F4BEC3895E7h 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F4BEC3895E8h 0x00000045 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A61688 second address: 0000000000A616AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4BEC76D8BAh 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A616AF second address: 0000000000A616B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A616B3 second address: 0000000000A616B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A616B9 second address: 0000000000A61725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F4BEC3895D8h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov ebx, 71E2FC80h 0x00000028 jns 00007F4BEC3895DCh 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007F4BEC3895D8h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a push 00000000h 0x0000004c mov dword ptr [ebp+14333BB3h], ebx 0x00000052 xchg eax, esi 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A61725 second address: 0000000000A61729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A61729 second address: 0000000000A6172D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6172D second address: 0000000000A61745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4BEC76D8C0h 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A61745 second address: 0000000000A61749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6677B second address: 0000000000A66794 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F4BEC76D8B6h 0x00000014 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A66794 second address: 0000000000A6679A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A67713 second address: 0000000000A6771A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6771A second address: 0000000000A6775F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F4BEC3895DBh 0x0000000c nop 0x0000000d or dword ptr [ebp+141D2338h], edi 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 mov ebx, dword ptr [ebp+141D1885h] 0x0000001c pop ebx 0x0000001d push 00000000h 0x0000001f and ebx, dword ptr [ebp+141D28CFh] 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jo 00007F4BEC3895E7h 0x0000002e jmp 00007F4BEC3895E1h 0x00000033 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A69D1A second address: 0000000000A69D20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6ADFE second address: 0000000000A6AE17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6FE00 second address: 0000000000A6FE64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+141D19E9h], ecx 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 mov dword ptr [ebp+143355DAh], ecx 0x0000001a pop ebx 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007F4BEC76D8B8h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 00000017h 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 jmp 00007F4BEC76D8BEh 0x0000003c push eax 0x0000003d jc 00007F4BEC76D8CFh 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F4BEC76D8C1h 0x0000004a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5D901 second address: 0000000000A5D926 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4BEC3895D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4BEC3895E7h 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5E31F second address: 0000000000A5E323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5E323 second address: 0000000000A5E33C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4BEC3895E1h 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5E33C second address: 0000000000A5E340 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A618D0 second address: 0000000000A618D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A7B259 second address: 0000000000A7B25D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A7B25D second address: 0000000000A7B27C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC3895E4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A7B27C second address: 0000000000A7B288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F4BEC76D8B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A7A9F2 second address: 0000000000A7A9FC instructions: 0x00000000 rdtsc 0x00000002 js 00007F4BEC3895D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A7AB4E second address: 0000000000A7AB59 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jns 00007F4BEC76D8B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A7EE87 second address: 0000000000A7EE8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A7EE8B second address: 0000000000A7EE94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8E2A1 second address: 0000000000D8E2A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8E2A9 second address: 0000000000D8E2AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8E2AF second address: 0000000000D8E2DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4BEC3895D6h 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F4BEC3895E2h 0x00000011 jbe 00007F4BEC3895D6h 0x00000017 pop ecx 0x00000018 pushad 0x00000019 je 00007F4BEC3895D6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8E441 second address: 0000000000D8E467 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c jne 00007F4BEC76D8B6h 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8E467 second address: 0000000000D8E46D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D8FFEB second address: 0000000000D8FFF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4BEC76D8B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D91DD8 second address: 0000000000D91DDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D91DDE second address: 0000000000D91DEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F4BEC76D8B6h 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D91B01 second address: 0000000000D91B07 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D94B97 second address: 0000000000D94B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D94B9D second address: 0000000000D94BA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D94BA1 second address: 0000000000D94BB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D94CEF second address: 0000000000D94D09 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F4BEC3895E4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D94D09 second address: 0000000000D94D0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D94D0E second address: 0000000000D94D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D94D14 second address: 0000000000D94D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edi 0x0000000d jmp 00007F4BEC76D8BAh 0x00000012 jbe 00007F4BEC76D8B6h 0x00000018 pop edi 0x00000019 pushad 0x0000001a jl 00007F4BEC76D8B6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A840D7 second address: 0000000000A840DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8462B second address: 0000000000A8462F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8462F second address: 0000000000A84635 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A88092 second address: 0000000000A88098 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A88098 second address: 0000000000A8809C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A881FC second address: 0000000000A88206 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4BEC76D8BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A88206 second address: 0000000000A88222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4BEC3895DCh 0x0000000a js 00007F4BEC3895D6h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 jnc 00007F4BEC3895D6h 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A88222 second address: 0000000000A88249 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8BAh 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F4BEC76D8B6h 0x0000000f jmp 00007F4BEC76D8C3h 0x00000014 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A883A4 second address: 0000000000A883A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A886CA second address: 0000000000A886D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A886D4 second address: 0000000000A886DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A88818 second address: 0000000000A8881E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8881E second address: 0000000000A88833 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007F4BEC3895DBh 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A87D84 second address: 0000000000A87D9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8BCh 0x00000007 pushad 0x00000008 jno 00007F4BEC76D8B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D99F7B second address: 0000000000D99F95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC3895DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jng 00007F4BEC3895D6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D99F95 second address: 0000000000D99FB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4BEC76D8BEh 0x0000000b popad 0x0000000c jbe 00007F4BEC76D8BCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D99FB2 second address: 0000000000D99FBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9889D second address: 0000000000D988C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F4BEC76D8BFh 0x0000000b popad 0x0000000c jmp 00007F4BEC76D8BEh 0x00000011 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D988C1 second address: 0000000000D988C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D98FFC second address: 0000000000D99021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC76D8C7h 0x00000009 pop ecx 0x0000000a pushad 0x0000000b jl 00007F4BEC76D8B6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D99021 second address: 0000000000D9903D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4BEC3895E2h 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D57CBE second address: 0000000000D57CC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F4BEC76D8B6h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A65838 second address: 0000000000A6583C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A679F0 second address: 0000000000A679F5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A88CC2 second address: 0000000000A88CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F4BEC3895D6h 0x0000000d jnl 00007F4BEC3895D6h 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8914F second address: 0000000000A89173 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4BEC76D8CFh 0x00000008 jmp 00007F4BEC76D8C9h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A89173 second address: 0000000000A89188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F4BEC3895D6h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A89188 second address: 0000000000A8918E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8DA55 second address: 0000000000A8DA5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8DA5B second address: 0000000000A8DA5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8DA5F second address: 0000000000A8DA65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8DEB3 second address: 0000000000A8DEB8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8DEB8 second address: 0000000000A8DF07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007F4BEC3895E6h 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jmp 00007F4BEC3895DDh 0x0000001c push esi 0x0000001d push edx 0x0000001e pop edx 0x0000001f jmp 00007F4BEC3895DAh 0x00000024 pop esi 0x00000025 push ebx 0x00000026 jns 00007F4BEC3895D6h 0x0000002c pop ebx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8DF07 second address: 0000000000A8DF15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC76D8BAh 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8DF15 second address: 0000000000A8DF19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8E050 second address: 0000000000A8E055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8E1B5 second address: 0000000000A8E1C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 ja 00007F4BEC3895D6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8E1C7 second address: 0000000000A8E1EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC76D8C6h 0x00000009 pop ecx 0x0000000a jc 00007F4BEC76D8C2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8E1EA second address: 0000000000A8E1F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8E1F0 second address: 0000000000A8E1F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8E1F8 second address: 0000000000A8E208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC3895DCh 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8E4B6 second address: 0000000000A8E4C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jg 00007F4BEC5CA3C6h 0x0000000c je 00007F4BEC5CA3C6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A41B7D second address: 0000000000A41B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8D5E8 second address: 0000000000A8D5EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A8D5EF second address: 0000000000A8D61B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BED30CDB6h 0x00000007 pushad 0x00000008 jns 00007F4BED30CDA6h 0x0000000e jl 00007F4BED30CDA6h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push edi 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A93BD8 second address: 0000000000A93BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4BEC5CA3C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6C0E4 second address: 0000000000A6C0EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56C43 second address: 0000000000A56C5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC5CA3D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56C5F second address: 0000000000A56C65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56C65 second address: 0000000000A56C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56C69 second address: 0000000000A56C6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56C6D second address: 0000000000A56C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F4BEC5CA3C6h 0x00000013 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56C80 second address: 0000000000A56C86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56C86 second address: 0000000000A56C9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC5CA3D3h 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56C9D second address: 0000000000A56CB7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4BED30CDA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jp 00007F4BED30CDB4h 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56CB7 second address: 0000000000A56CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56CBB second address: 0000000000A56CCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jp 00007F4BED30CDAEh 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56CCC second address: 0000000000A56CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56CDB second address: 0000000000A56CF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BED30CDB2h 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56CF1 second address: 0000000000A56D32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F4BEC5CA3C8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 call 00007F4BEC5CA3C9h 0x00000028 jl 00007F4BEC5CA3D0h 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56D32 second address: 0000000000A56D3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56D3E second address: 0000000000A56D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56D45 second address: 0000000000A56D63 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F4BED30CDAAh 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56D63 second address: 0000000000A56D67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56D67 second address: 0000000000A56D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56E61 second address: 0000000000A56E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56E6F second address: 0000000000A56E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A56E73 second address: 0000000000A56E77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6CFE8 second address: 0000000000A6CFEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57132 second address: 0000000000A57136 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57136 second address: 0000000000A571B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4BED30CDB8h 0x0000000c jns 00007F4BED30CDA6h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push esi 0x00000016 jmp 00007F4BED30CDB8h 0x0000001b pop esi 0x0000001c nop 0x0000001d js 00007F4BED30CDAAh 0x00000023 jmp 00007F4BED30CDAEh 0x00000028 push 00000004h 0x0000002a mov di, ax 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 jmp 00007F4BED30CDB3h 0x00000036 jng 00007F4BED30CDA6h 0x0000003c popad 0x0000003d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A575A6 second address: 0000000000A57628 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F4BEC5CA3C8h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 mov di, EB30h 0x0000002b push 0000001Eh 0x0000002d push 00000000h 0x0000002f push edx 0x00000030 call 00007F4BEC5CA3C8h 0x00000035 pop edx 0x00000036 mov dword ptr [esp+04h], edx 0x0000003a add dword ptr [esp+04h], 0000001Dh 0x00000042 inc edx 0x00000043 push edx 0x00000044 ret 0x00000045 pop edx 0x00000046 ret 0x00000047 movsx ecx, di 0x0000004a nop 0x0000004b jmp 00007F4BEC5CA3D8h 0x00000050 push eax 0x00000051 push eax 0x00000052 pushad 0x00000053 jl 00007F4BEC5CA3C6h 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6EEBD second address: 0000000000A6EF37 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4BED30CDBCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F4BED30CDA8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 mov bl, 08h 0x00000027 mov bl, 81h 0x00000029 push dword ptr fs:[00000000h] 0x00000030 mov dword ptr [ebp+141D180Ch], ecx 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d sub dword ptr [ebp+141D339Ch], ebx 0x00000043 mov eax, dword ptr [ebp+141D0069h] 0x00000049 or di, 08B6h 0x0000004e push FFFFFFFFh 0x00000050 mov edi, edx 0x00000052 nop 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007F4BED30CDAAh 0x0000005c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6EF37 second address: 0000000000A6EF50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC5CA3D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6EF50 second address: 0000000000A6EF6F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4BED30CDB0h 0x00000008 jmp 00007F4BED30CDAAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 jnc 00007F4BED30CDA6h 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6EF6F second address: 0000000000A6EF8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC5CA3D7h 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA09A8 second address: 0000000000DA09AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA09AE second address: 0000000000DA09B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA09B4 second address: 0000000000DA09B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA09B8 second address: 0000000000DA0A0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC5CA3D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F4BEC5CA3D9h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4BEC5CA3D9h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA0A0C second address: 0000000000DA0A24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4BED30CDB0h 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA0A24 second address: 0000000000DA0A84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4BEC5CA3D5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F4BEC5CA3D7h 0x00000011 jmp 00007F4BEC5CA3D2h 0x00000016 jng 00007F4BEC5CA3C6h 0x0000001c popad 0x0000001d pushad 0x0000001e jg 00007F4BEC5CA3C6h 0x00000024 jmp 00007F4BEC5CA3CBh 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9EBBA second address: 0000000000D9EBBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9EED1 second address: 0000000000D9EED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9EED7 second address: 0000000000D9EEE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9EEE0 second address: 0000000000D9EEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9EEE8 second address: 0000000000D9EEF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F4BED30CDA6h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9EEF7 second address: 0000000000D9EEFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9EEFB second address: 0000000000D9EF01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9F1B9 second address: 0000000000D9F1BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9F4CF second address: 0000000000D9F4D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9F4D3 second address: 0000000000D9F4D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9F4D7 second address: 0000000000D9F510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4BED30CDA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4BED30CDB8h 0x00000014 jnl 00007F4BED30CDB2h 0x0000001a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9F510 second address: 0000000000D9F52F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4BEC5CA3CEh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4BEC5CA3CDh 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6FFC5 second address: 0000000000A6FFCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A6FFCB second address: 0000000000A6FFCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A7008E second address: 0000000000A70092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A579FA second address: 0000000000A57AAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC5CA3D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov ecx, 6F846E13h 0x0000000f lea eax, dword ptr [ebp+143502CEh] 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F4BEC5CA3C8h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f mov edx, dword ptr [ebp+141D35EFh] 0x00000035 mov cx, si 0x00000038 push eax 0x00000039 pushad 0x0000003a jmp 00007F4BEC5CA3D8h 0x0000003f ja 00007F4BEC5CA3CCh 0x00000045 popad 0x00000046 mov dword ptr [esp], eax 0x00000049 call 00007F4BEC5CA3D2h 0x0000004e push eax 0x0000004f mov dword ptr [ebp+141D1A77h], ecx 0x00000055 pop edi 0x00000056 pop ecx 0x00000057 lea eax, dword ptr [ebp+1435028Ah] 0x0000005d call 00007F4BEC5CA3CBh 0x00000062 sub dword ptr [ebp+141DB355h], ecx 0x00000068 pop edi 0x00000069 xor edx, 187D65F5h 0x0000006f nop 0x00000070 pushad 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57AAC second address: 0000000000A57AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57AB0 second address: 0000000000A57AB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57AB9 second address: 0000000000A57ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57ABF second address: 0000000000A41B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jne 00007F4BEC5CA3CEh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F4BEC5CA3C8h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov edi, dword ptr [ebp+141D3743h] 0x0000002e call dword ptr [ebp+141D269Eh] 0x00000034 jnp 00007F4BEC5CA3E0h 0x0000003a jmp 00007F4BEC5CA3CCh 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A70F62 second address: 0000000000A70F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A70F66 second address: 0000000000A70F6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A92F75 second address: 0000000000A92F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A92F7B second address: 0000000000A92F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A92F86 second address: 0000000000A92F8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A92F8C second address: 0000000000A92F90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A92F90 second address: 0000000000A92F96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9F7EC second address: 0000000000D9F7F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A930E5 second address: 0000000000A9311D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 je 00007F4BED3126C6h 0x00000009 je 00007F4BED3126C6h 0x0000000f pop ecx 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jmp 00007F4BED3126D8h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d je 00007F4BED3126CCh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9311D second address: 0000000000A93121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A93512 second address: 0000000000A9351C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9351C second address: 0000000000A9353A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC530E96h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9353A second address: 0000000000A93540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A96899 second address: 0000000000A968A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 js 00007F4BEC530E88h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A99308 second address: 0000000000A9930F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A98C3D second address: 0000000000A98C41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9B225 second address: 0000000000A9B229 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9B229 second address: 0000000000A9B231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9B231 second address: 0000000000A9B252 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BED3126D7h 0x00000009 jl 00007F4BED3126C6h 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9B252 second address: 0000000000A9B26A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC530E94h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9FDCD second address: 0000000000D9FDD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9FDD3 second address: 0000000000D9FDD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000D9FDD9 second address: 0000000000D9FDDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9F4FC second address: 0000000000A9F50D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC530E8Dh 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9EDD4 second address: 0000000000A9EDDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9EDDA second address: 0000000000A9EDE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A9EF1C second address: 0000000000A9EF3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BED3126D5h 0x00000007 jnl 00007F4BED3126C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA2F49 second address: 0000000000AA2F6B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4BEC530E86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d js 00007F4BEC530E86h 0x00000013 jbe 00007F4BEC530E86h 0x00000019 popad 0x0000001a ja 00007F4BEC530E8Eh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA2F6B second address: 0000000000AA2F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop eax 0x0000000a popad 0x0000000b jnp 00007F4BED3126DAh 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA2F82 second address: 0000000000AA2F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A57337 second address: 0000000000A5733B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A5733B second address: 0000000000A573ED instructions: 0x00000000 rdtsc 0x00000002 js 00007F4BEC530E88h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F4BEC530E92h 0x00000013 pushad 0x00000014 jno 00007F4BEC530E86h 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c popad 0x0000001d popad 0x0000001e nop 0x0000001f jmp 00007F4BEC530E98h 0x00000024 mov ebx, dword ptr [ebp+143502C9h] 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007F4BEC530E88h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 00000018h 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 jns 00007F4BEC530E86h 0x0000004a mov edi, ebx 0x0000004c add eax, ebx 0x0000004e push 00000000h 0x00000050 push edx 0x00000051 call 00007F4BEC530E88h 0x00000056 pop edx 0x00000057 mov dword ptr [esp+04h], edx 0x0000005b add dword ptr [esp+04h], 00000016h 0x00000063 inc edx 0x00000064 push edx 0x00000065 ret 0x00000066 pop edx 0x00000067 ret 0x00000068 jg 00007F4BEC530E8Ch 0x0000006e push eax 0x0000006f push eax 0x00000070 push edx 0x00000071 jmp 00007F4BEC530E91h 0x00000076 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000A573ED second address: 0000000000A57481 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4BED3126CCh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov di, 8690h 0x00000014 push 00000004h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F4BED3126C8h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 jnl 00007F4BED3126D7h 0x00000036 nop 0x00000037 push edx 0x00000038 jmp 00007F4BED3126D5h 0x0000003d pop edx 0x0000003e push eax 0x0000003f pushad 0x00000040 pushad 0x00000041 jmp 00007F4BED3126D5h 0x00000046 pushad 0x00000047 popad 0x00000048 popad 0x00000049 je 00007F4BED3126CCh 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA00FE second address: 0000000000DA0109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4BEC530E86h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA3DC1 second address: 0000000000AA3DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4BED3126C6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA3DCE second address: 0000000000AA3DD5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AAA960 second address: 0000000000AAA96C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AAA96C second address: 0000000000AAA983 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC530E93h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA8CA7 second address: 0000000000AA8CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA8CAB second address: 0000000000AA8CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F4BEC530E8Eh 0x00000014 jmp 00007F4BEC530E98h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA8F73 second address: 0000000000AA8F77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA06B7 second address: 0000000000DA06D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4BEC530E90h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA06D0 second address: 0000000000DA0701 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4BED3126C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F4BED3126D9h 0x00000014 pop eax 0x00000015 jns 00007F4BED3126C8h 0x0000001b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA476E second address: 0000000000DA4784 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC530E90h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DA4784 second address: 0000000000DA4788 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA97E3 second address: 0000000000AA97EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DABA40 second address: 0000000000DABA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DABA44 second address: 0000000000DABA4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DABA4A second address: 0000000000DABA68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F4BED3126D8h 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DB215F second address: 0000000000DB2195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC530E90h 0x00000009 popad 0x0000000a pushad 0x0000000b jng 00007F4BEC530E86h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jmp 00007F4BEC530E8Bh 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jl 00007F4BEC530E86h 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DB044C second address: 0000000000DB0450 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DB0450 second address: 0000000000DB045E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jbe 00007F4BEC530E86h 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DB0B4B second address: 0000000000DB0B59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DB0FC9 second address: 0000000000DB0FCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DB0FCD second address: 0000000000DB0FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4BED3126D8h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA9D77 second address: 0000000000AA9D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AA9D7B second address: 0000000000AA9D7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DAFE95 second address: 0000000000DAFEA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F4BEC530E86h 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DB6E8A second address: 0000000000DB6E90 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DB6BA7 second address: 0000000000DB6BD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jg 00007F4BEC530E88h 0x0000000b jmp 00007F4BEC530E91h 0x00000010 pushad 0x00000011 jng 00007F4BEC530E86h 0x00000017 pushad 0x00000018 popad 0x00000019 jg 00007F4BEC530E86h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC017C second address: 0000000000DC0191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F4BED3126D0h 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC0191 second address: 0000000000DC01AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4BEC530E96h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC06F1 second address: 0000000000DC06F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC086E second address: 0000000000DC088C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC530E8Bh 0x00000007 jmp 00007F4BEC530E8Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC088C second address: 0000000000DC0894 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC0894 second address: 0000000000DC0898 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DBF69E second address: 0000000000DBF6A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC09E2 second address: 0000000000DC09E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC0B68 second address: 0000000000DC0B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 jmp 00007F4BED3126D2h 0x0000000c jmp 00007F4BED3126D6h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC0D11 second address: 0000000000DC0D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4BEC530E92h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC0D28 second address: 0000000000DC0D47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4BED3126D4h 0x00000008 jno 00007F4BED3126C6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC0D47 second address: 0000000000DC0D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4BEC530E91h 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC0D61 second address: 0000000000DC0D7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F4BED3126D7h 0x0000000b rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC1182 second address: 0000000000DC11A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F4BEC530E94h 0x0000000f rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC1480 second address: 0000000000DC149E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4BED3126D3h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC149E second address: 0000000000DC14A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	RDTSC instruction interceptor: First address: 0000000000DC14A2 second address: 0000000000DC14DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BED3126D6h 0x00000007 jmp 00007F4BED3126D8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jl 00007F4BED3126CEh 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AB2532 second address: 0000000000AB254A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F4BEC3895E3h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AB254A second address: 0000000000AB256A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4BEC76D8C7h 0x0000000e rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AB26A0 second address: 0000000000AB26A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	RDTSC instruction interceptor: First address: 0000000000AB2976 second address: 0000000000AB299F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4BEC76D8C3h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F4BEC76D8BDh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe TID: 6624	Thread sleep time: -68034s >= -30000s
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe TID: 6628	Thread sleep time: -88044s >= -30000s
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe TID: 6612	Thread sleep time: -46023s >= -30000s
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe TID: 6616	Thread sleep time: -58029s >= -30000s
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe TID: 964	Thread sleep count: 34 > 30
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe TID: 964	Thread sleep time: -68034s >= -30000s
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe TID: 6800	Thread sleep time: -42021s >= -30000s
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe TID: 2320	Thread sleep count: 38 > 30
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe TID: 2320	Thread sleep time: -76038s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Last function: Thread delayed

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe

Window / User API: threadDelayed 415

Found large amount of non-executed APIs

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe	API coverage: 6.2 %
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	API coverage: 2.1 %
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	API coverage: 6.9 %

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicCrypto32V21.dll			Jump to dropped file
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX_Uninstall.exe			Jump to dropped file

Contains capabilities to detect virtual machines

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: MagicLine4NX.exe, 0000002B.00000002.2457679120.0000000000D28000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NXServices.exe, 0000002C.00000002.1509377448.0000000000A32000.00000040.00000001.01000000.0000001C.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MagicLine4NX.exe, 0000002B.00000002.2464388155.00000000016D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: svchost.exe, 0000001A.00000002.2423245909.00000241FC413000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\w%SystemRoot%\system32\mswsock.dll\Windows\system;C:\Windows;.;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\Serv
Source: cscript.exe, 00000016.00000003.1384442431.000000000321C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWar&Prod_VMware_SATA_C
Source: MagicLine4NX.exe, 0000002B.00000002.2457679120.0000000000D28000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NXServices.exe, 0000002C.00000002.1509377448.0000000000A32000.00000040.00000001.01000000.0000001C.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: svchost.exe, 00000002.00000002.2429760809.0000010A84C6D000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000011.00000002.1300249086.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000013.00000002.1318847140.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.1352328513.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000002.1379466690.0000000001528000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000023.00000002.1406667750.0000000001358000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000025.00000002.1418215234.0000000001538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 19_2_6E1480F0 GetSystemInfo,

19_2_6E1480F0

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFDD673 FindFirstFileExA,	17_2_6DFDD673
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E02F393 FindFirstFileExA,	17_2_6E02F393
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E159CF0 __mbsinc,FindFirstFileA,GetLastError,	19_2_6E159CF0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E17300F FindFirstFileExA,	19_2_6E17300F
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1952CD FindFirstFileExA,	19_2_6E1952CD
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E282291 FindFirstFileExA,	19_2_6E282291

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe

System information queried: ModuleInformation

Anti Debugging

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Open window title or class name: regmonclass
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Open window title or class name: gbdyllo
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Open window title or class name: procmon_window_class
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Open window title or class name: ollydbg
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Open window title or class name: filemonclass
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Hides threads from debuggers

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Thread information set: HideFromDebugger

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

0_2_100010D0

Contains functionality to read the PEB

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFDADAB mov eax, dword ptr fs:[00000030h]	17_2_6DFDADAB
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFDD448 mov eax, dword ptr fs:[00000030h]	17_2_6DFDD448
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E029903 mov eax, dword ptr fs:[00000030h]	17_2_6E029903
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E02F168 mov eax, dword ptr fs:[00000030h]	17_2_6E02F168
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E169038 mov eax, dword ptr fs:[00000030h]	19_2_6E169038
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1721B7 mov eax, dword ptr fs:[00000030h]	19_2_6E1721B7
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E1721FC mov eax, dword ptr fs:[00000030h]	19_2_6E1721FC
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E194E0D mov eax, dword ptr fs:[00000030h]	19_2_6E194E0D
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E193BDA mov eax, dword ptr fs:[00000030h]	19_2_6E193BDA
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E282066 mov eax, dword ptr fs:[00000030h]	19_2_6E282066
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E27DD30 mov eax, dword ptr fs:[00000030h]	19_2_6E27DD30

Checks if the current process is being debugged

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Process queried: DebugPort

Checks for debuggers (devices)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	File opened: NTICE
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	File opened: SICE
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	File opened: SIWVID

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 17_2_6DFDB940 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

17_2_6DFDB940

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 17_2_6DFDE2E8 GetProcessHeap,

17_2_6DFDE2E8

Enables debug privileges

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	Process token adjusted: Debug

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD8CCC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_6DFD8CCC
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFDB940 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_6DFDB940
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6DFD936A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_6DFD936A
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E025EFA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_6E025EFA
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E02D2FB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_6E02D2FB
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E0263FF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_6E0263FF
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E16AA4D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_6E16AA4D
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E15D6DB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_6E15D6DB
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E15E55C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_6E15E55C
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E194E40 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_6E194E40
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E19260B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_6E19260B
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E192265 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_6E192265
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E27887F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_6E27887F

HIPS / PFW / Operating System Protection Evasion

DLL side loading technique detected

Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: C:\Windows\SysWOW64\version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: C:\Windows\SysWOW64\version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: C:\Windows\SysWOW64\version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: C:\Windows\SysWOW64\version.dll	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe c:\program files (x86)\dreamsecurity\magicline4nx\cert\certutil.exe" -a -n "dreamsecurity root ca" -i "c:\program files (x86)\dreamsecurity\magicline4nx\cert\dreamsecurity-rootca.der" -t "ct,c,c" -d "c:\users\user\appdata\roaming\mozilla\firefox\profiles\kc1pur8x.default
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe c:\program files (x86)\dreamsecurity\magicline4nx\cert\certutil.exe" -a -n "dreamsecurity root ca" -i "c:\program files (x86)\dreamsecurity\magicline4nx\cert\dreamsecurity-rootca.der" -t "ct,c,c" -d sql:"c:\users\user\appdata\roaming\mozilla\firefox\profiles\tjbwzv1u.default-release
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe c:\program files (x86)\dreamsecurity\magicline4nx\cert\certutil.exe" -a -n "dreamsecurity root ca" -i "c:\program files (x86)\dreamsecurity\magicline4nx\cert\dreamsecurity-rootca.der" -t "ct,c,c" -d "c:\users\user\appdata\roaming\mozilla\firefox\profiles\kc1pur8x.default	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe c:\program files (x86)\dreamsecurity\magicline4nx\cert\certutil.exe" -a -n "dreamsecurity root ca" -i "c:\program files (x86)\dreamsecurity\magicline4nx\cert\dreamsecurity-rootca.der" -t "ct,c,c" -d sql:"c:\users\user\appdata\roaming\mozilla\firefox\profiles\tjbwzv1u.default-release	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C taskkill /f /im NTSMagicLineNP.exe	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop MagicLine4NXSVC	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc delete MagicLine4NXSVC	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C taskkill /f /im MagicLine4NX.exe	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe" -add dreamsecurity-rootca.der -c -s -r localMachine Root	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefoxCheck.vbs" "MagicLine4NX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefox.vbs" "MagicLine4NX	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="MagicLine4NX" program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe"	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="MagicLine4NX" dir=in action=allow program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" enable=yes	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.Windows.Spartan_cw5n1h2txyewy"	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe" -install	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start MagicLine4NXSVC	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im NTSMagicLineNP.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im MagicLine4NX.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default" -n "Dreamsecurity ROOT CA	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release" -n "Dreamsecurity ROOT CA	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release	Jump to behavior

Uses taskkill to terminate processes

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im NTSMagicLineNP.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im MagicLine4NX.exe			Jump to behavior

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 19_2_6E158BD0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLengthSid,CopySid,GetTokenInformation,GetLengthSid,CopySid,FindCloseChangeNotification,AllocateAndInitializeSid,

19_2_6E158BD0

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 19_2_6E158D20 GetLastError,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,GetLengthSid,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetLastError,

19_2_6E158D20

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\secmod.db VolumeInformation
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert8.db VolumeInformation
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\key3.db VolumeInformation
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der VolumeInformation
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Queries volume information: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation

Contains functionality to query CPU information (cpuid)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 17_2_6DFD8DEF cpuid

17_2_6DFD8DEF

Source: C:\Windows\SysWOW64\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 17_2_6DFD8F8E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

17_2_6DFD8F8E

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Code function: 17_2_6E031A8B _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

17_2_6E031A8B

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

0_2_100010D0

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="MagicLine4NX" program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe"

Modifies Internet Explorer zone settings

Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1406	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1607	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 CurrentLevel	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1607	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 CurrentLevel	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1406	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1607	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 CurrentLevel	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1607	Jump to behavior
Source: C:\Users\user\Desktop\magicline4nx_setup.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 CurrentLevel	Jump to behavior

Overwrites Mozilla Firefox settings

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\secmod.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\secmod.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\secmod.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert8.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert8.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert8.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\key3.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\key3.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\key3.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\cert9.db-journal
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\cert9.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\key4.db-journal
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\key4.db

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Modifies the windows firewall

Source: C:\Users\user\Desktop\magicline4nx_setup.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="MagicLine4NX" program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe"

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"

AV process strings found (often used to terminate AV products)

Source: svchost.exe, 00000021.00000002.2430348352.000001D1EF702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000021.00000002.2429556963.000001D1EF666000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AntiVirusProduct{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}Windows DefenderMon, 28 Nov 2022 14:22:50 GMTwindowsdefender://%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000021.00000002.2427255821.000001D1EF644000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000021.00000002.2427255821.000001D1EF644000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000021.00000002.2430348352.000001D1EF702000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.2429556963.000001D1EF666000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\key.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\pkcs11.txt
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert6.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert5.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert8.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert7.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\key4.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\cert9.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\cert9.db-journal
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\secmod.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\key3.db
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\key4.db-journal

Remote Access Functionality

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 17_2_6E055C30 sqlite3_clear_bindings,	17_2_6E055C30
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E15ACF0 listen,WSAGetLastError,	19_2_6E15ACF0
Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	Code function: 19_2_6E15AB20 bind,WSAGetLastError,	19_2_6E15AB20

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Windows Management Instrumentation	11 DLL Side-Loading	11 DLL Side-Loading	41 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scripting	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Deobfuscate/Decode Files or Information	LSASS Memory	4 File and Directory Discovery	Remote Desktop Protocol	2 Man in the Browser	Exfiltration Over Bluetooth	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Native API	1 Windows Service	1 Windows Service	1 Scripting	Security Account Manager	228 System Information Discovery	SMB/Windows Admin Shares	1 Data from Local System	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	11 Process Injection	31 Obfuscated Files or Information	NTDS	571 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Service Execution	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Install Root Certificate	LSA Secrets	24 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	121 Software Packing	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Search Order Hijacking	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	12 Masquerading	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	24 Virtualization/Sandbox Evasion	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	11 Process Injection	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
magicline4nx_setup.exe	4%	ReversingLabs
magicline4nx_setup.exe	3%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\DSCToolkitV30-v3.4.2.20.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicCrypto32V21.dll	3%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX_Uninstall.exe	4%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\freebl3.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libnspr4.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libplc4.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libplds4.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nspr4.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nss3.dll	3%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nssdbm3.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nssutil3.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\plc4.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\plds4.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\smime3.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\softokn3.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\sqlite3.dll	3%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\httptx.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\libeay32.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\nsldap32v50.dll	0%	ReversingLabs
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\ssleay32.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\DumpLog.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\KillProcDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\NsisUtil.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\nsProcess.dll	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\version.dll	2%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.magicline4nx_setup.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
http://ids.smartcert.kr	0%	Avira URL Cloud	safe
http://pcro.mobilesign.net/mini_cert_install.html	0%	Avira URL Cloud	safe
http://rootca.kisa.or.kr/kor/hsm/hsm.jsp	0%	Virustotal		Browse
http://rootca.kisa.or.kr/kor/hsm/hsm.jsp	0%	Avira URL Cloud	safe
https://mobi.yessign.or.kr/mobisignInstall.htm	0%	Avira URL Cloud	safe
http://pcro.mobilesign.net/mini_cert_install.html	0%	Virustotal		Browse
https://mobi.yessign.or.kr/mobisignInstall.htm	0%	Virustotal		Browse
http://www.ubikey.co.kr/infovine/download.html1.4.0.2609100003www.dreamsecurity.comcenter.smartcert.	0%	Avira URL Cloud	safe
https://mobi.yessign.or.kr/mobisignInstall.htmsiteCode6070059serviceOptubikeyUbikeylParamUbikeyWPara	0%	Avira URL Cloud	safe
http://rootca.kisa.or.kr/kor/hsm/hsm.jspPKCS#11.DriverDriver	0%	Avira URL Cloud	safe
https://activity.windows.comds	0%	Avira URL Cloud	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
http://www.ubikey.co.kr/infovine/download.html	0%	Avira URL Cloud	safe
http://pcro.mobilesign.net/mini_cert_install.html679865F99D3C364AE1795B826BF546FAB3AC7343	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG	MagicLine4NX.exe, 0000002B.00000002.2485841132.0000000006112000.00000002.00000001.01000000.00000023.sdmp, MagicLine4NX.exe, 0000002B.00000003.1534700572.0000000005DF0000.00000004.00000800.00020000.00000000.sdmp, libeay32.dll.0.dr	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1460766990.00000168B2065000.00000004.00000020.00020000.00000000.sdmp	false		high
http://rootca.kisa.or.kr/kor/hsm/hsm.jsp	MagicLine4NX.exe, 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.openssl.org/V	MagicLine4NX.exe, 0000002B.00000002.2487204433.000000000616E000.00000002.00000001.01000000.00000023.sdmp, MagicLine4NX.exe, 0000002B.00000003.1534700572.0000000005DF0000.00000004.00000800.00020000.00000000.sdmp, MagicLine4NX.exe, 0000002B.00000002.2482809862.000000000603E000.00000002.00000001.01000000.00000022.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000001B.00000003.1456581081.00000168B2041000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 0000001B.00000002.1460315787.00000168B205C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455845312.00000168B205B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000001B.00000003.1456789529.00000168B206D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1451717440.00000168B206C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mobi.yessign.or.kr/mobisignInstall.htm	MagicLine4NX.exe, 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ids.smartcert.kr	MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	MagicLine4NX.exe, 0000002B.00000002.2485841132.0000000006112000.00000002.00000001.01000000.00000023.sdmp, MagicLine4NX.exe, 0000002B.00000003.1534700572.0000000005DF0000.00000004.00000800.00020000.00000000.sdmp, libeay32.dll.0.dr	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1461738208.00000168B2074000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455339476.00000168B2045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1451546459.00000168B2072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pcro.mobilesign.net/mini_cert_install.html	MagicLine4NX.exe, 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000001B.00000002.1459496867.00000168B2042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1456581081.00000168B2041000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	MagicLine4NXServices.exe.0.dr	false		high
https://activity.windows.comds	svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ubikey.co.kr/infovine/download.html1.4.0.2609100003www.dreamsecurity.comcenter.smartcert.	MagicLine4NX.exe, 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=	svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000001B.00000002.1458155402.00000168B2013000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1460766990.00000168B2065000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cps.root-x1.letsencrypt.org0	certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	false	URL Reputation: safe	unknown
http://rootca.kisa.or.kr/kor/hsm/hsm.jspPKCS#11.DriverDriver	MagicLine4NX.exe, 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mobi.yessign.or.kr/mobisignInstall.htmsiteCode6070059serviceOptubikeyUbikeylParamUbikeyWPara	MagicLine4NX.exe, 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1451546459.00000168B2072000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	MagicLine4NXServices.exe.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1460766990.00000168B2065000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 0000001B.00000002.1458385356.00000168B202B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000001B.00000003.1456496932.00000168B2044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1454329560.00000168B2046000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Stops/	svchost.exe, 0000001B.00000003.1452471311.00000168B2069000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 0000001B.00000003.1453797692.00000168B205E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455339476.00000168B2045000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1460652418.00000168B2063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1454329560.00000168B2046000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	magicline4nx_setup.exe, MagicLine4NX_Uninstall.exe.0.dr	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000001B.00000002.1459384486.00000168B203F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455339476.00000168B2045000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/	svchost.exe, 0000001B.00000003.1350499738.00000168B2036000.00000004.00000020.00020000.00000000.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 0000001B.00000003.1454329560.00000168B2046000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000001B.00000003.1451546459.00000168B2072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000001B.00000002.1460315787.00000168B205C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455845312.00000168B205B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	magicline4nx_setup.exe, MagicLine4NX_Uninstall.exe.0.dr	false		high
https://dynamic.t	svchost.exe, 0000001B.00000003.1456646604.00000168B2047000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.thawte.com/cps0/	magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	false		high
http://www.ubikey.co.kr/infovine/download.html	MagicLine4NX.exe, 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, MagicLine4NX.exe, 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/repository0W	magicline4nx_setup.exe, MagicLine4NXServices.exe.0.dr	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	certutil.exe, 00000013.00000003.1313979753.000000000103A000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1372715520.0000000001C88000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1362708452.00000000022CA000.00000004.00000800.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.1369652151.00000000022D2000.00000004.00000800.00020000.00000000.sdmp, cert9.db-journal.30.dr, cert9.db.30.dr	false	URL Reputation: safe	unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000001B.00000003.1350499738.00000168B2036000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Schedules/	svchost.exe, 0000001B.00000003.1451546459.00000168B2072000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	svchost.exe, 0000001B.00000003.1456496932.00000168B2044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1454329560.00000168B2046000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1456646604.00000168B2047000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000001B.00000003.1452709266.00000168B2062000.00000004.00000020.00020000.00000000.sdmp	false		high
https://activity.windows.com	svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp, CDPGlobalSettings.cdp.2.dr	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000001B.00000003.1452377834.00000168B206A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pcro.mobilesign.net/mini_cert_install.html679865F99D3C364AE1795B826BF546FAB3AC7343	MagicLine4NX.exe, 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, MagicLine4NX.exe, 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://%s.dnet.xboxlive.com	svchost.exe, 00000002.00000002.2426719982.0000010A84C41000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000001B.00000002.1460315787.00000168B205C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.1455845312.00000168B205B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000001B.00000003.1451838018.00000168B204D000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	755310
Start date and time:	2022-11-28 15:22:00 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	magicline4nx_setup.exe
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	49
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal90.phis.troj.spyw.expl.evad.winEXE@66/58@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 8.4% (good quality ratio 8.2%) Quality average: 80.9% Quality standard deviation: 25.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 29 Number of non-executed functions: 282
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, usocoreworker.exe
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, login.live.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicCrypto32V21.dll	magicline4nx_setup.exe	Get hash	malicious	Browse
	magicline4nx_setup.exe	Get hash	malicious	Browse
	magicline4npiz.exe	Get hash	malicious	Browse
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\DSCToolkitV30-v3.4.2.20.dll	magicline4nx_setup.exe	Get hash	malicious	Browse
	magicline4nx_setup.exe	Get hash	malicious	Browse
	magicline4npiz.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2997248
Entropy (8bit):	6.268242233467519
Encrypted:	false
SSDEEP:	49152:h7ClpXrwlUNmw4ti5GX0QaiEmPDOkSxoIUhbYhC+c3hz93GRHEgwRhj5ib9cPgfz:9ArJmw4ti60Qa3mPDOkSxoBhbYh5cJM2
MD5:	61D12D057457751157FDE1E7BB1BADCD
SHA1:	6778E50CDD05C99836D406EBB8992EA0181FC71C
SHA-256:	23E7F0A6D9690B5667181C9670F60655C68ADA382CE0DEB7AC7D493344702D64
SHA-512:	E27A0706C4460007C84449BB951CF0929A94FF416C508FAE14B810FBD67CF0E81E25F05373E51A8C3FB2C7DDCA3EDFF8C0D3C8A4CB03E4135414F080578C0FF1
Malicious:	true
Yara Hits:	Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..k...k...k.......k.......k.?.....k..v....k..v..L.k......k..v....k.......k...j...k..v..g.k..v....k..v....k..v....k.Rich..k.........................PE..L...VB.`...........!................;........................................p........-...@..........................c.......$.......P!.X....................@+.\|.......................................@...............<...l"..@....................text............................... ..`.rdata..............................@..@.data........p...X...N..............@....rsrc...X....P!....... .............@..@.reloc...$...@+..&....*.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\DSCToolkitV30-v3.4.2.20.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2851840
Entropy (8bit):	6.636498674176936
Encrypted:	false
SSDEEP:	49152:dMfIL1FYSWQyJYRD3gsPrni7zuer/JJZCd8f8dqt:OgwSEYRDQsPrni73Z0
MD5:	A48558F7999A0382CD5D5F3063D87E96
SHA1:	47D2AFAE66090D15ECBB4DC87D200BC6F4729229
SHA-256:	C5B6BC8DA03C677EAA37E67F6FBC8735943DCC1329548CDDDA7BFFBEEA6EFCEE
SHA-512:	A5A3E39470B2C58F839A2CB54483F5B3776D64706DFAD91219C25C4D5A16A85FF2CF17251188E1BE86020CB52DE6F158E58E66D118307264EFC688AB03F6919B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: magicline4nx_setup.exe, Detection: malicious, Browse Filename: magicline4nx_setup.exe, Detection: malicious, Browse Filename: magicline4npiz.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........G.........B.1......2......$.Z....#.\|....................................-......5.....3......6....Rich...........................PE..L.....%X...........!......".......... .......#...............................,.......,...@...........................'.}!....&.......).......................).......#...............................................#.x............................text....."......."................. ..`.rdata..m3....#..4....".............@..@.data....m...@'..(..."'.............@....rsrc.........)......J).............@..@.reloc...3....)..4...P).............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\ENG.ini

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	16484
Entropy (8bit):	5.373727556026202
Encrypted:	false
SSDEEP:	384:d4OQvRtCt/6Ub7HDrB39jVZk3toIs92URC7iUSiFGaPLOVrVamPaedupqdkaRcVe:qOiR0t/9HnB3x9QURC7ipJAqVrVZPx8I
MD5:	B5673572EA31449177E07E5C5CAE3BE2
SHA1:	CA3D80F1B394A6464934ED2DCCC6DD9351BF25E1
SHA-256:	7779A2B0F48B0339E1761E0D3E60ED07370B26EBB404477E95166A5E4A593114
SHA-512:	7482651C3066882F4CFFA829CA02073C7705A2AE7537980DE6AC62553ED05812654570DA4667DD6CF524057295791A48C44255C3FF32734B370EF02F11BC4F81
Malicious:	false
Preview:	[UserInterface]..DLG_CERTMANAGER_CAPITON="Certificates Wizard"..DLG_CERTMANAGER_CAPITON_SELCERT="Certificates Wizard"..DLG_CERTMANAGER_CAPITON_MANAGE="Magnage Certificates"..DLG_CERTMANAGER_SIGNTAG="Data to be signed"..DLG_CERTCOPY_CAPITON="Copy Certificates"..DLG_CERTPASSWORD_CAPITON="Certificate Password"....DLG_BUTTONMEDIA_HDD="HardDisk"..DLG_BUTTONMEDIA_REMOVE="Removable Disk"..DLG_BUTTONMEDIA_PKCS11="Cryptographic Token"..DLG_BUTTONMEDIA_SMCARD="Storage Token"..DLG_BUTTONMEDIA_PHONE="Mobile Phone"..DLG_BUTTONMEDIA_USIM="USIM MobileToken"..DLG_BUTTONMEDIA_FINDCERT="Find"....DLG_DLG_BUTTONMEDIA_NOTREMOVE="No removable disk is detected."....DLG_CERTMANAGER_TABNORMAL="Certificates"..DLG_CERTMANAGER_TABMNG="Magnage Certificates"....DLG_MANAGEMAIN_TABUSER="Personal"..DLG_MANAGEMAIN_TABCA="Intermediate CA"..DLG_MANAGEMAIN_TABROOT="Root CA"..DLG_MANAGEMAIN_TABPRIVATECA="Private CA"....DLG_GROUPBOX_MEDIA="Storage Devices"..DLG_GROUPBOX_COPYMEDIA="Storage Devices"....DLG_BTNOK="OK"..DLG_BTN

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\Images\Logo.bmp

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PC bitmap, Windows 3.x format, 369 x 73 x 16, image size 54022, resolution 3779 x 3779 px/m, cbSize 54076, bits offset 54
Category:	dropped
Size (bytes):	54076
Entropy (8bit):	5.225436026319598
Encrypted:	false
SSDEEP:	1536:t4hDW7u88888L8888885o8888X888UDcfgj:t4se
MD5:	CD75B1457961A2A2D11D8629838B5A52
SHA1:	0D98BD60AEA8564FD2D079B295CB75A5C66D4759
SHA-256:	598CB5A89036EA6BE740F16DE4DECDF82FFD4B137A377144D0399FEC1E227E2D
SHA-512:	2DC6022B021CBF16A469FCA122EDD03CE2F86B1DD05622C996A86811A0F2F15E3B7063CCB0DF16B07DE2A7DA98C1163C026DE2C60A81E513F47D6EDB94D8039D
Malicious:	false
Preview:	BM<.......6...(...q...I...............................RWucucsctcu_ScSgt_SSRWt_s_r[s[tWsWsWtWsWRSR[r_sgRgRgS_r_rgRcsgscscs_t[tWs_RWr[Q[Q[P_Q[rWr_Q[Q_P_Q_r[s[s[r[r[TSRKrSR_Rct[r[QWs[T[R[R_scsWsSRWQWrWr_r_s_r_R[r_s_s[s[s[sWRSQOR_sgr[s[scs[scscs_s[s[r[s_t_RWRSw[vgsgr_Q_r_s_r[rSrOrOsSs[s[r[r[s_sgsgQWQWQ[Q[scscs[rWRWRWr[rWRSS[s_R[R_scscr_rWQSr[s[sWsWQO0O0SQ[rcrgsctcrcRSs_tctcr[s_s[rWr[r[rWr_s_s_r[rWsWsWrWs_rcr_R[RWq[r[R[RWRSs[t_.c._.W.W.S.SPO0C0G.G.G0SQ_Qcr_rcr[rWpOpKr[r[r[r[R_Q_QWQWQS.G.C.GPK.G.G.F.KNOOS0W.S.F.F0SQSQS/OPSpS-O-KqW.ctkuk.g.c.ct_r_Q[QWs_.k.k.o.ougvg.s.{.{.{.{.{.{.{.sT_.k.wwg.S.g.{.{.{.{.{..............................................................................................................................................................................................s[u_v_tcscs[R_Sgtcs[R[r[s_r_s_tWtWsWsWs[RORSr_scRgQcQ[R[R_rcrgscscs_s[R[r_Q[Q[Q[Q[P_q[rWr[Q[P[/[Q_r_r[rWrWr[s[sWrWr[R_QWQWR[s[SWR[RgsgS[SWRWRSrWr[r_r_r_r[r[r_s[s[s[rWrSQSR_scr_rWs_s[.cscs_sWs[r[r[s[r[RWSWsc

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\IssuerOid.conf

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	14346
Entropy (8bit):	5.719634365075914
Encrypted:	false
SSDEEP:	384:yK5PMsGUDs5zL3LKdzuTylEAqOR/NS7w/q2SJsw4LxClya+7LsT1Xujn3EnzqIP3:f9GOs5zL+1uq2pP7CtH4oX8zUEqYOaYs
MD5:	6E134C6439E8112B105FDFFB379A2EBE
SHA1:	0C4F4C52A2D3D7321C9DE82CC1190216CC4B42A0
SHA-256:	9756AD9ECDC7BABCBA5B5115883BE8E7FB8356A8FE26A64F8D42953ED3DE63B3
SHA-512:	553F2DE596AC338E7C502BC6935BB1BEE3038CDEA34ECC739E7CF8083AF4F4D9A7ABBD9018887E8CFD9A566DBDB31E6DE598BC5718D601CB3B28EF6592C79CBF
Malicious:	false
Preview:	1.2.410.100001.2.1.1=.........1.2.410.100001.2.1.2=.......1.2.410.100001.2.1.3=...........1.2.410.100001.2.1.4=.......(..../...)..1.2.410.100001.2.1.5=.....(..../...)..1.2.410.100001.2.1.6=.........(..../...)..1.2.410.100001.2.2.1=..........1.2.410.100001.2.2.2=.......1.2.410.100001.5.3.1.1=..........1.2.410.100001.5.3.1.3=.......1.2.410.100001.5.3.1.5=...........1.2.410.100001.5.3.1.7=........1.2.410.100001.5.3.1.9=SSL....1.2.410.200004.5.1.1.1=......(..... ....)..1.2.410.200004.5.1.1.2=......(..... .......)..1.2.410.200004.5.1.1.3=......(..... ....)..1.2.410.200004.5.1.1.4=......(..... ....)..1.2.410.200004.5.1.1.5=........1.2.410.200004.5.1.1.6=...........1.2.410.200004.5.1.1.7=........1.2.410.200004.5.1.1.8=........1.2.410.200004.5.1.1.9=..../.......1.2.410.200004.5.1.1.9.2=.........1.2.410.200004.5.1.1.10=... .........1.2.410.200004.5.1.1.11=.......(....)..1.2.410.200004.5.1.1.12=.......(....)..1.2.410.200004.5.2.1.1=........1.2.410.

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\IssuerOid_Eng.conf

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	14415
Entropy (8bit):	5.225719152388337
Encrypted:	false
SSDEEP:	384:jDPNMJsGVufpqeDFunUqv6WrBkSEaBlmY3T+m4B0Rg2mPNkPd7yu5qxjS9Eiqy0+:9RHit
MD5:	F1EBA7DDDC7C4BAEDEC17262E1856335
SHA1:	15F11F09B91739E27597764DE4128637EE65F379
SHA-256:	6C8BFD46D492A8DC9CFAB616DEA02C4C032FCAB1008390C4B8311A5AA0E8EB22
SHA-512:	4459185BE4CF8A734C1E659A93E248FC115C70FC683391BDC8127115A1C0386FF3DC539B9D4B6C4C32914429597F423FB3A1CB9FABDCAB735B16A3F9158D4D56
Malicious:	false
Preview:	1.2.410.100001.2.1.1=E-authentication .1.2.410.100001.2.1.2=computer.1.2.410.100001.2.1.3=E-special official seal .1.2.410.100001.2.2.1=public official.1.2.410.200004.5.1.1.1=usage limite(special Private).1.2.410.200004.5.1.1.2=usage limite(special Private Server).1.2.410.200004.5.1.1.3=usage limite(special Corporation).1.2.410.200004.5.1.1.4=usage limite(special Sever).1.2.410.200004.5.1.1.5=wide use(Private).1.2.410.200004.5.1.1.6=wide use(Private Server).1.2.410.200004.5.1.1.7=wide use(Corporation).1.2.410.200004.5.1.1.8=wide use(Server).1.2.410.200004.5.1.1.9=stock/insurance.1.2.410.200004.5.1.1.9.2=credit card.1.2.410.200004.5.1.1.10=gold (Private Server).1.2.410.200004.5.1.1.11=National Tax Service(Private).1.2.410.200004.5.1.1.12=National Tax Service(Corporation).1.2.410.200004.5.2.1.1=wide use(company).1.2.410.200004.5.2.1.2=wide use(Private).1.2.410.200004.5.2.1.3=special class(E-tender).1.2.410.200004.5.2.1.4=1class certificate(Server).1.2.410.200004.5.2.1.5=special class(Cor

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\KOR.ini

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	Generic INItialization configuration [Message]
Category:	dropped
Size (bytes):	15702
Entropy (8bit):	6.079558802157707
Encrypted:	false
SSDEEP:	384:18vhqesCVDR6B3kbIxXTqodZlQBAWRNSHwHhWTFv+qI:yvhqw+kYcWTFW
MD5:	A8E649082B174EBC810DD565F02EBFF1
SHA1:	F5D0C6F9427DEFC3FCD934E1D9246744B10E6D62
SHA-256:	CD3EC7C1CC5515839299A00E2D172564939D39C52FF2DADBEDACB3C0CB8E3BBC
SHA-512:	5C0EDC0D0C88B8EB0A0BB10B61A1AB671618010E15227DAFFBCA78121988173DCD55392BE64293DA5BC28CC15082824D1D95EFDA948EC1FDB1B8C0884B74C601
Malicious:	false
Preview:	[UserInterface]..DLG_CERTMANAGER_CAPITON="...... ....."..DLG_CERTMANAGER_CAPITON_SELCERT="...... ....."..DLG_CERTMANAGER_CAPITON_MANAGE="...... ....."..DLG_CERTMANAGER_SIGNTAG="...... .... ......"..DLG_CERTCOPY_CAPITON="...... ...."..DLG_CERTPASSWORD_CAPITON="...... ..... ..."....DLG_BUTTONMEDIA_HDD="....."..DLG_BUTTONMEDIA_REMOVE="..... ..."..DLG_BUTTONMEDIA_PKCS11="......."..DLG_BUTTONMEDIA_SMCARD="......."..DLG_BUTTONMEDIA_PHONE="......"..DLG_BUTTONMEDIA_USIM="........"..DLG_BUTTONMEDIA_FINDCERT="......"....DLG_DLG_BUTTONMEDIA_NOTREMOVE="..... ............."....DLG_CERTMANAGER_TABNORMAL="..."..DLG_CERTMANAGER_TABMNG="...."....DLG_MANAGEMAIN_TABUSER="...."..DLG_MANAGEMAIN_TABCA=".........."..DLG_MANAGEMAIN_TABROOT="............"..DLG_MANAGEMAIN_TABPRIVATECA="........."....DLG_GROUPBOX_MEDIA="...... ...."..DLG_GROUPBOX_COPYMEDIA="...... ...."....DLG_BTNOK="..."..DLG_BTNCANCEL="..."....DLG_CERTLISTCTRL_DN="......."..DLG_CERTLISTCTRL_ISSUER=".

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicCrypto32V21.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	385066
Entropy (8bit):	6.643961767304468
Encrypted:	false
SSDEEP:	6144:RCfO9c6rrgvu4xt+kVtN6V7mJ99UtQEZ2t7e7jP52n:0ucKgvu4VtNWmJ9ut/Q9n
MD5:	F9C641197FF2F98F6F31C510880A3601
SHA1:	4082D67C8D7146D7FB593BC349FF994B22C0A746
SHA-256:	670B2F1B85F39391CFF7B337A8D76EB10AB9A39A1E3E7BB985E3A22C162322EB
SHA-512:	DE19379716F1985921C71830DE372D30A2B7BF6F9E8416EFE500A53FB12D28FBB965EFFEC191F3148D377B91B4474692AE1D084E35707455F75EFEC55A11472A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: magicline4nx_setup.exe, Detection: malicious, Browse Filename: magicline4nx_setup.exe, Detection: malicious, Browse Filename: magicline4npiz.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n...n...n...X..o......z......i...n...5...X........o...Richn...................PE..L......V...........!................ ................................................................................u.......n..P................................"......................................................P............................text...X........................... ..`.rdata...z..........................@..@.data....=.......0..................@....reloc..p.......0..................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3753952
Entropy (8bit):	7.4951752768056945
Encrypted:	false
SSDEEP:	98304:hrgpCnBLeEObjGiyvDGKmi+KTE9ciAZTxxgWNR:hrgknBLeEOTw+wEVAZbgMR
MD5:	A98F6351876129FED4A6CA7DB7CBD721
SHA1:	23A6FA3BE3E470E6AC8A3966120A75AF02660EF2
SHA-256:	73041F16308B88BFA8A70E27B1DA6CD0F99866644D1E138C7BCB58C2627A6008
SHA-512:	44DE1F27D23F4AB79CF63A0C20D7DB3EC95E096B8C522BACB50B4FA5D1953782C39A8AEB7EA18C7B0AC11C776AF0B780180082912DB8F202BA7A78CB0E429C7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........\.m.\.m.\.m.U..L.m.....^.m.G..n.m.G....m.3..T.m.U..X.m.j.g...m.G...m.G..^.m.U...u.m.\.l..m.G....m.G...].m.G...].m.Rich\.m.........................PE..L.....a`..................#..j................$...@..................................r9...@.................................mP9......... .............9..1...Q9...............................................................*.@................... . ............................@....rsrc... ...........................@....idata .....P9.....................@... ..3..`9.....................@...pnesegkq......m..v..................@...oygmmjtk..............9.............@...................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe.hmac

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	data
Category:	dropped
Size (bytes):	672
Entropy (8bit):	4.672233574763069
Encrypted:	false
SSDEEP:	12:RySz+pfWbE3vzHhRJvOtMXANRje+/5citKbpoOD:RRz+UA/zhrNok+/5cygD
MD5:	DE51797AF35A128C8940AAD40145A618
SHA1:	7D3485094229D1C59EE197155D2A4385CC6EB40E
SHA-256:	9BD72884A38E549844A7BC3638CFDD01B527F29E2F9606640BDC7738B08FA1CD
SHA-512:	C282D1F235BF3A7E49296CE0E6A9FAFE6E75038A195F289F7553FAB67F85084C8379FE91DD9FCB181F7A4FD8FC0F4C9B282C86970FFAC016697CDA6C4E732668
Malicious:	true
Preview:	CertManager.dll.................................................#...i.Vg...p..U..8,...}I3Dp-dDSCToolkitV30-v3.4.2.20.dll.........................................<g~.7..o..5.=..)T...{...n..libeay32.dll.....................................................1T.m.H..k..M.P.{Q...m.O.44n...MagicCrypto32V21.dll............................................g./......7..n......>{...,.#".mlnp_dreamsecurity_com.ca-bundle.................................M.....D..MQ.$..2..N.V...(.;"BDnsldap32v50.dll..................................................f..k. -)........w..#.c...usF..ssleay32.dll....................................................y$....\|.-..!...X.&........s.7..

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2248000
Entropy (8bit):	7.97136682862046
Encrypted:	false
SSDEEP:	49152:teJyTwKxc7z3PbtZgzylPby5mMin4/OpeXkZ6PvArWx:1TwKxc7zghin4MeXGKvKo
MD5:	877F2A6FC5DA85AA4C9B38943EF21EAE
SHA1:	6E1203D2580BD713486C5964EF5D5FC1A0D82EA8
SHA-256:	394B85EC47B7B0850123F4AFC3F4B9165FC217D460396570A4218860A59DB1C7
SHA-512:	C194BA525BA799A46A0CEFD3F97837A69EBD9ED721216D7B3232AE935482ABA7CC6FCCBCA3B3681A3401CECC6E59B530767E5A40E03232780B24E3682E575847
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../.;.N.h.N.h.N.h.6uh.N.h.6rh.N.h.6bh.N.h.N.h.M.h..oh.N.h..[hXN.h..ZhqO.h..^h.N.h..kh.N.h..lh.N.hRich.N.h................PE..L......[.................F............[......`....@...........................[......E#...@.................................mP.......@.. ............"".@+...Q...................................................................................... . .0.......R..................@....rsrc... ....@.......b..............@....idata .....P.......j..............@... .`-..`.......l..............@...yqheebrs......C......n..............@...intuqfii......[...... ".............@...........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX_Uninstall.exe

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	113488
Entropy (8bit):	7.309041383350943
Encrypted:	false
SSDEEP:	3072:OYrClLswbDkrcFB2eRSRrU8rUHxZK3mJOEn:O7e8BJAReHxZzf
MD5:	FF7A0CD86224BD3377DCCA90BE31E49C
SHA1:	B0D93175734602FB949AC65274808F2324B91A81
SHA-256:	A548578BFC5F319FF06783CBC85FE0B570C6A0CDF7D5A92BAA18BEBF73656C8A
SHA-512:	E2D467DE79CCCA5FE13371EC49055EC172C36E415C178C3F17FFA3843BE7E4327792D43383FCAEBED801C8D721D9033BFC0D2F6D84AD5F3BA745A2769404956D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F..v...F...@...F.Rich..F.........................PE..L...)..\.................d...\|.......2............@.......................... ...........@.................................<............^..........x4...2...........................................................................................text....b.......d.................. ..`.rdata..\............h..............@..@.data....U...........\|..............@....ndata...................................rsrc....^.......`..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefox.vbs

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1914
Entropy (8bit):	5.326209801205218
Encrypted:	false
SSDEEP:	48:/PWD2NxaThHqhyZQ+PLcp6JtVd7Tmv7p2Cd7Tmv7z2rF:npNxa9GyZQW4p6J9GLGm
MD5:	997D89CB7909F9CDDE3EBC58447C2464
SHA1:	F67AB8F0EFD121DB14A044B3F769B8AC2A57D5D4
SHA-256:	0A6F5BE178DE8F7D31189A225E2485B3BDBAF81DA9459DAAD2A60F2DD0A519D6
SHA-512:	4DC6537834026E2D41150E8EAB9C782E6884098966E306BEB3516EB631BC5FE2D7D5527B7C547E8A1AD0B8FF0609B5CBBF3A15C5CE3CD86AFCCDFBB7B078027D
Malicious:	false
Preview:	Set WshShell = WScript.CreateObject("WScript.Shell")..Set objFSO = CreateObject("Scripting.FileSystemObject")..set objFDB = CreateObject("Scripting.FileSystemObject")....'strTempDir..= WshShell.ExpandEnvironmentStrings("%TEMP%")..argCnt...= WScript.arguments.count..strAppDataPath..= WshShell.ExpandEnvironmentStrings("%APPDATA%")..strFirefoxProfiles.= strAppDataPath & "\Mozilla\Firefox\Profiles"..returnvalue...= 0....If True Then...Set arrFirefoxProfileList = objFSO.GetFolder(strFirefoxProfiles).SubFolders....Set colEnvironment = WshShell.Environment("PROCESS").....If argCnt = 0 Then....PROGRAM_NAME = "NTSMagicLineNP"...Else....PROGRAM_NAME = WScript.arguments.item(0)...End If......If colEnvironment("ProgramFiles(x86)") <> "" Then 'This is a 64-Bit OS....strProgramFilesPath = WshShell.ExpandEnvironmentStrings("%PROGRAMFILES(x86)%") & "\DreamSecurity\" & PROGRAM_NAME & "\cert"...Else 'This is a 32-Bit OS....strProgramFilesPath = WshShell.ExpandEnvironmentStrings("%PROGRAMFILES%") & "\Dr

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefoxCheck.vbs

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1950
Entropy (8bit):	5.353287754194917
Encrypted:	false
SSDEEP:	48:/PL+2N0aThHqhyZQ+PLa6V4M+I2Zd7F+C2Zd7+hT/a:nHN0a9GyZQWO6Vf0hG+G
MD5:	96803C61C0B45F574CF225C10C0E3069
SHA1:	15CB7346DE2FDED35346EF25AA0456D108AB5717
SHA-256:	EBB7A05C206CA5DA39AF2D5417BDB9DDF2A28979CA087B694BDFAB7696A30F25
SHA-512:	50A2FB79A8FF79D2965DFA22A51A63DA52F29B8FCC370EBF3204DC45BF245B6786CCE28BA9A4628BFEC5F64F3D65B4CC73463FB588807FDA8A2A753F67CAA60B
Malicious:	false
Preview:	Set WshShell = WScript.CreateObject("WScript.Shell")..Set objFSO = CreateObject("Scripting.FileSystemObject")..set objFDB = CreateObject("Scripting.FileSystemObject")....'strTempDir...= WshShell.ExpandEnvironmentStrings("%TEMP%")..argCnt....= WScript.arguments.count..strAppDataPath..= WshShell.ExpandEnvironmentStrings("%APPDATA%")..strFirefoxProfiles.= strAppDataPath & "\Mozilla\Firefox\Profiles"..returnvalue...= 0....If True Then....Set arrFirefoxProfileList = objFSO.GetFolder(strFirefoxProfiles).SubFolders....Set colEnvironment = WshShell.Environment("PROCESS").....If argCnt = 0 Then....PROGRAM_NAME = "NTSMagicLineNP"...Else....PROGRAM_NAME = WScript.arguments.item(0)...End If......If colEnvironment("ProgramFiles(x86)") <> "" Then 'This is a 64-Bit OS....strProgramFilesPath = WshShell.ExpandEnvironmentStrings("%PROGRAMFILES(x86)%") & "\DreamSecurity\" & PROGRAM_NAME & "\cert"...Else 'This is a 32-Bit OS....strProgramFilesPath = WshShell.ExpandEnvironmentStrings("%PROGRAMFILES%") & "

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	5.742953949499809
Encrypted:	false
SSDEEP:	1536:fx4kDjGubbXp3aFHPCzsYw+WXsA9iYzvbAA:J4Ybbb5qNPCzst+WXso
MD5:	3A73031809C7DC0BB9BCE2F366345101
SHA1:	7A2EA88417AD67802452520B687CD1D96A7824AB
SHA-256:	F4F2C1A51FC782C6832C63ACA06107E81B422624967D2F7616C52F394D1D756B
SHA-512:	22300970A4CA9F867FB7ADA00FECA8A938F16AE78C50DF478A7ACAE7C781154CBE1A3E7D358F00EB463744C042C02F3F47939E0CEC8852C46F337F2FBA366E49
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.\...2...2...2. !O...2. !_.@.2. !I...2...3..2. !\...2. !L...2. !N...2. !J...2.Rich..2.........PE..L......F.....................................................................0......<.....@...... ..........................4............W................... ..........................................@............................................text............................... ..`.data...............................@....rsrc....W.......X..................@..@.reloc..H.... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	229888
Entropy (8bit):	6.611891540134469
Encrypted:	false
SSDEEP:	3072:zM7h4dJk1xxwzuN/9f0SGh3dES/TyM5ToEm+sstcFfftLBdQqaMeOcQ9yNq0Xxd:gadq1bAtEgt5ToEm+ZKBdQqVegWxd
MD5:	F2F7AA96E4E4BFCB04643ECADEDB3A14
SHA1:	AF3301AFCB700AA1657812F03FBEFE18D82C8A5E
SHA-256:	EF135DC45A68722719FFF1D8F2CE061780D0D91EA01801152C60222C795248EA
SHA-512:	68FC1FFC4B5AA3D29DA8D1B8C4A0543DB128CFEE0E5CD3C798C37DE7C4711EA2537D31C609548A9CEAD43F71CE9EBFC591444AD65D82D43654C14C9E4D291053
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........o.............l......l..x...l......l........K.....8l......8l......8l......m.............m......*m......Rich....................PE..L....(Z.................6...f...............P....@.......................................@.................................$B..................................D%...9...............................9..@............P...............................text...d4.......6.................. ..`.rdata.......P.......:..............@..@.data....+...p.......N..............@....reloc..D%.......&...\..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	Certificate, Version=3 Certificate, Version=01
Category:	dropped
Size (bytes):	872
Entropy (8bit):	7.401048604480852
Encrypted:	false
SSDEEP:	12:4wlw+31lw+o7HblEsSI9x7qq+qU1jRMhPZYfXGxokJ0OtpuodhB6Y81U:POGOf7HbiE9xuqVqRMhBg2xbNV/8K
MD5:	A08FA0A2A07CD45108D83F1E1E5396F6
SHA1:	0BAFEC00CC085C92F94FD1F2DECA2374C72EFFDA
SHA-256:	21D87B0EAA08925FC728CAF929A10A4C86602008204CCC7CE0760F70CB37792B
SHA-512:	F7343E1E80FD3595BCA7A3354E1D8DBC07B587BA18DE7A8CE093567F1D66D5D547BEC3143AE5ECA4904B6C289E895B6D09E96E6312107418E636007FED2EAE76
Malicious:	false
Preview:	0..d0..L........0....H........0J1.0...U....KR1.0...U....Dreamsecurity Inc.1.0...U....Dreamsecurity ROOT CA0...150903041134Z..350829041134Z0J1.0...U....KR1.0...U....Dreamsecurity Inc.1.0...U....Dreamsecurity ROOT CA0.."0....H.............0...........'...j.`-vlK.a.F...j.oh...b........c).8...w..u.V{....7...._v......G...5.~.y.A......u.on53.V@T..~.W..J...y{.B..XO%.....J.#.Q...)..:.$.(.".v ......lq...R6.^...aD.R.?a..m..4a...SRNc.E...7t........g..6d.n..+r ..f'.0..6..<wr.z...neQ).._..eO..@.Co.w.)......U0S0...U.......0.......0...U........T.......#'..'0W..0...U........0...`.H...B........0....H.............{..Mu..x......pk.x....k#L.C..Vz0n..jQ..[[.ET=.R#c.[.b..Tf*.-#.;..:...Y..$.z...Mb...d..l...Rl.....n.....R9L...."g}..Q..C.ukL.W'..WIa0.$.1e$m.6.\.i....bsV.,fRy...g.C.,.D..6..F..4.[ .T....U0.....}.%.U...&UMe.R..28..fz..a#N...+./Q....!y.CI..:..T

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity.com.der

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	Certificate, Version=3, Serial=009e5343085f93b442, not-valid-before=2015-09-03 04:11:52 GMT, not-valid-after=2035-08-28 04:11:52 GMT
Category:	dropped
Size (bytes):	938
Entropy (8bit):	7.40395992192347
Encrypted:	false
SSDEEP:	24:OOaixM7nuHuXGu2vbY3WsfJgWzS21FvFX3WKUIZl:OOaieuSGzzYtJg6hxXvZl
MD5:	F1A2A050DB09D9BF775679DAF9930AC1
SHA1:	848E448BE4011A9D4190C573C6368887EA96A079
SHA-256:	91EC941FF2DF1A0B67D740FBBBE22315CA32AEC307DA3E01145B0874281EDD57
SHA-512:	E6BDBC8AD62D258B1044D890716D2541BB35F0C475B361BBCCF660BA127182683EC28D32D5673E751C1A29BEC1E0FBBEF795B514B366416FFC49B2EBF6C7E0CF
Malicious:	false
Preview:	0...0............SC._..B0....H........0J1.0...U....KR1.0...U....Dreamsecurity Inc.1.0...U....Dreamsecurity ROOT CA0...150903041152Z..350828041152Z0B1.0...U....KR1.0...U....Dreamsecurity Inc.1.0...U....Dreamsecurity0.."0....H.............0.............cZ..&C69-.m..Dp.).....7q........U."........>...8...@_..'..&..S.?&.. ...Q=.4i%)I.......wr....[.Fp.j.{],`8.E.....0.......u..d.\|.......XY..[..B..._.Q..-]L........@.....i.......$..^S.jB.}.2..]....2.u.3:..b'l.....X:.i...QL...f......Q.'n..?.u4.q........0..0...U....0.0...U.#..0.....T.......#'..'0W..0...U......&..'..<.W.........0...U........0...U.%..0...+.........+.......0...U....0.........127.0.0.10...*.H.............S.a.X.h......_(.?.,.Wd..u.._.....K)(;.f_...F.y.wg.N4.<y...f...I......8H.g..#...........G}./v....-...:j..`/?...1q."d...-.....D#5......B..).k8.w....X...>..^(A...U.L..$..2./5...mhWew...z......z...L.....hP...c%.Q..........).X..`...~.Q.8..V...R..W.

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\freebl3.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	439808
Entropy (8bit):	6.681949216771567
Encrypted:	false
SSDEEP:	12288:QV8k/oRusrVm+iDQSCuyTjlBOPV6xc8mBFqn6YIdM:QV8k/oRusrVmPQSCuy9k96rm/+6YQ
MD5:	9C21B6BF003EC6A4BB2FEF9653EA41A0
SHA1:	BA659628536F34C473737DEFABCB56E42BF1998F
SHA-256:	4EEC36D81784F54DBB8B42C950F525369538C41C577AEE9F6D55BF4CE31DDD1A
SHA-512:	ABA87BB59DCED172B38B09D6C2CC4E0E3C3ABFDE3E5B726F0386AE4402FC205338D6CB1283557641CFB0320B2130F4F8B1B0566E918C6FCF83E62278D18767D8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u@.......................}..........`*......'......'......'..............5...............5.......5.......5.......5.......5.......Rich............PE..L...4.(Z...........!.........................0...............................0............@............................P... ...d.......(........................&...z...............................{..@............0...............................text...K........................... ..`.rdata..`\...0...^... ..............@..@.data...\|W...........~..............@....rsrc...(...........................@..@.reloc...&.......(..................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libnspr4.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	208896
Entropy (8bit):	6.315024247746642
Encrypted:	false
SSDEEP:	3072:AtiZp9HzAEvs0thsMy0jHWkN+IsQ5kPGd+pEbqxvh50SyvHerJu8g:sGp9HMEvsqsQHBsQ5kPGd+pEevVyv8
MD5:	7957E822B5E67AFE2CB64E1FBFC923DB
SHA1:	49E065F2EBC213C445E8C637B32F101674CA4DC8
SHA-256:	480C54ABD5C555520EE38069D9233B1C2739286471376A56EE66BD756A37FDE2
SHA-512:	ED44CC693175C01E1D1A7B856CA800E3CD641A3F434FFECD1532324111AA55010601C1AA92CE069133C012D6E89D5B99BD9526283DA9B972B53F788A820E63BB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m.....................r.........................3................6........,......Rich....................PE..L.....?...........!.....P...........Q.......`.....0.........................@......................................P....*......d....................................................................................`...............................text...0B.......P.................. ..`.rdata..Xl...`...p...`..............@..@.data...H...........................@....tls................................@....rsrc...............................@..@.reloc..<#.......0..................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libplc4.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	3.0109391012881868
Encrypted:	false
SSDEEP:	192:aIc4fylGikcNlsIvBnmAq+yB2Y1NjqPCSfi4Yg8utInnnqCv/qWARuPsBQVhmmTa:aIc4fyPqivyjOBdqAyOkdWVHg
MD5:	C3700234160AEEA85BE0BE637744F8A1
SHA1:	27B86964B29FFB287180CC2875E4467E7B092084
SHA-256:	B6A12653B2B8024F64BC581E67DC10A469EDCFDABDAD3DA405EF7B709EB34805
SHA-512:	2FF671C0633F78D3E6736BCC445B72DE1D81A74DBAE29673F4C88D57485FF3A0F2DE2A60A137113091A55FECA7C5DD1FA7816B0D630FE5F5FBD0AF70667DA4E0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........E.H@$n.@$n.@$n.";}.B$n...d.E$n...j.B$n.@$o.O$n...d.O$n.."h.A$n...j.D$n.Rich@$n.........PE..L......?...........!..... ...@.......!.......0.....0.........................p......................................P;.......9..P....P.......................`..L....................................................0..@............................text............ .................. ..`.rdata.......0.......0..............@..@.data........@.......@..............@....rsrc........P.......P..............@..@.reloc.......`.......`..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libplds4.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	2.0057865234443777
Encrypted:	false
SSDEEP:	96:ryDKJp9bk/uFBUcmOHeV6Yqebl6swLmwi2gGh0Gl10y6ynrJ3K1SxMRN3L6Cfw5Z:MKJp9bLF6cqSE1wi2gGGGES9aYyFfm
MD5:	A4F672B53C53E322D8F474E7980F432E
SHA1:	5359B8AC02D98801EDC6C2EB46E223C39CE42EE3
SHA-256:	6B8D5ECD92B9705D54AD48C873226991DE558E57C36EFFEEFBEA63E006AAE75F
SHA-512:	B25D18403A586B03588DDC6B283B09BD431C71D3CB548D4FE59628AB3431FEF7C7C2364EE05BF1E3983379F11E7C442F21BDCDC6DF191C4F08379BA15A10CC43
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w..Y3...3...3...Q...1...n...6...n...1...3...<...l...0.......2......7...Rich3...................PE..L.....?...........!.........@......[........ .....0.........................`......................................`"....... ..P....@.......................P....................................................... ..@............................text............................... ..`.rdata..F.... ....... ..............@..@.data........0.......0..............@....rsrc........@.......@..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nspr4.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	303104
Entropy (8bit):	6.707765425314588
Encrypted:	false
SSDEEP:	6144:OKdQbWj9r770zkaHqL70knUFXmtqp0rV1JUQGoTfes6BDOqNOeYmq3NUd4yNe0RO:OKZjB770zkaHqL70lXmIp0rTeQTfes6Y
MD5:	3FF140D165BD04E982507188B9EA6548
SHA1:	E38689A283058FD9ABEE7DC8EE75C395FB8CF6CE
SHA-256:	FE3219A6ECA4B3174F48E0C9CE19F5551AEF9CE400030027DA4BA41E1590B01E
SHA-512:	81D9FFCC739D7CDC3EE06166C4BB8CCABAD8066F1EADB4559A648EB6AB07545987B53550D66488D830167D92716A6A15A637F043410490C4111D793F17A3002E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#@..M...M...M...N...M...H...M...I...M.9;....M.~.N...M.~.H...M.~.I...M...L...M...L...M.l.I..M.l.M...M.l.....M.l.O...M.Rich..M.........PE..L.....(Z...........!.........,............................................................@.........................@:..p,...f..d...............................\|)..`1...............................1..@............................................text............................... ..`.rdata..............................@..@.data....'...........b..............@....rsrc................r..............@..@.reloc..\|).......*...v..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nss3.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	923136
Entropy (8bit):	6.430099287410278
Encrypted:	false
SSDEEP:	24576:n4ilYX8Z3So4mvYVlBVm5AJISxqW3Ay8Pzjcv1pIfolk9exu5f5il4MSd:n6XWi3f8iSMS
MD5:	C8416ECD8A84F3C68A595089B8848164
SHA1:	EED45CC1943ECB3D74D020FB7E7C9CE850A80758
SHA-256:	7F9C41EFF50B7D6B0C8CC7ADE5CE746A9D3BFCEAF3290B852E1A1D90A9E7CA8E
SHA-512:	15B184438639ABA989C604E735AC06B7774C6ED7FB438049E179B5CCB97BD733EDBE810E24210174A4DAB9C8784E0F77B8E2D8EB3C452D7FFD6FF902D0F6C6D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v$.*2E.y2E.y2E.yA'.x9E.yA'.x.E.yA'.x E.yA'.x0E.y.'.x!E.y.'.x$E.y.'.x=E.y.&.x;E.y2E.y_D.y.&.x.E.y.&.x3E.y.&by3E.y.&.x3E.yRich2E.y........................PE..L.....(Z...........!................N........................................`............@..............................i......x................................`..P...............................p...@...............D............................text...e........................... ..`.rdata..^...........................@..@.data...L(..........................@....rsrc...............................@..@.reloc...`.......b..................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nssdbm3.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	186880
Entropy (8bit):	6.535151118637971
Encrypted:	false
SSDEEP:	3072:hUQPC/6de8P03tNjwfYmfIsSXiVsfH6tykzBROgLxbS7W6b4ad/k3iF5jpT6q1+:EDk9J/VzB8Mxb64N+p1
MD5:	9B8489053EA8FE2C5B4734A611B9AFB8
SHA1:	4A42F573DE61BB137108CE8A1ECB22EFE7F7560F
SHA-256:	7C3CF9B202AE31E10AD6B518DC1BE92E91D28D9D3D4844B38579231C5657E402
SHA-512:	659679443294A7F645B8AA0BF2479C260CDE4C9F04AEA4BFDA3962AD2849CE35E4B03DFA8F1834EFA9D5E038C3A9AE473AA6E503CB68A5024242E17A84895B25
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......R^#..?M..?M..?M.e]N..?M.e]H.?M.e]I..?M.e]L..?M......?M..]N..?M..]H..?M..]I..?M..\L..?M..?L.?M..\I..?M..\M..?M..\...?M..\O..?M.Rich.?M.........................PE..L...H.(Z...........!.....>...........^.......P............................... ............@.....................................d.......0..............................................................@............P...............................text...{=.......>.................. ..`.rdata...q...P...r...B..............@..@.data...............................@....rsrc...0...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nssutil3.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	232448
Entropy (8bit):	6.627306316810938
Encrypted:	false
SSDEEP:	3072:ly4s8phG+fU/xQib2BSOLBp0BC2NdfdsQKXsDpPn1n9I2XCIAdM3DKaRQF84W0cR:LByVEAaQUsDpNeCCIAdM39nbbB
MD5:	F59DDE4ECA1BE70BBFEAB54D65AD7FC6
SHA1:	76A025AC6DFB0F9CC3A7A503AED639FA6665AC25
SHA-256:	72B2DAFCBBD37A3E5BB9DE44A33B599ACD4212791606DADA0826C51153557194
SHA-512:	25BF2F5AFF9CA798C862CBD37DBBE755E74572B7D6A0A798FEF37883039E1BDEC92D28718149D9FC30698F73B7070A93C30488951AFB382973F3F83FFC8013C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................... ............#I.....d.....d.....d.....v........,..v.....v.....v.5....v.....Rich...........................PE..L...".(Z...........!.....(...r...............@............................................@.........................PE..8....a..d................................ ..p<...............................<..@............@...............................text....&.......(.................. ..`.rdata..r-...@.......,..............@..@.data........p.......Z..............@....rsrc................f..............@..@.reloc... ......."...j..............@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\plc4.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	79360
Entropy (8bit):	6.3223897273437055
Encrypted:	false
SSDEEP:	1536:YcuYn8RSX8p+2ZcoN5MPGuFX6CEIzksuy4esWFcdApuqwj/:NuYnM+2Z35/uAC/kjy6Apuqwj/
MD5:	0D3B00FD0975F6483C7A09EA7E5B9909
SHA1:	E73EB17710D848EAD606709F1FF4081D3665A67D
SHA-256:	16EFAD50FACA6E70F1FF85EB6E137C2878615CE252A2F8A20CBE6C8AE622808D
SHA-512:	D155815C23BEFF221B558311B3D6458299262102532DE90D9EA3C96600F069228D5AFF54292710087D0AE0B848B1F1E96F2F0A64B6CB94949620C46D9DC982E9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9#.m}B@>}B@>}B@>. C?wB@>. E?.B@>. D?oB@>. A?.B@>. C?oB@>. E?kB@>. D?rB@>.!A?~B@>}BA>&B@>.!D?sB@>.!@?\|B@>.!.>\|B@>.!B?\|B@>Rich}B@>........PE..L.....(Z...........!................D&.......................................p............@..........................".......&..<....P.......................`..........................................@...............,............................text...D........................... ..`.rdata..<].......^..................@..@.data........0......................@....rsrc........P......."..............@..@.reloc.......`.......&..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\plds4.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	75264
Entropy (8bit):	6.290034334738998
Encrypted:	false
SSDEEP:	1536:y1Wz50SpLgo1G0WgIv2BiEsunsWNcdgcTI1ruYE:dz5Jgo1GsIajugcTI1ru5
MD5:	93ED2BA3FD74B01F61C3B661FEAC39A8
SHA1:	5AB890E01062FF28B0D24A3C7B539981A6F2C3E4
SHA-256:	F97CF1219F31772EBD45F3CE48178558505AB82E307DB53E0965A6FB83C1D682
SHA-512:	F3C24B2FD37F95546C9FCAC3A0F7271BFCCB56B6779BCA3A68A9BD1E1CDFDBEA5A462D4B70A49AB81353B0319DFBFC1E5D46EFC6368DE0AF4BE4A54FFCE71027
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J9...X...X...X..}:...X..}:..pX..}:...X..}:...X...:...X...:...X...:...X...;...X...X..[X...;...X...;...X...;G..X...;...X..Rich.X..........PE..L.....(Z...........!................`........................................`............@.........................0...,...\...<....@.......................P......P...............................p...@............................................text...7........................... ..`.rdata...Z.......\..................@..@.data........ ......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\smime3.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	166400
Entropy (8bit):	6.364018629902664
Encrypted:	false
SSDEEP:	3072:NHhFdhM3PSqAHTRaeY3QtUMdJuRqPLCosqGn9ZOh/Rj7cgjv2nN5zisYXPh:NHhFdGPYlaeY3QtUMdJuRSGnnAVc+
MD5:	805B305A873C907396B0B61ABB79F69A
SHA1:	B4C4D4D39A9AADBE4E85789C1FF759E9C1FFF079
SHA-256:	BAE860C5DC9C643078D8CC094BA26F3A08AB1EF1FB248C9C3C18BCCCA14B8B08
SHA-512:	AF5BE4BF5D80B3963CC999C3CE8425502220A577856B56CA5B0F0AB13AA17BE692573DDEDF19BD7D0F3C6E55607285B7642FF2C800BAB898E097457162DB2F24
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../../../.M../.M./.M../.M.././M.././M.././M../.=L../../....=L../.=L../.=L.../.=L../.Rich./.........PE..L.....(Z...........!................l,....................................................@..........................=.......W.......................................6...............................7..@...............<............................text...7........................... ..`.rdata..............................@..@.data................f..............@....rsrc................p..............@..@.reloc...............t..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\softokn3.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	252928
Entropy (8bit):	6.516573394162405
Encrypted:	false
SSDEEP:	3072:PO8tU83xAI1/YWpkfzxiqJcrS6pMyOVY5oSww02tgSiyXXLpTzg/ba/gCgHBhib9:PO8tUGB1AhfE95cw0KfiEXNns0R
MD5:	082EBA66B0047184E1DABC19B6B4D601
SHA1:	F1E52B03D5BE0B5D56DBAC1707E1A90F8775944A
SHA-256:	889C04ADB3085A7DFBC31013965E83EAC6DA933337E8AEDA371E6198717D2558
SHA-512:	23BA25527B259EAAF4EE2EE66DCEF82330A0D386608D8126E9D307D71DB3BC4F9B615946DFC398E6A6FDE3C267D18DE4FF4289D0D99E755D8D3B3158EF7E9CE0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............e...e...e...f...e...`.W.e...a...e...d...e.KM....e...f...e...`...e...a...e...d...e...d...e...a...e...e...e.......e...g...e.Rich..e.................PE..L...D.(Z...........!.................&....................................... ............@.........................`...................0........................$......................................@............................................text...{........................... ..`.rdata.............................@..@.data...............................@....rsrc...0...........................@..@.reloc...$.......&..................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	603136
Entropy (8bit):	6.672922368408147
Encrypted:	false
SSDEEP:	12288:6JBr6WT5WNUNqZHZzlJS5toxgm7Xp2wXk/krKXa8l1zz5B7pusKLcnP/xVJ:67tT5WO0JJSc6UIwXk/YKXa8l1zFZpuU
MD5:	C7DFBD9ACBE88781CCC963D1A927EAD0
SHA1:	65A9F80FD2BAE228D8E95192D0C6C38ACBE0BA36
SHA-256:	95D4A37B7A5F60EB57C4F0D81E15AA4FD08FF0C4CE2D8E96BA2485B76EB869B7
SHA-512:	CAE8E0238B8766068E221DD4B02F2CEF444AA61F25D1F76ACFF32A0DB15A8D160AD3C396B79D4220468A32309B5E0D1994DEBC993AB601E5F519C022E8A418F5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W.(.6.{.6.{.6.{.T.z.6.{.T.zQ6.{.T.z.6.{.T.z.6.{.6.{^6.{.T.z.6.{.T.z.6.{.T.z.6.{.U.z.6.{.U.z.6.{.U.z.6.{Rich.6.{........PE..L...:.(Z...........!.........d......O........................................p............@.........................@...........(............................ ..,@.................................. ...@............................................text............................... ..`.rdata..............................@..@.data...x(..........................@....reloc..,@... ...B..................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\httptx.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	6.123033849062735
Encrypted:	false
SSDEEP:	768:QXVqg6kighctswggAZYDPFa/5yTx6Lh6H5zO35ZQ1kzhCVotBvn2OED3yZQ0Wwmk:QQYSRA2Puid5C3ik160xf1mVZ
MD5:	BEC8140C288DBE32C62B87E7560F2C0D
SHA1:	7496F93318F1597F69C28B3EA1247CFDB453A6C2
SHA-256:	ED59FB7F2310FCF40C8C832F8C0505F64741BD41B68EF6C587D13169E7D585C9
SHA-512:	F21ED4975A0BF8172A16A223AECB2F97F48276776F5240A86FFE4899AD489193E8E9D575D7813F34A82D6AAD01474E36818B0568333D48A1A2C9C98E719B44E0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................w......w7..................w6.....w......w......w.....Rich...................PE..L......V...........!.........b.......=.......................................P.......W.............................. ...s...<...P.... ..D....................0..........................................@...............X............................text.............................. ..`.rdata...5.......6..................@..@.data....-..........................@....rsrc...D.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\libeay32.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1212472
Entropy (8bit):	6.761065177668376
Encrypted:	false
SSDEEP:	24576:kG+C8D62e/Jcn0F8+j3UjMEWXmrZopoWArxEIgQc:p+C8+KMEWXmlopoFrxEIgQc
MD5:	1AE9574B7717DB35DEEF74DFECA80FB4
SHA1:	FDCE40C2386B9CC3FEC4E65F0471EE2FB2FCC6FB
SHA-256:	0F3154AE6DD4489BA16B81914D0F50F67B51B9F3B4C86DB84F8C34346E1A1BD4
SHA-512:	B8F8ACB958E4C826304D6547C2143861CD68E8FD9CF16DF42DA9F492B9FAC22B5BE12BFBEFF43850753885C759416B210B68C7948DF0B3B62A220B0A8A2DE4C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........{...(...(...(...(...(...(...(..(...(y..(..()..(...(y..(...(Rich...(........PE..L....cX...........!................s........ ..........................................................................a...............@............................"............................................... ...............................text............................... ..`.rdata..!:... ...@... ..............@..@.data...x~...`...`...`..............@....rsrc...@...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\mlnp_dreamsecurity_com.ca-bundle

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PEM certificate
Category:	dropped
Size (bytes):	2606
Entropy (8bit):	5.9557459815042035
Encrypted:	false
SSDEEP:	48:LrHNcPhfWbfPMPUqxP7jrUI44lBBvE5wfpsAfiIZHiMO1Z3GLkQLelgrm4j:LrtcPh2fPAxP73P4+7vkwfpsAfiIJdk0
MD5:	859A0BB10E5565275DC1DFEC02D621D8
SHA1:	ADB398E1ACFB3A9867D6F8AC6ACF13FFB64EB51F
SHA-256:	174D1EF3C586A6054418A74D511424ABA132108C4EA656890DAA28E53B224244
SHA-512:	C5CF2880EBAFDB56BBC8A0ED6BA7EFDEFE427B6545E832143653E080C6625C376A4712AFE718761450C5FED8CF6B5699928BE7D7A4801A1B24FADB01BEA6402A
Malicious:	false
Preview:	-----BEGIN CERTIFICATE-----..MIIDpjCCAo6gAwIBAgIJAJ5TQwhfk7RCMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV..BAYTAktSMRswGQYDVQQKExJEcmVhbXNlY3VyaXR5IEluYy4xHjAcBgNVBAMTFURy..ZWFtc2VjdXJpdHkgUk9PVCBDQTAeFw0xNTA5MDMwNDExNTJaFw0zNTA4MjgwNDEx..NTJaMEIxCzAJBgNVBAYTAktSMRswGQYDVQQKExJEcmVhbXNlY3VyaXR5IEluYy4x..FjAUBgNVBAMTDURyZWFtc2VjdXJpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw..ggEKAoIBAQDW/Mf+o2Na3JjDJkM2OS25bR/ZRHDTKcbiztrKhjdxvqTR+/DIyelV..oCKm4gSGpxSkqj77yemeOPECukBfu/Qn8fkm4AFTuj8mFJAgloGEUT2iNGklKUmt..nhjkwpwV+Xdy7AUb11vvRnAeaoF7XSxgOJdFGa4Ptgwwsf1/y+nL4Zh1ygxkHnwX..v8OHGY77nFhZHo5bhdNCky7Zql8TUQDxLV1MwfTz5Qnw5uSJQOcLA8jtaRyh/wYZ..3fAksNVeU9lqQtN9+zLrGl2AqKX0MgV16jM6HJJiJ2yu8rCgBhD9WDrDaRED1FFM..zZ8HvGaqogGw3BpRCCdur8g/hXU00KlxAgMBAAGjgZYwgZMwCQYDVR0TBAIwADAf..BgNVHSMEGDAWgBQBylQfrKfb0/6vIyfFr5EnMFfh1TAdBgNVHQ4EFgQUJu39J6PT..sTz5V9+Dy/0FDBaNr7gwCwYDVR0PBAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMB..BggrBgEFBQcDAjAaBgNVHREEEzARhwR/AAABggkxMjcuMC4wLjEwDQYJKoZIhvcN..AQELBQADggEBAFOnYc1YrGjTDIWJ/LlfKJ4/4qksqldkoPB

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\nsldap32v50.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	6.145526888679854
Encrypted:	false
SSDEEP:	1536:hA6M5YamTgHr5vf7ICr9b2wjn677s9wtjF4FD2boJDd5IloZhLNUbkI9Y2:h2YHT0r5n9jn6ns9mA40DACPNekI
MD5:	EC0F6B05F7321EE8C6B4D2C8DA487C67
SHA1:	48B2EB1AA2572F4B7ED5F3DE3E119FCB72F40D2E
SHA-256:	0A668E0E6B85202D298ED10C7F17BF07EC778EC323BC63E7DD89FB757346F71F
SHA-512:	D563E4C0CCD459DB004C0E5518C706C115CD966D5C4DDB0E1BD64582E69C53146B67DC7B71920521C3837398073DB4CB2D0EED577AEDCD556ADF3DB07AE35DAB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........6.ZlXIZlXIZlXI!pTIXlXI.pVI[lXIZlYIclXI8sKIYlXI.LRIdlXI.L\IYlXIRichZlXI........PE..L.....}<...........!.........p......!........................................0..........................................i%......<............................ .......................................................................................text.............................. ..`.rdata...=.......@..................@..@.data...............................@....reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\ssleay32.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	270392
Entropy (8bit):	6.143161891507789
Encrypted:	false
SSDEEP:	6144:bU2paW6Siqi1FoptSpbFkiaOCe/SVKCnzOXzVvx2yvlRli2Uz/+cg90LB/vnasWF:bU2paW6Siqi1FoptSpbFkiaFe/6KCzON
MD5:	A65286209067D71BB23BC1C889EF5C58
SHA1:	5999B6B5E2264ADF37D1A95113F77ECAE76D4953
SHA-256:	79248FC5F49C7CAF2D11D521F2098658C52602CC8DAD160FE8CBE7731D37E9DF
SHA-512:	7E38371A1EFF66A07D06DDE232226DA902E0E8769A57D37E1263C2B64237CE37565344BC866F0C33421586FDE2FFA630891D15057F980921CB14BB6FCF9FB005
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t.`.t.`.t.`...s.v.`...n.w.`.t.a...`...j.A.`..f.u.`...d.r.`.Richt.`.................PE..L.....cX...........!......... ............................................... ..........................................]$...x..P.......@.......................t ...................................................................................text............................... ..`.rdata.............................@..@.data....+.......0..................@....rsrc...@...........................@..@.reloc..*!.......0..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DreamSecurity\MagicLine4NX\logs\install-202211281523.log

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2583
Entropy (8bit):	5.751354769608515
Encrypted:	false
SSDEEP:	48:o/3IIyHqyH5u70yeOyeLZ1gstASOiKvnHGkAscxsjMsPAwqcAl7vk8PDs7SuQzuv:A3Qdm6qzvzgbBp
MD5:	7E708EFF7C0A054A8EBB6E603CCA379D
SHA1:	173692A4C4D1BEBDAE29F88032B75184F855F01D
SHA-256:	4103B7D2D092513579F6491F46D1B8C692801AC55AA98D7CD05EE55151EC2515
SHA-512:	3ACDDEA7C799CD0C37BD9B3A19A1AD212C8B95B789C559CD2E3899A7FEE7BFF9AAD9990797DBF182FEEEB0D3F539C5167DC4EFBA230BBB712162800EF7D73A56
Malicious:	false
Preview:	... .......... ....: 1.0.0.20......: NTSMagicLineNP.exe (nsProcess::KillProcess ...: 603)......: NTSMagicLineNP (nsProcess::KillProcess ...: 603)......: NTSMagicLineNP.exe (...: 0)......: MagicLine4NX.exe (KillProcDLL::KillProc ...: 603)......: MagicLine4NX.exe (nsProcess::KillProcess ...: 603)......: MagicLine4NX (nsProcess::KillProcess ...: 603)......: MagicLine4NX.exe (KillProcess ...: 0)......: MagicLine4NX.exe (...: 0)..... ....: C:\Program Files (x86)\DreamSecurity\MagicLine4NX...... ....: CertManager.dll... 100%...... ....: DSCToolkitV30-v3.4.2.20.dll... 100%...... ....: MagicCrypto32V21.dll... 100%...... ....: ENG.ini... 100%...... ....: httptx.dll... 100%...... ....: IssuerOid.conf... 100%...... ....: IssuerOid_Eng.conf... 100%...... ....: KOR.ini... 100%...... ....: mlnp_dreamsecurity_com.ca-bundle... 100%...... ....: nsldap32v50.dll... 100%...... ....: MagicLine4NX.exe... 100%...... ....: MagicLine4NX.exe.hmac... 100%...... ....: MagicLine4NXServices.exe... 100%...

C:\Users\user\AppData\Local\Temp\nst78C0.tmp\DumpLog.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	3.7325977608282273
Encrypted:	false
SSDEEP:	24:ev1GSVGHaOcnc7TanS+kKCMhTlGkUA4Q7HCg80iBR3SuAYYWjp5s0D5f0bz:qVGH6nc7T85qkU9uHg0iBRj/Dgz
MD5:	E9D269B0C3D13CFFC70E9FFD472B89B7
SHA1:	73D9BD6004B097916E1F579AD3F70E2342890667
SHA-256:	E61E0A458A0F1A57082697D8694511DEB1B33CF3E7287FB4487593246B8E108D
SHA-512:	DE90798EAB2C8052A3BFA38E61E479FC26B09BDCDC5D5DED0FA7AD5061251300F832ED5D8C958366376C44EBB42717BB7FFB12739169B60892CDC99B88C66ECE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u.t...t...t..\{F..t...t...t...xD..t...xG..t...xA..t..Rich.t..................PE..L.....JC...........!......................... ...............................P.......................................!..F.... ..<............................@..`.................................................... ..0............................text............................... ..`.rdata....... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nst78C0.tmp\KillProcDLL.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.083312243715674
Encrypted:	false
SSDEEP:	384:3rYz6grZodORNWATt4TBmlk5ooyzFh7BukAUdJoUtSOSR:3QggDWATWNCFh7BNddJoxO+
MD5:	83142EAC84475F4CA889C73F10D9C179
SHA1:	DBE43C0DE8EF881466BD74861B2E5B17598B5CE8
SHA-256:	AE2F1658656E554F37E6EAC896475A3862841A18FFC6FAD2754E2D3525770729
SHA-512:	1C66EAB21F0C9E0B99ECC3844516A6978F52E0C7F489405A427532ECBE78947C37DAC5B4C8B722CC8BC1EDFB74BA4824519D56099E587E754E5C668701E83BD1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b..^&..&..&..]..'...........5..D..%..&..c.....%.....'..Rich&..........................PE..L......>...........!.....@...@...............P...................................................................... Z..K....U..(....................................................................................P...............................text....?.......@.................. ..`.rdata..k....P.......P..............@..@.data...h....`.......`..............@....reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nst78C0.tmp\NsisUtil.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.830400532033853
Encrypted:	false
SSDEEP:	768:ck8a6Iq7MH5CI3IwEqTGbSAy23hJokG9YKiB9HPp57s/Z3lVcB:bX6IqwXTGeAN3oQfbgl+
MD5:	59541B9DA3C09F318A58BEF52C9FF131
SHA1:	149F47CAE21A25EF7D5FB6FBE7A517B45B51259E
SHA-256:	74A542EF3BBE0673453286DFEB335C1D7BDE4E601C932A3D0D04C85EB098BB47
SHA-512:	DDAE88B5F17B0247FE6E96CAA4AA93F1C20E18371FDB9E3390AF40EB0EFCF9589147E4D8EB74E2C5BF36AB7E3DD9F59E135C0069A2D631D348952D8F94DBCF2D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j.l..i...i...i...u..;i...O..si...a_.'i...i..{i...O..,i...o../i...I../i..Rich.i..........................PE..L....f.W...........!....................................................................................................\|...@...d...............................@....................................................... ............................text...vx.......................... ..`.rdata..,...........................@..@.data....J.......@..................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nst78C0.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.825582780706362
Encrypted:	false
SSDEEP:	192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4
MD5:	FBE295E5A1ACFBD0A6271898F885FE6A
SHA1:	D6D205922E61635472EFB13C2BB92C9AC6CB96DA
SHA-256:	A1390A78533C47E55CC364E97AF431117126D04A7FAED49390210EA3E89DD0E1
SHA-512:	2CB596971E504EAF1CE8E3F09719EBFB3F6234CEA5CA7B0D33EC7500832FF4B97EC2BBE15A1FBF7E6A5B02C59DB824092B9562CD8991F4D027FEAB6FD3177B06
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L....~.\...........!..... ...........(.......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text...O........ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nst78C0.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	4.997724806443559
Encrypted:	false
SSDEEP:	96:17GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNT3e:5XhHR0aTQN4gRHdMqJVgNa
MD5:	50BA20CAD29399E2DB9FA75A1324BD1D
SHA1:	3850634BB15A112623222972EF554C8D1ECA16F4
SHA-256:	E7B145ABC7C519E6BD91DC06B7B83D1E73735AC1AC37D30A7889840A6EED38FC
SHA-512:	893E053FCB0A2D3742E2B13B869941A3A485B2BDA3A92567F84190CB1BE170B67D20CC71C6A2CB92F4202140C8AFD9C40A358496947D709E0C4B68D43A368754
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L....~.\...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nst78C0.tmp\nsProcess.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	4.666004851298707
Encrypted:	false
SSDEEP:	48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
MD5:	FAA7F034B38E729A983965C04CC70FC1
SHA1:	DF8BDA55B498976EA47D25D8A77539B049DAB55E
SHA-256:	579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
SHA-512:	7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.I...I...I...n\|f.L...I...Q...@..K...@..H...@..H...RichI...........PE..L...`..N...........!......................... ...............................`.......................................#....... ..<....@.......................P..\|.................................................... ..`............................text............................... ..`.rdata....... ......................@..@.data... ....0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nst78C0.tmp\version.dll

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	7.558597682232844
Encrypted:	false
SSDEEP:	384:6Qx38r8QfiLpVjOXf4Rrd2IpZn8LI2EdGZ5D6PDo3rsyfyC8n:6Qx38r8Qgp1OvYd2zqGZ5D6PDmXf98
MD5:	FBE588B15EB1BD86DEFADE69F796B56F
SHA1:	2F63CF44039ADDDDB22C2C0497673B49E6B3AD7A
SHA-256:	31144E8B156FE87317073C48A09ABCB033FDA8DBDD96986C4ABEA8C00C00355F
SHA-512:	E1A9E29E4C62E77A2EC2C539344F0B5A8CD67CA3FD8DFEFB0B0666A992EB2FABADB0034D439C4ADBBDFFD9C9439F23EE5757FAC0ED669D3C9DB48F50C677143D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................P........................@.......................... ..................................................<...................................................................................................................UPX0....................................UPX1.....P.......N..................@....rsrc................R..............@..............................................................................................................................................................................................................................................................................................................................................................................3.09.UPX!....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MagicLine4NX\MagicLine4NX.lnk

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Mon Mar 29 10:06:58 2021, mtime=Mon Nov 28 13:22:36 2022, atime=Mon Mar 29 10:06:58 2021, length=3753952, window=hide
Category:	dropped
Size (bytes):	2262
Entropy (8bit):	3.590510959739067
Encrypted:	false
SSDEEP:	48:8FAHpdO5ANbcL8rscDdDmO3dDmJdDmOEacQDmOlCa0M5:82OnCnM
MD5:	1BDBF7EE074AEF8CDB3A42887BD8A386
SHA1:	893F3843E4D31374D8A29226887C071AF20A8287
SHA-256:	A44EBA83B29BFA8CD05A537F83371B54972A6749A769BB34A80D20BCE2BC84EE
SHA-512:	A1230BD3A23F444D56371AE85A2104ADAABF98E911B5E242650211D4ED65A8A8CCF12EDFB2FC6A4E1B7AC670237DF28E8BE3764E465D4270682200A919C7C4F6
Malicious:	false
Preview:	L..................F.@.. ........$......4........$...G9..........................P.O. .:i.....+00.../C:\.....................1.....\|U.r..PROGRA~2.........sN.&\|U.r....^...............V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....d.1.....\|U.r..DREAMS~1..L......\|U.r\|U.r....W`.......................D.r.e.a.m.S.e.c.u.r.i.t.y.....b.1.....\|U.r..MAGICL~1..J......\|U.r\|U.r....X`.....................V..M.a.g.i.c.L.i.n.e.4.N.X.....n.2..G9.}R.X .MAGICL~1.EXE..R......}R.X\|U.r....f`........................M.a.g.i.c.L.i.n.e.4.N.X...e.x.e.......q...............-.......p...........C........C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe..Z.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.D.r.e.a.m.S.e.c.u.r.i.t.y.\.M.a.g.i.c.L.i.n.e.4.N.X.\.M.a.g.i.c.L.i.n.e.4.N.X...e.x.e.6.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.D.r.e.a.m.S.e.c.u.r.i.t.y.\.M.a.g.i.c.L.i.n.e.4.N.X.\.c.e.r.t.B.C.:.\.P.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MagicLine4NX\Uninstall.lnk

Download File

Process:	C:\Users\user\Desktop\magicline4nx_setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Mon Nov 28 13:22:36 2022, mtime=Mon Nov 28 13:22:36 2022, atime=Mon Nov 28 13:22:36 2022, length=113488, window=hide
Category:	dropped
Size (bytes):	2312
Entropy (8bit):	3.6324388595560677
Encrypted:	false
SSDEEP:	48:86YHpdO5ANbhbdFscUdDmObmdDmJdDmOEacQDmOlaa0M5:8BvoxanM
MD5:	3DABE45E330BE7131D5B51BAB21BF29F
SHA1:	5377D6C396A01DCFA1CADBCDB9F871A81E629450
SHA-256:	A21AC948498B3E2017D61A87013EC37397571AFA19C1A96D10C9DBB5E4268BB0
SHA-512:	86A9ED81C50FD38792C3941BDA3E7B00D6C4A39554337CD5A3FFCB79FF63362E6DB86AAFACBB2D10925C8DC500F375BC4F6CAC092485C44B43EAFD842915FC68
Malicious:	false
Preview:	L..................F.@.. ....!F.4.....H.4.....H.4...P............................P.O. .:i.....+00.../C:\.....................1.....\|U.r..PROGRA~2.........sN.&\|U.r....^...............V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....d.1.....\|U.r..DREAMS~1..L......\|U.r\|U.r....W`.......................D.r.e.a.m.S.e.c.u.r.i.t.y.....b.1.....\|U.r..MAGICL~1..J......\|U.r\|U.r....X`.....................V..M.a.g.i.c.L.i.n.e.4.N.X.......2.P...\|U.r .MAGICL~3.EXE..f......\|U.r\|U.r....k`........................M.a.g.i.c.L.i.n.e.4.N.X._.U.n.i.n.s.t.a.l.l...e.x.e.......{...............-.......z...........C........C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX_Uninstall.exe..d.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.D.r.e.a.m.S.e.c.u.r.i.t.y.\.M.a.g.i.c.L.i.n.e.4.N.X.\.M.a.g.i.c.L.i.n.e.4.N.X._.U.n.i.n.s.t.a.l.l...e.x.e.6.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.D.r.e.a.m.S.e.c.u.r.i.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert8.db

Download File

Process:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
File Type:	Berkeley DB 1.85 (Hash, version 2, native byte-order)
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2615441683929896
Encrypted:	false
SSDEEP:	48:CrvbeOsO+lxhOGOzHbjIqAWhBRlTO8GOj:AvbvJ+lxUXzHbjv3C8Xj
MD5:	9C69C6CEDD5EE764D496971B28C5A24A
SHA1:	EF47AA3797E380311ED720EA2C92E39CE99A999A
SHA-256:	E47EACA8AB3788C9AA18412FB0B65D7CA91EC38AE4A8E7A217F67FCB4C86541F
SHA-512:	BAEF241248D960AB18E800086F7BA8E5565D2DD2E7DDA7063A39F9FA835E6A2E377DFB99AE1F73725301FE918CD85A84DF5ED58C949ED0BEFD318FFE7D8478DB
Malicious:	true
Preview:	...a..........@..................................................n}.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\key3.db

Download File

Process:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
File Type:	Berkeley DB 1.85 (Hash, version 2, native byte-order)
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.1202299158170133
Encrypted:	false
SSDEEP:	6:5X9cvVmXy/VofeQaH1aRYno3FTUti/SH0cLD:5NGVmXydofsakoZzSU+D
MD5:	38A5693CDB57B758D277B56A9C535068
SHA1:	F042CD0B01C730665F050B2E82040974A8A7B407
SHA-256:	8C2AB6201D2049071203455C5BCEE7FBC509434B79F271973183A3292E647776
SHA-512:	2D8CB57F8F3278B55B68515099D31E7CF21D6B101BFCEF1205BAC3DDA04373CD837AF3C5D0C3C3BE349ADF627FD37C910BF52A53D56B470587A52B19B5124832
Malicious:	true
Preview:	...a.............................................................n}.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\secmod.db

Download File

Process:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
File Type:	Berkeley DB 1.85 (Hash, version 2, native byte-order)
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.0631901030961983
Encrypted:	false
SSDEEP:	12:5NGVqnXy0LXWvFC0qudhTbOGLDcGuyrJvGLOvP:SonXyLvFHNbaGaOvP
MD5:	2720F1AD2A036A2D9EEA5B21E0D9E4CC
SHA1:	67D5309357AA4152891A38A6CF2FE77EA044F375
SHA-256:	E84B67DEFCDEEE2AF834F233FE82DEF3CB5D3C8DA831419F73D81793367113EF
SHA-512:	FBBB3B4F936374320921B1C81202695FAC2487F76AB8438475907971F79B459CC17212100F91991194BFF926B9BC707178C439D08AF598ADD136A0ADA99C4210
Malicious:	true
Preview:	...a.............................................................n}.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\cert9.db

Download File

Process:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3010002, page size 32768, file counter 7, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	229376
Entropy (8bit):	0.5414788194073594
Encrypted:	false
SSDEEP:	192:5OFva0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23v5v3FcyS50+Mg2gTP6TSufMOgT:c1zkVmvQhyn+Zoz67z8+Yg7cNloMM03e
MD5:	52F67E637F3F0EC7699005E7E2225488
SHA1:	15436DA35E0C9E204BCE62E961803C3EECB4D496
SHA-256:	90FA473D059B94919C3256CDE4CF8CCE0429AF0CB5976091B0B9518F021BDA61
SHA-512:	3D15D832C8379BC1D2F665C9E9081FBFD7C34DB19936238C427B700249CA88AB5FE1C1AF8BD10F6810F070FFC1CC4C15156B82F2E597A4E91C6D6447AAFDB7A7
Malicious:	true
Preview:	SQLite format 3......@ .........................................................................-.......z..{...{.{j{*z.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\cert9.db-journal

Download File

Process:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	229944
Entropy (8bit):	0.5290740915837886
Encrypted:	false
SSDEEP:	384:73Z8+Yg7cNloMM0yDD1zkVmvQhyn+Zoz67J:+wc8M8k
MD5:	FF80A94CE49F32E85BA8C265CC5CEBCC
SHA1:	E3E4A05819D199C2E200B95CCD05EDB7F4902A81
SHA-256:	7CECAE98B578452C01C76C1E7AE75B2F55C6A8639EDE1B84C19E4C99DA74F790
SHA-512:	1AE4F9EC7D3E89DCD9B1D14AF00A1BCFECD2EBDF23F174082A6698426BBAD74F9526680AFAA3F690D548458F21F7C567D9FE1A85AA8C14F7379D570F53655875
Malicious:	true
Preview:	.... .c.....,.^Q........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\key4.db

Download File

Process:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3010002, page size 32768, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	294912
Entropy (8bit):	0.15216131491049606
Encrypted:	false
SSDEEP:	192:dva0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vCeDs4Ds9:d1zkVmvQhyn+Zoz67ms9
MD5:	10A7BBBFBC5A4D1CA8B6D70A68F1A1D5
SHA1:	9380138E4C919A4FDF64C89E9CDA4CB32BEF48CF
SHA-256:	3AA0ECA2B4BB9C047C9A0547107E4B21FA475EFF829BE9E000B029907E0C7152
SHA-512:	216BDBA5818149FC4D208FF40046A6359047068A11C7DFBA11263D36D88EBDF53F275471213EF7513E0FE6289A084B9689C968F2ED7C019A4512568782DBA503
Malicious:	true
Preview:	SQLite format 3......@ .........................................................................-.......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\key4.db-journal

Download File

Process:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	98840
Entropy (8bit):	0.2272603247984588
Encrypted:	false
SSDEEP:	192:7+kva0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vk:7+k1zkVmvQhyn+Zoz67B
MD5:	A30FA6E449025F5C54C637EE8839A38A
SHA1:	D5EE5AC5CB0E45AD3EA6BD29652DA68C8B940279
SHA-256:	0A776BA9118A55DF41A48571D0F126DDEF544F544D2698B1160DCE0FD8C26EA9
SHA-512:	528D1254F530D6903E5B0484AFED150103912F18F6954D4B959DE7A8744429D1474D9F4DDF862225B63D28A1AD94236ECD6CF4C483DF8EE266C922226016A40B
Malicious:	true
Preview:	.... .c.....+.\.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Logs\waasmedic\waasmedic.20221128_142248_759.etl

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.7215647863449464
Encrypted:	false
SSDEEP:	48:c1Wr52I6sb7kUlb7kEBb7klEtb7kmgb7kbIl9lcob7k0tpl6Hb7k7yb7kbpb7kwj:92Il0Ul0W0Q0l0U9l0ClO0G0t0U09m
MD5:	A107301ABC02D4AAE067671118A7A663
SHA1:	02AB932DBD4054EC6712C7BE9CE2265592EF14C9
SHA-256:	1324BFE22AAA7EFD96C7A833FC9D3A5061268D40C808A8DA2D538F9BBB043DC2
SHA-512:	E32248963225DCB938567CAA911B900C55E1B7C3E83C81808B97B7FB7733A84E99F6BE4C02A1957E03BD0AD0F1E507B5E72570B5A1CAA2393126D32C4BF4ED9C
Malicious:	false
Preview:	....................................................!.....................................tQ.....................G......b...5...Zb....... ..........................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1..............................................................v............#S.4...........E.C.C.B.1.7.5.F.-.1.E.B.2.-.4.3.D.A.-.B.F.B.5.-.A.8.D.5.8.A.4.0.A.4.D.7...C.:.\.W.i.n.d.o.w.s.\.l.o.g.s.\.w.a.a.s.m.e.d.i.c.\.w.a.a.s.m.e.d.i.c...2.0.2.2.1.1.2.8._.1.4.2.2.4.8._.7.5.9...e.t.l.............P.P...........tQ................................................................:.B...tQ....18362.1.amd64fre.19h1_release.190318-1202...........5.@...tQ.....*..c...;.P...4....WaaSMedicSvc.pdb............................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	2583
Entropy (8bit):	4.9697986369741445
Encrypted:	false
SSDEEP:	48:5nL4sTeegaiJpfd8ewgm63QmncUJ3t30rPzDA0GJBjUFtlTFeolVK1W7mTJf/7J0:xL4sTtgjDfiewgm63QmcUxl01G6tTeoN
MD5:	B85E9A4702D1EEE70CA0B91AB0BD8110
SHA1:	9BE136BF0625D12E69B5F440892C67DD76ED2363
SHA-256:	4C365648A2AF6EA1B81DF89BD9BA18082D9475218CF609C0E72EAB72157C4F9C
SHA-512:	66931D4BD97531B12609E11A78F81BEA25215C0CFC83DDC42290B27E6A808D7702DE6585D826788763BC9823C038BCB904109FCAD10731D28E58EC10BEFE3026
Malicious:	false
Preview:	.{. "AFSEnvironment" : 0,. "AFSUrl" : "https://activity.windows.com",. "AccountSettings" : [],. "AfcDefaultUser" : "",. "AfcPrivacySettings" : {. "ActivityFeed" : 0,. "CloudSync" : 0,. "PublishUserActivity" : 0,. "UploadUserActivity" : 1. },. "AfsConnectivityEnabled" : true,. "AfsPostInitializeSyncWaitMs" : 10000,. "AfsSyncFrequencyMs" : 86400000,. "Authentication.Environment" : 0,. "BluetoothTransportEnabled" : true,. "BluetoothTransportHostingAllowed" : true,. "CcsApiVersion" : "/api/v1",. "CcsDefaultServerName" : "romeccs.microsoft.com",. "CcsPollingEnabled" : false,. "CcsPollingInterval" : 0,. "CcsSeenRequestIds" : [],. "CcsSeenRequestIdsLastUpdatedTime" : "0000-00-00T00:00:00.000",. "Cloud.SessionIdleTimeoutIntervalSecs" : 3600,. "CloudDataGroupPolicyActivitiyPolicies" : [],. "CloudDataMDMActivitiyPolicies" : [],. "CloudTransportEnabled" : true,. "CloudTransportHostingAllowed" : true,. "CustomAuthClsid" : "",.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\L.user.cdp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	modified
Size (bytes):	945
Entropy (8bit):	4.857708856587884
Encrypted:	false
SSDEEP:	24:oz5cATnwlThXGpA781cL1/y6PYmXG2mXG784zZGUQUXGoXp:GpMdB0AI1cx/y65GXGIIjQOzp
MD5:	FF687088B4177384963F7132F0C423FC
SHA1:	40BAE70C277123FB4390DBF031A4E1D27E66140B
SHA-256:	1A0D4F7B07A0FE051A152F6F54B032B99BC48935237D1DBDEC25F71FE4AF1822
SHA-512:	B4BA2C5CADCC808636ECBDB7131FB6021E55E21AC270E235C8FC5F63B7A9DEB4CB12DA8E4A21130EA3364A633DDE974CF4AEBC7D2F254796F4AD46CC88764530
Malicious:	false
Preview:	.{. "AfcDatabaseSettings" : {. "DatabaseInstanceId" : 0,. "LastUpdated" : "2022-11-28T15:22:28.900". },. "AfsActivityTypes" : [],. "AfsChannelUri" : "",. "AfsEnvironment" : "",. "AfsSubscriptionId" : "",. "AfsSubscriptionUpdateTime" : "0000-00-00T00:00:00.000",. "BaseRegisteredInfoHash" : "",. "CNCNotificationUri" : "",. "CNCNotificationUriExpirationTime" : "0000-00-00T00:00:00.000",. "CNCNotificationUriLastSynced" : "0000-00-00T00:00:00.000",. "DdsRegistrationExpiryTickCount" : 1144689510112,. "Devices" : [],. "FormatVersion" : 12,. "LastRegisteredNotificationUri" : "",. "LastRegisteredNotificationUriExpirationTime" : "0000-00-00T00:00:00.000",. "LastSyncedTime" : "0000-00-00T00:00:00.000",. "LogicalDeviceId" : "",. "NextDataEncryptionKeyRolloverTime" : "0000-00-00T00:00:00.000",. "RegisteredInfoHash" : "",. "RegisteredWithStrongAuth" : false,. "StableUserId" : "L.user".}.

\Device\ConDrv

Download File

Process:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	156
Entropy (8bit):	5.091772172748974
Encrypted:	false
SSDEEP:	3:oFj4I5hXuHcSlSFkRMJJtmKQPFYM1DX+gOVofOILdq37eev:oJ5Bu8SlkyLPWMNnMoBwLew
MD5:	51F764E5C0DBE4C2B9E2D2F59B089B80
SHA1:	608F4A13997D030E9164CF32D79C6C4CCC0B3400
SHA-256:	A0352E2F4CC409B59DC819CCB84CEB79E1265280372509CE61A1956E5F06AABD
SHA-512:	1DA8C0B4F19627D6DF9A6BA405C109BA64C9E4632D66EA6698BD4CE72AE2C54EF8C6502BB3FF8F8CE0B30FE1EFE593409DD7137804DF66FFBE21048F34C18871
Malicious:	false
Preview:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe: Could not find cert: Dreamsecurity ROOT CA..: PR_FILE_NOT_FOUND_ERROR: File not found..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.998103778788712
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	magicline4nx_setup.exe
File size:	10774328
MD5:	7cec32c04fdae116ab0f7f4fd8372abd
SHA1:	8b87b2536fc29ced5a2a242bf0ae1d9d3b5b2d2b
SHA256:	aee4831c12dc0cb1c46544cb2319f018d9f16c7a23592008a580a7a605e7ca1f
SHA512:	68b017169a1058b98650fb471ed2f0dc04222b516f8670597c28c7e5209e773ecc8f10ededd2a378b3ad6f634c3c8673255edd6178af3dfddd97b5c6f5d212cf
SSDEEP:	196608:i1swU0H5icKcguNb/0ysBK3KxI6lUlWqQBGG1y+8dkrrkRauWlcf:i1k08cKcguh1VlkICqsrkL1f
TLSH:	A5B63393662DE553F5124A7A2E7800393B82464F871A516F9DBCCBEFF20734EF665084
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...)..\.................d...\|.....

File Icon


Icon Hash:	b16dccb2b3b3b2c4

Static PE Info

General

Entrypoint:	0x40320c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F29 [Sat Dec 15 22:24:41 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3abe302b6d9a1256e6a915429af4ffd2

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	8/6/2020 2:00:00 AM 10/6/2022 1:59:59 AM
Subject Chain	CN="Dreamsecurity Co., Ltd.", O="Dreamsecurity Co., Ltd.", L=Songpa-gu, S=Seoul, C=KR
Version:	3
Thumbprint MD5:	6B78DDD09198A24ADE2ACAD1888F8EC0
Thumbprint SHA-1:	67251A386BA7C15C78268757250E79941ABDBEA1
Thumbprint SHA-256:	06152A2F83FE2FF6A89421C22F59E35E89B2850B8FE725B4D808872311AAA0BF
Serial:	2991F14126A97EDB9A5F5E00E13ACD9C

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A0h]
call dword ptr [0040809Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F40Ch], eax
je 00007F4BECF83F73h
push ebx
call 00007F4BECF8704Ah
cmp eax, ebx
je 00007F4BECF83F69h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007F4BECF86FC6h
push esi
call dword ptr [00408098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F4BECF83F4Dh
push 0000000Ah
call 00007F4BECF8701Eh
push 00000008h
call 00007F4BECF87017h
push 00000006h
mov dword ptr [0042F404h], eax
call 00007F4BECF8700Bh
cmp eax, ebx
je 00007F4BECF83F71h
push 0000001Eh
call eax
test eax, eax
je 00007F4BECF83F69h
or byte ptr [0042F40Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429830h
call dword ptr [00408178h]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x853c	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x5ed0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa43478	0x32c0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x628f	0x6400	False	0.6700390625	data	6.442207080714446	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x135c	0x1400	False	0.4611328125	data	5.240043476337556	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25518	0x600	False	0.455078125	data	4.04938010159809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x30000	0xc000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c000	0x5ed0	0x6000	False	0.4967854817708333	data	5.530327691332003	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3c2c8	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 0	English	United States
RT_ICON	0x3d8f0	0x1445	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x3ed38	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States
RT_ICON	0x3fbe0	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 0	English	United States
RT_ICON	0x40888	0x748	Device independent bitmap graphic, 24 x 48 x 24, image size 0	English	United States
RT_ICON	0x40fd0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States
RT_DIALOG	0x41538	0xec	data	English	United States
RT_DIALOG	0x41628	0x108	data	English	United States
RT_DIALOG	0x41730	0x4c	data	English	United States
RT_GROUP_ICON	0x41780	0x5a	data	English	United States
RT_VERSION	0x417e0	0x2bc	data	Korean	North Korea
RT_VERSION	0x417e0	0x2bc	data	Korean	South Korea
RT_MANIFEST	0x41aa0	0x42e	XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Korean	North Korea
Korean	South Korea

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: magicline4nx_setup.exePID: 5736, Parent PID: 3800

General

Target ID:	0
Start time:	15:22:27
Start date:	28/11/2022
Path:	C:\Users\user\Desktop\magicline4nx_setup.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\magicline4nx_setup.exe
Imagebase:	0x400000
File size:	10774328 bytes
MD5 hash:	7CEC32C04FDAE116AB0F7F4FD8372ABD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000003.1579576184.0000000000501000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000003.1580731607.0000000000553000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000003.1209899240.0000000000542000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5992, Parent PID: 636

General

Target ID:	2
Start time:	15:22:28
Start date:	28/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
Imagebase:	0x7ff711320000
File size:	53744 bytes
MD5 hash:	9520A99E77D6196D0D09833146424113
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6204, Parent PID: 5736

General

Target ID:	3
Start time:	15:22:30
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C taskkill /f /im NTSMagicLineNP.exe
Imagebase:	0x390000
File size:	236032 bytes
MD5 hash:	4943BA1A9B41D69643F69685E35B2943
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6212, Parent PID: 6204

General

Target ID:	4
Start time:	15:22:30
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: taskkill.exePID: 6260, Parent PID: 6204

General

Target ID:	5
Start time:	15:22:31
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im NTSMagicLineNP.exe
Imagebase:	0xc40000
File size:	73728 bytes
MD5 hash:	07D18817187E87CFC6AB2A4670061AE0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 6288, Parent PID: 5736

General

Target ID:	6
Start time:	15:22:32
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop MagicLine4NXSVC
Imagebase:	0x760000
File size:	61440 bytes
MD5 hash:	3A070609B1569EDEBABDC6466E8FA36C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6296, Parent PID: 6288

General

Target ID:	7
Start time:	15:22:32
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 6380, Parent PID: 5736

General

Target ID:	8
Start time:	15:22:32
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc delete MagicLine4NXSVC
Imagebase:	0x760000
File size:	61440 bytes
MD5 hash:	3A070609B1569EDEBABDC6466E8FA36C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6392, Parent PID: 6380

General

Target ID:	9
Start time:	15:22:32
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6436, Parent PID: 5736

General

Target ID:	10
Start time:	15:22:33
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C taskkill /f /im MagicLine4NX.exe
Imagebase:	0x390000
File size:	236032 bytes
MD5 hash:	4943BA1A9B41D69643F69685E35B2943
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6444, Parent PID: 6436

General

Target ID:	11
Start time:	15:22:33
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: taskkill.exePID: 6484, Parent PID: 6436

General

Target ID:	12
Start time:	15:22:33
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im MagicLine4NX.exe
Imagebase:	0xc40000
File size:	73728 bytes
MD5 hash:	07D18817187E87CFC6AB2A4670061AE0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: certmgr.exePID: 6512, Parent PID: 5736

General

Target ID:	13
Start time:	15:22:38
Start date:	28/11/2022
Path:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe" -add dreamsecurity-rootca.der -c -s -r localMachine Root
Imagebase:	0x220000
File size:	65536 bytes
MD5 hash:	3A73031809C7DC0BB9BCE2F366345101
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6520, Parent PID: 6512

General

Target ID:	14
Start time:	15:22:38
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cscript.exePID: 6564, Parent PID: 5736

General

Target ID:	15
Start time:	15:22:40
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefoxCheck.vbs" "MagicLine4NX
Imagebase:	0xf30000
File size:	144896 bytes
MD5 hash:	86EF3CCA8FF54D585BC29699EE1ADC00
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6572, Parent PID: 6564

General

Target ID:	16
Start time:	15:22:40
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: certutil.exePID: 6652, Parent PID: 6564

General

Target ID:	17
Start time:	15:22:41
Start date:	28/11/2022
Path:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default" -n "Dreamsecurity ROOT CA
Imagebase:	0x6d0000
File size:	229888 bytes
MD5 hash:	F2F7AA96E4E4BFCB04643ECADEDB3A14
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6660, Parent PID: 6652

General

Target ID:	18
Start time:	15:22:41
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: certutil.exePID: 6712, Parent PID: 6564

General

Target ID:	19
Start time:	15:22:43
Start date:	28/11/2022
Path:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release" -n "Dreamsecurity ROOT CA
Imagebase:	0x6d0000
File size:	229888 bytes
MD5 hash:	F2F7AA96E4E4BFCB04643ECADEDB3A14
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6720, Parent PID: 6712

General

Target ID:	20
Start time:	15:22:43
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cscript.exePID: 6820, Parent PID: 5736

General

Target ID:	22
Start time:	15:22:45
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefox.vbs" "MagicLine4NX
Imagebase:	0xf30000
File size:	144896 bytes
MD5 hash:	86EF3CCA8FF54D585BC29699EE1ADC00
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6828, Parent PID: 6820

General

Target ID:	23
Start time:	15:22:45
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: certutil.exePID: 6908, Parent PID: 6820

General

Target ID:	24
Start time:	15:22:46
Start date:	28/11/2022
Path:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default
Imagebase:	0x6d0000
File size:	229888 bytes
MD5 hash:	F2F7AA96E4E4BFCB04643ECADEDB3A14
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6916, Parent PID: 6908

General

Target ID:	25
Start time:	15:22:46
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6936, Parent PID: 636

General

Target ID:	26
Start time:	15:22:46
Start date:	28/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p -s DoSvc
Imagebase:	0x7ff711320000
File size:	53744 bytes
MD5 hash:	9520A99E77D6196D0D09833146424113
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6996, Parent PID: 636

General

Target ID:	27
Start time:	15:22:47
Start date:	28/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff711320000
File size:	53744 bytes
MD5 hash:	9520A99E77D6196D0D09833146424113
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: SgrmBroker.exePID: 7040, Parent PID: 636

General

Target ID:	28
Start time:	15:22:47
Start date:	28/11/2022
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff726ec0000
File size:	263904 bytes
MD5 hash:	C51AA0BB954EA45E85572E6CC29BA6F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 7068, Parent PID: 636

General

Target ID:	29
Start time:	15:22:47
Start date:	28/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Imagebase:	0x7ff711320000
File size:	53744 bytes
MD5 hash:	9520A99E77D6196D0D09833146424113
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: certutil.exePID: 7088, Parent PID: 6820

General

Target ID:	30
Start time:	15:22:47
Start date:	28/11/2022
Path:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release
Imagebase:	0x6d0000
File size:	229888 bytes
MD5 hash:	F2F7AA96E4E4BFCB04643ECADEDB3A14
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7108, Parent PID: 7088

General

Target ID:	31
Start time:	15:22:47
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6272, Parent PID: 636

General

Target ID:	33
Start time:	15:22:48
Start date:	28/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase:	0x7ff711320000
File size:	53744 bytes
MD5 hash:	9520A99E77D6196D0D09833146424113
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6348, Parent PID: 636

General

Target ID:	34
Start time:	15:22:48
Start date:	28/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Imagebase:	0x7ff711320000
File size:	53744 bytes
MD5 hash:	9520A99E77D6196D0D09833146424113
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: netsh.exePID: 6480, Parent PID: 5736

General

Target ID:	35
Start time:	15:22:51
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall delete rule name="MagicLine4NX" program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe"
Imagebase:	0x1720000
File size:	82432 bytes
MD5 hash:	718A726FCC5EFCE3529E7A244D87F13F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6440, Parent PID: 6480

General

Target ID:	36
Start time:	15:22:51
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: netsh.exePID: 6540, Parent PID: 5736

General

Target ID:	37
Start time:	15:22:53
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall add rule name="MagicLine4NX" dir=in action=allow program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" enable=yes
Imagebase:	0x1720000
File size:	82432 bytes
MD5 hash:	718A726FCC5EFCE3529E7A244D87F13F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6544, Parent PID: 6540

General

Target ID:	38
Start time:	15:22:53
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: CheckNetIsolation.exePID: 6668, Parent PID: 5736

General

Target ID:	39
Start time:	15:22:54
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\CheckNetIsolation.exe
Wow64 process (32bit):	true
Commandline:	CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Imagebase:	0xc10000
File size:	26624 bytes
MD5 hash:	2FBEB635ADD6F73B226EE4BE660201BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6664, Parent PID: 6668

General

Target ID:	40
Start time:	15:22:54
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: CheckNetIsolation.exePID: 6732, Parent PID: 5736

General

Target ID:	41
Start time:	15:22:54
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\CheckNetIsolation.exe
Wow64 process (32bit):	true
Commandline:	CheckNetIsolation LoopbackExempt -a -n="Microsoft.Windows.Spartan_cw5n1h2txyewy"
Imagebase:	0xc10000
File size:	26624 bytes
MD5 hash:	2FBEB635ADD6F73B226EE4BE660201BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5772, Parent PID: 6732

General

Target ID:	42
Start time:	15:22:54
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: MagicLine4NX.exePID: 5700, Parent PID: 5736

General

Target ID:	43
Start time:	15:22:55
Start date:	28/11/2022
Path:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe
Imagebase:	0x820000
File size:	3753952 bytes
MD5 hash:	A98F6351876129FED4A6CA7DB7CBD721
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000002B.00000002.2510440514.000000006E10E000.00000002.00000001.01000000.0000001F.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000002B.00000003.1506828790.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000002B.00000002.2433205884.0000000000918000.00000040.00000001.01000000.0000001B.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000002B.00000003.1486681414.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: MagicLine4NXServices.exePID: 6760, Parent PID: 5736

General

Target ID:	44
Start time:	15:22:56
Start date:	28/11/2022
Path:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe" -install
Imagebase:	0x770000
File size:	2248000 bytes
MD5 hash:	877F2A6FC5DA85AA4C9B38943EF21EAE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6620, Parent PID: 6760

General

Target ID:	45
Start time:	15:22:57
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 1156, Parent PID: 5736

General

Target ID:	46
Start time:	15:23:05
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc start MagicLine4NXSVC
Imagebase:	0x760000
File size:	61440 bytes
MD5 hash:	3A070609B1569EDEBABDC6466E8FA36C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1392, Parent PID: 1156

General

Target ID:	47
Start time:	15:23:05
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74e0f0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: MagicLine4NXServices.exePID: 1936, Parent PID: 636

General

Target ID:	48
Start time:	15:23:05
Start date:	28/11/2022
Path:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe
Imagebase:	0x770000
File size:	2248000 bytes
MD5 hash:	877F2A6FC5DA85AA4C9B38943EF21EAE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: magicline4nx_setup.exePID: 5736, Parent PID: 3800COMMON

Execution Graph

Execution Coverage:	22.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	59.3%
Total number of Nodes:	86
Total number of Limit Nodes:	7

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 100010D0 Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E100010D0() {
				struct HINSTANCE__* _t53;
				short* _t54;
				struct HINSTANCE__* _t55;
				struct HINSTANCE__* _t57;
				struct HINSTANCE__* _t60;
				int* _t61;
				struct HINSTANCE__* _t65;
				struct HINSTANCE__* _t67;
				struct HINSTANCE__* _t78;
				struct HINSTANCE__* _t81;
				int _t86;
				struct HINSTANCE__* _t88;
				long _t94;
				struct HINSTANCE__* _t97;
				struct HINSTANCE__* _t98;
				struct HINSTANCE__* _t100;
				struct HINSTANCE__* _t103;
				struct HINSTANCE__* _t105;
				void* _t106;
				void* _t109;
				struct HINSTANCE__* _t113;
				void* _t114;
				void* _t116;
				void* _t117;

				_t114 = _t116 - 0x6c;
				_t117 = _t116 - 0x2dc;
				 *(_t114 + 0x5c) = 0;
				 *(_t114 + 0x58) = 0;
				 *((intOrPtr*)(_t114 + 0x60)) = 0;
				 *(_t114 - 0x44) = 0x94;
				if(GetVersionExA(_t114 - 0x44) != 0) {
					__eflags =  *((intOrPtr*)(_t114 - 0x34)) - 2;
					if( *((intOrPtr*)(_t114 - 0x34)) == 2) {
						_t94 = 0x4000;
						_t53 = LoadLibraryW(L"NTDLL.DLL");
						 *(_t114 + 0x64) = _t53;
						__eflags = _t53;
						if(_t53 == 0) {
							_t103 = 0x25e;
						} else {
							_t65 = GetProcAddress(_t53, "NtQuerySystemInformation");
							 *(_t114 + 0x54) = _t65;
							__eflags = _t65;
							if(_t65 == 0) {
								_t103 = 0x25f;
							} else {
								_t67 = LocalAlloc(0, 0x4000); // executed
								__eflags = _t67;
								while(1) {
									 *(_t114 + 0x68) = _t67;
									if(__eflags == 0) {
										break;
									}
									_t103 = NtQuerySystemInformation(5,  *(_t114 + 0x68), _t94, _t114 + 0x50);
									__eflags = _t103;
									if(_t103 != 0) {
										LocalFree( *(_t114 + 0x68)); // executed
										__eflags = _t103 - 0xc0000004;
										if(_t103 != 0xc0000004) {
											break;
										} else {
											_t94 = _t94 + _t94;
											_t67 = LocalAlloc(0, _t94); // executed
											__eflags = _t67;
											continue;
										}
									}
									goto L14;
								}
								_t103 = 0x260;
							}
							L14:
							FreeLibrary( *(_t114 + 0x64));
						}
						__eflags = _t103;
						if(_t103 == 0) {
							_t109 =  *(_t114 + 0x68);
							while(1) {
								_t54 =  *(_t109 + 0x3c);
								__eflags = _t54;
								if(_t54 == 0) {
									goto L23;
								}
								WideCharToMultiByte(0, 0, _t54, 0xffffffff, _t114 - 0x270, 0x104, 0, 0);
								_t60 = lstrcmpiA(_t114 - 0x270,  *(_t114 + 0x74));
								__eflags = _t60;
								if(_t60 != 0) {
									goto L23;
								} else {
									_t61 =  &(_t60->i);
									 *(_t114 + 0x5c) = _t61;
									__eflags =  *((intOrPtr*)(_t114 + 0x78)) - _t61;
									if( *((intOrPtr*)(_t114 + 0x78)) == _t61) {
										E1000103F( *((intOrPtr*)(_t109 + 0x44)),  *((intOrPtr*)(_t114 + 0x7c)), _t114 + 0x58, _t114 + 0x60);
										_t117 = _t117 + 0x10;
										goto L23;
									}
								}
								L25:
								LocalFree( *(_t114 + 0x68));
								goto L43;
								L23:
								_t55 =  *_t109;
								__eflags = _t55;
								if(_t55 != 0) {
									_t109 = _t109 + _t55;
									continue;
								}
								goto L25;
							}
						} else {
							_t57 = _t103;
						}
					} else {
						__eflags =  *((intOrPtr*)(_t114 - 0x34)) - 1;
						if( *((intOrPtr*)(_t114 - 0x34)) == 1) {
							_t97 = LoadLibraryA("KERNEL32.DLL");
							 *(_t114 + 0x64) = _t97;
							__eflags = _t97;
							if(_t97 == 0) {
								L44:
								_t57 = 0x25b;
							} else {
								_t105 = GetProcAddress(_t97, "CreateToolhelp32Snapshot");
								_t98 = GetProcAddress(_t97, "Process32First");
								_t113 = GetProcAddress( *(_t114 + 0x64), "Process32Next");
								__eflags = _t105;
								if(_t105 != 0) {
									__eflags = _t113;
									if(_t113 != 0) {
										__eflags = _t98;
										if(_t98 != 0) {
											_t106 = _t105->i(2, 0);
											__eflags = _t106 - 0xffffffff;
											if(_t106 != 0xffffffff) {
												 *((intOrPtr*)(_t114 - 0x16c)) = 0x128;
												_t78 = _t98->i(_t106, _t114 - 0x16c);
												while(1) {
													__eflags = _t78;
													if(_t78 == 0) {
														break;
													}
													_t81 = _t114 + lstrlenA(_t114 - 0x148) - 0x149;
													while(1) {
														_t100 = _t81->i;
														__eflags = _t100 - 0x5c;
														if(_t100 == 0x5c) {
															break;
														}
														__eflags = _t100;
														if(_t100 != 0) {
															_t81 = _t81 - 1;
															__eflags = _t81;
															continue;
														}
														break;
													}
													lstrcpynA(_t114 - 0x270,  &(_t81->i), 0x104);
													_t86 = lstrcmpiA(_t114 - 0x270,  *(_t114 + 0x74));
													__eflags = _t86;
													if(_t86 != 0) {
														L39:
														_t78 = _t113->i(_t106, _t114 - 0x16c);
														continue;
													} else {
														_t88 = _t86 + 1;
														 *(_t114 + 0x5c) = _t88;
														__eflags =  *((intOrPtr*)(_t114 + 0x78)) - _t88;
														if( *((intOrPtr*)(_t114 + 0x78)) == _t88) {
															E1000103F( *((intOrPtr*)(_t114 - 0x164)),  *((intOrPtr*)(_t114 + 0x7c)), _t114 + 0x58, _t114 + 0x60);
															_t117 = _t117 + 0x10;
															goto L39;
														}
													}
													break;
												}
												CloseHandle(_t106);
											}
										}
									}
								}
								FreeLibrary( *(_t114 + 0x64));
								L43:
								__eflags =  *(_t114 + 0x5c);
								if( *(_t114 + 0x5c) != 0) {
									__eflags =  *((intOrPtr*)(_t114 + 0x78)) - 1;
									if( *((intOrPtr*)(_t114 + 0x78)) != 1) {
										L50:
										_t57 = 0;
										__eflags = 0;
									} else {
										__eflags =  *(_t114 + 0x58);
										if( *(_t114 + 0x58) != 0) {
											__eflags =  *((intOrPtr*)(_t114 + 0x60)) - 1;
											if( *((intOrPtr*)(_t114 + 0x60)) != 1) {
												goto L50;
											} else {
												_t57 = 0x25a;
											}
										} else {
											_t57 = 0x259;
										}
									}
								} else {
									goto L44;
								}
							}
						} else {
							_t57 = 0x25d;
						}
					}
				} else {
					_t57 = 0x25c;
				}
				return _t57;
			}

0x100010d1
0x100010d5
0x100010e2
0x100010e5
0x100010e8
0x100010eb
0x100010fa
0x10001106
0x1000110c
0x1000112c
0x1000112e
0x10001134
0x10001137
0x10001139
0x100011a5
0x1000113b
0x10001141
0x10001147
0x1000114a
0x1000114c
0x10001195
0x1000114e
0x10001156
0x10001158
0x10001189
0x10001189
0x1000118c
0x00000000
0x00000000
0x10001169
0x1000116b
0x1000116d
0x10001172
0x10001178
0x1000117e
0x00000000
0x10001180
0x10001180
0x10001185
0x10001187
0x00000000
0x10001187
0x1000117e
0x00000000
0x1000116d
0x1000118e
0x1000118e
0x1000119a
0x1000119d
0x1000119d
0x100011ac
0x100011ae
0x100011b7
0x100011ba
0x100011ba
0x100011bd
0x100011bf
0x00000000
0x00000000
0x100011d4
0x100011e4
0x100011ea
0x100011ec
0x00000000
0x100011ee
0x100011ee
0x100011ef
0x100011f2
0x100011f5
0x10001205
0x1000120a
0x00000000
0x1000120a
0x100011f5
0x10001217
0x1000121a
0x00000000
0x1000120d
0x1000120d
0x1000120f
0x10001211
0x10001213
0x00000000
0x10001213
0x00000000
0x10001211
0x100011b0
0x100011b0
0x100011b0
0x1000110e
0x1000110e
0x10001112
0x10001230
0x10001232
0x10001235
0x10001237
0x10001332
0x10001332
0x1000123d
0x10001251
0x1000125d
0x10001261
0x10001263
0x10001265
0x1000126b
0x1000126d
0x10001273
0x10001275
0x10001281
0x10001283
0x10001286
0x10001294
0x1000129e
0x10001318
0x10001318
0x1000131a
0x00000000
0x00000000
0x100012af
0x100012bd
0x100012bd
0x100012bf
0x100012c2
0x00000000
0x00000000
0x100012b8
0x100012ba
0x100012bc
0x100012bc
0x00000000
0x100012bc
0x00000000
0x100012ba
0x100012d2
0x100012e2
0x100012e8
0x100012ea
0x1000130e
0x10001316
0x00000000
0x100012ec
0x100012ec
0x100012ed
0x100012f0
0x100012f3
0x10001306
0x1000130b
0x00000000
0x1000130b
0x100012f3
0x00000000
0x100012ea
0x1000131d
0x1000131d
0x10001286
0x10001275
0x1000126d
0x10001326
0x1000132c
0x1000132c
0x10001330
0x10001339
0x1000133d
0x10001359
0x10001359
0x10001359
0x1000133f
0x1000133f
0x10001343
0x1000134c
0x10001350
0x00000000
0x10001352
0x10001352
0x10001352
0x10001345
0x10001345
0x10001345
0x10001343
0x00000000
0x00000000
0x00000000
0x10001330
0x10001118
0x10001118
0x10001118
0x10001112
0x100010fc
0x100010fc
0x100010fc
0x10001362

APIs

GetVersionExA.KERNEL32(?), ref: 100010F2

Strings

NtQuerySystemInformation, xrefs: 1000113B
KERNEL32.DLL, xrefs: 10001225
NTDLL.DLL, xrefs: 10001127
Process32First, xrefs: 1000124B
Process32Next, xrefs: 10001255
CreateToolhelp32Snapshot, xrefs: 10001243

Memory Dump Source

Source File: 00000000.00000002.1587560261.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1587460389.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1587600604.0000000010002000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1587642103.0000000010004000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_magicline4nx_setup.jbxd

Similarity

API ID: Version
String ID: CreateToolhelp32Snapshot$KERNEL32.DLL$NTDLL.DLL$NtQuerySystemInformation$Process32First$Process32Next
API String ID: 1889659487-877962304
Opcode ID: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
Instruction ID: 3df706415bff85d1043f51983ae3f68c733976b3404a17f8fb4488dcc6387507
Opcode Fuzzy Hash: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
Instruction Fuzzy Hash: 19715871900659EFFB11DFA4CC88ADE3BEAEB483C4F250026FA19D2159E6358E49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10001426 Relevance: 2.5, APIs: 2, Instructions: 29
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10001426(CHAR* _a4, int _a8) {
				void* _t5;
				int _t10;
				void* _t15;

				_t5 =  *0x10003000;
				if(_t5 == 0 ||  *_t5 == 0) {
					return 1;
				} else {
					_t15 =  *_t5;
					if(_a4 != 0) {
						_t10 = _a8;
						if(_t10 == 0) {
							_t10 =  *0x10003004;
						}
						_t3 = _t15 + 4; // 0x10003024
						lstrcpynA(_a4, _t3, _t10);
						_t5 =  *0x10003000;
					}
					 *_t5 =  *_t15; // executed
					GlobalFree(_t15); // executed
					return 0;
				}
			}

0x10001426
0x1000142d
0x00000000
0x10001434
0x1000143a
0x1000143c
0x1000143e
0x10001444
0x10001446
0x10001446
0x1000144c
0x10001454
0x1000145a
0x1000145a
0x10001462
0x10001464
0x00000000
0x1000146c

APIs

lstrcpynA.KERNEL32(?,10003024,?,10003020,1000138F,10003020,00000400), ref: 10001454
GlobalFree.KERNELBASE(10003020), ref: 10001464

Memory Dump Source

Source File: 00000000.00000002.1587560261.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1587460389.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1587600604.0000000010002000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1587642103.0000000010004000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_magicline4nx_setup.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID:
API String ID: 1459762280-0
Opcode ID: d37c7429f21efaa5103ac68eecef2f505b672404a3497301ec3293a1c9b8d6fd
Instruction ID: 61cff6a9ed434c6726c3e265b98623322506fe6e864b2b4fb358a1092e6d6a6c
Opcode Fuzzy Hash: d37c7429f21efaa5103ac68eecef2f505b672404a3497301ec3293a1c9b8d6fd
Instruction Fuzzy Hash: 8DF0F8312152209FE315DF24CC94B9777E9FB0A385F018429E691C7278D770E804CB22

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1000103F Relevance: 9.1, APIs: 6, Instructions: 55
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000103F(long _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16) {
				long _v8;
				int _v12;
				void* _v16;
				void* _t12;
				int _t13;
				intOrPtr* _t14;
				void* _t22;
				long _t23;

				_t23 = _a4;
				_t12 = OpenProcess(0x100401, 0, _t23);
				_t22 = _t12;
				if(_t22 == 0) {
					return _t12;
				}
				_v16 = _t23;
				_v12 = 0;
				if(_a8 == 0) {
					L7:
					_t13 = TerminateProcess(_t22, 0);
					_t14 = _a12;
					if(_t13 == 0) {
						_t14 = _a16;
					}
					L9:
					 *_t14 = 1;
					return CloseHandle(_t22);
				}
				EnumWindows(E10001007,  &_v16);
				if(_v12 == 0 || GetExitCodeProcess(_t22,  &_v8) != 0 && _v8 == 0x103 && WaitForSingleObject(_t22, 0xbb8) != 0) {
					goto L7;
				} else {
					_t14 = _a12;
					goto L9;
				}
			}

0x10001047
0x10001054
0x1000105a
0x1000105e
0x100010cf
0x100010cf
0x10001060
0x10001063
0x10001069
0x100010ac
0x100010ae
0x100010b6
0x100010b9
0x100010bb
0x100010bb
0x100010be
0x100010bf
0x00000000
0x100010c5
0x10001074
0x1000107d
0x00000000
0x100010a7
0x100010a7
0x00000000
0x100010a7

APIs

OpenProcess.KERNEL32(00100401,00000000,?,0000025E,?,00000000,?), ref: 10001054
EnumWindows.USER32(10001007,?), ref: 10001074
GetExitCodeProcess.KERNEL32(00000000,?), ref: 10001084
WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 1000109D
TerminateProcess.KERNEL32(00000000,00000000), ref: 100010AE
CloseHandle.KERNEL32(00000000), ref: 100010C5

Memory Dump Source

Source File: 00000000.00000002.1587560261.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1587460389.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1587600604.0000000010002000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1587642103.0000000010004000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_magicline4nx_setup.jbxd

Similarity

API ID: Process$CloseCodeEnumExitHandleObjectOpenSingleTerminateWaitWindows
String ID:
API String ID: 3465249596-0
Opcode ID: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
Instruction ID: 6b4dcd5717a232181223c093e4f4244ae1ce1555a3c8e15b92772d9ea2fb9ae7
Opcode Fuzzy Hash: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
Instruction Fuzzy Hash: 5211E235A00299EFFB00DFA5CCC8AEE77BCEB456C5F014069FA4192149D7B49981CB62

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: certmgr.exePID: 6512, Parent PID: 5736COMMON

Execution Graph

Execution Coverage:	5.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30.8%
Total number of Nodes:	78
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00221DF9 Relevance: 13.6, APIs: 9, Instructions: 91
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertAddCertificateContextToStore.CRYPT32(?,00000000,00000003,00000000), ref: 00221E2A
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00221E38
CertAddCRLContextToStore.CRYPT32(?,?,00000003,00000000), ref: 00221E58
CertEnumCTLsInStore.CRYPT32(?,00000000), ref: 00221E68
CertAddCRLContextToStore.CRYPT32(?,?,00000003,00000000), ref: 00221E8D
CertGetCRLFromStore.CRYPT32(?,00000000,00000000,?), ref: 00221EA2
CertFreeCertificateContext.CRYPT32(00000000), ref: 00221EB7
CertFreeCRLContext.CRYPT32(?), ref: 00221EC5
CertFreeCRLContext.CRYPT32(?), ref: 00221ED6

Memory Dump Source

Source File: 0000000D.00000002.1269714571.0000000000221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_221000_certmgr.jbxd

Similarity

API ID: Cert$ContextStore$Free$CertificateEnum$CertificatesFrom
String ID:
API String ID: 121226512-0
Opcode ID: a18ea0ec3c2231a9110df62075d5d47cb3e939a8d55d599791a987c297b0b54b
Instruction ID: 0da53195fb5716c412384ee76a5e5d8211206adb291da1f61009775e8725128e
Opcode Fuzzy Hash: a18ea0ec3c2231a9110df62075d5d47cb3e939a8d55d599791a987c297b0b54b
Instruction Fuzzy Hash: F4311E3191026ABBCB215FD0ED48EAEBBB9BF14784F114065FD04A5060C3B14BB19B90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00221A91 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strtok.MSVCRT ref: 00221ADC
strtok.MSVCRT ref: 00221AE9
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00221BD7
CertSetCRLContextProperty.CRYPT32(?,00000009,00000000,00000000), ref: 00221BED
CertSetCRLContextProperty.CRYPT32(?,00000009,00000000,?), ref: 00221C0E
CertEnumCertificatesInStore.CRYPT32(?,?), ref: 00221C1A
CertFreeCertificateContext.CRYPT32(?), ref: 00221C68

Strings

2.5.29.37, xrefs: 00221B9D, 00221BA2, 00221BC4

Memory Dump Source

Source File: 0000000D.00000002.1269714571.0000000000221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_221000_certmgr.jbxd

Similarity

API ID: Cert$Context$CertificatesEnumPropertyStorestrtok$CertificateFree
String ID: 2.5.29.37
API String ID: 4019044053-3842544949
Opcode ID: 93cc6a3b7d9dfd8748477f00fe980283fe8f103872bc9b9232be9deb0ff3030b
Instruction ID: c80d8289dc30f5984efe4dbe77a356f466693e638f3f260d6ca6a96e8760c081
Opcode Fuzzy Hash: 93cc6a3b7d9dfd8748477f00fe980283fe8f103872bc9b9232be9deb0ff3030b
Instruction Fuzzy Hash: 88518C76D1012AFFDF209FE4AD84DAEBBB9EB18700F14456AE900A3150D7319E71DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00221829 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 0022182B
CryptInitOIDFunctionSet.CRYPT32(CryptDllFormatObject,00000000), ref: 00221844

Strings

CryptDllFormatObject, xrefs: 0022183E, 00221843, 00221867

Memory Dump Source

Source File: 0000000D.00000002.1269714571.0000000000221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_221000_certmgr.jbxd

Similarity

API ID: CryptFunctionHandleInitModule
String ID: CryptDllFormatObject
API String ID: 188214945-3973519293
Opcode ID: 5b09549201bf4d4956f3db39489bd05ec767d29e5ee81a5f8908e52b1de69e9e
Instruction ID: b028f1fb0d0691304aa48905995be35aec6adff12278fabc9f3b64243e8574ba
Opcode Fuzzy Hash: 5b09549201bf4d4956f3db39489bd05ec767d29e5ee81a5f8908e52b1de69e9e
Instruction Fuzzy Hash: 74F05435664321BBF7205FE57C4DF953B95E730B51F001065F108D85A0E6718572969A

Uniqueness

Uniqueness Score: -1.00%

Function 00221EE8 Relevance: 18.1, APIs: 12, Instructions: 93
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertDuplicateCertificateContext.CRYPT32(?), ref: 00221F19
CertDeleteCRLFromStore.CRYPT32(00000000), ref: 00221F20
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00221F32
CertDuplicateCRLContext.CRYPT32(?), ref: 00221F4D
CertDeleteCRLFromStore.CRYPT32(00000000), ref: 00221F58
CertEnumCTLsInStore.CRYPT32(?,00000000), ref: 00221F66
CertDuplicateCRLContext.CRYPT32(00000004), ref: 00221F85
CertDeleteCRLFromStore.CRYPT32(00000000), ref: 00221F90
CertGetCRLFromStore.CRYPT32(?,00000000,00000000,?), ref: 00221FA3
CertFreeCertificateContext.CRYPT32(?), ref: 00221FBB
CertFreeCRLContext.CRYPT32(?), ref: 00221FC9
CertFreeCRLContext.CRYPT32(00000004), ref: 00221FDA

Memory Dump Source

Source File: 0000000D.00000002.1269714571.0000000000221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_221000_certmgr.jbxd

Similarity

API ID: Cert$ContextStore$From$DeleteDuplicateFree$CertificateEnum$Certificates
String ID:
API String ID: 3778652152-0
Opcode ID: 75dd99a5b733c1ffb0d4c0a3b387d037bf8e30779a3f63414f12d6b4849781c5
Instruction ID: e9ba17c71e259f23a70b7bad9cdcaaad2400f91edfab06afe34ee41c3e9a7149
Opcode Fuzzy Hash: 75dd99a5b733c1ffb0d4c0a3b387d037bf8e30779a3f63414f12d6b4849781c5
Instruction Fuzzy Hash: B0313C71D1425ABBCF219FD5EE48DAEFBB9BF64340F244065E921A2420D3758BB19B10

Uniqueness

Uniqueness Score: -1.00%

Function 00221D0F Relevance: 7.6, APIs: 5, Instructions: 91
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertGetCRLFromStore.CRYPT32(?,00000000,00000000,?), ref: 00221D43
CertGetCRLContextProperty.CRYPT32(?,00000003,00000000,?), ref: 00221D65
CertGetCRLContextProperty.CRYPT32(?,00000003,00000000,?), ref: 00221D86
CertGetCRLFromStore.CRYPT32(?,00000000,?,?), ref: 00221DAF
CertFreeCRLContext.CRYPT32(?), ref: 00221DE1

Memory Dump Source

Source File: 0000000D.00000002.1269714571.0000000000221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_221000_certmgr.jbxd

Similarity

API ID: Cert$Context$FromPropertyStore$Free
String ID:
API String ID: 1268920413-0
Opcode ID: 07a69bfb8176c211edc9e4aa2b66fc70b82250f846316a27ffdbd6c5f2ffff90
Instruction ID: 6baf94283ea18fae2f86029d9b42ae6a22a832c551fe78a3c46d0113210acf05
Opcode Fuzzy Hash: 07a69bfb8176c211edc9e4aa2b66fc70b82250f846316a27ffdbd6c5f2ffff90
Instruction Fuzzy Hash: CA31D271D2112AFBCF21DFD5E944CEEBBB9EF28751B244466E805A2110D7709F60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00221C7B Relevance: 7.6, APIs: 5, Instructions: 61
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00221CB8
CertSetCRLContextProperty.CRYPT32(00000000,0000000B,00000000,00000000), ref: 00221CCD
CertSetCRLContextProperty.CRYPT32(00000000,0000000B,00000000,?), ref: 00221CDC
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00221CE6
CertFreeCertificateContext.CRYPT32(00000000), ref: 00221CFA

Memory Dump Source

Source File: 0000000D.00000002.1269714571.0000000000221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00221000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_221000_certmgr.jbxd

Similarity

API ID: Cert$Context$CertificatesEnumPropertyStore$CertificateFree
String ID:
API String ID: 1905719181-0
Opcode ID: 14e339211de1ac30cb99561d9e66766cd5ecdeef1584f096e7153207e693a6e9
Instruction ID: 273521d1a99adad3e817a4ab650f861e0c6fbd87b190b5946c0e0d0a560a7b88
Opcode Fuzzy Hash: 14e339211de1ac30cb99561d9e66766cd5ecdeef1584f096e7153207e693a6e9
Instruction Fuzzy Hash: C4110836640206BBD7328FD8EC45FAE77B9EB94740F114026E900EB290DF70EE218B55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: certutil.exePID: 6652, Parent PID: 6564COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.2%
Total number of Nodes:	573
Total number of Limit Nodes:	67

Executed Functions

Function 6DF91120 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 159
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6DFA2110: PR_Lock.NSPR4(6DFF9B70,00000000,6DFF9B70,?,6DF9114B,?,00000000,?,00000014), ref: 6DFA211A
Part of subcall function 6DFA2110: PR_Unlock.NSPR4(6DFF9B70), ref: 6DFA2153

GlobalMemoryStatus.KERNEL32(00000020), ref: 6DF9115B

Part of subcall function 6DFA2110: PR_Unlock.NSPR4(6DFF9B70), ref: 6DFA217E

GetLogicalDrives.KERNELBASE ref: 6DF91170

Part of subcall function 6DFA2110: PR_Unlock.NSPR4(6DFF9B70), ref: 6DFA21BD

GetComputerNameA.KERNEL32(?,00000000), ref: 6DF91197
GetCurrentProcess.KERNEL32 ref: 6DF911B1
GetCurrentProcessId.KERNEL32 ref: 6DF911CA
GetCurrentThreadId.KERNEL32 ref: 6DF911E1
GetVolumeInformationA.KERNELBASE(00000000,?,00000080,?,?,?,?,00000100), ref: 6DF9122D
GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?), ref: 6DF912B2

Part of subcall function 6DFA2110: PR_Unlock.NSPR4(6DFF9B70,?,?,?,?,?,?,6E1768C0), ref: 6DFA223E

Part of subcall function 6DF91020: QueryPerformanceCounter.KERNEL32(?,6DFF9B70,?,?,6DF91140,?,00000014), ref: 6DF91038

Strings

, xrefs: 6DF9114E

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Unlock$Current$Process$ComputerCounterDiskDrivesFreeGlobalInformationLockLogicalMemoryNamePerformanceQuerySpaceStatusThreadVolume
String ID:
API String ID: 1007984748-3916222277
Opcode ID: e9bee8d899a7129b6343341c0bacaf0d0273663e68e6da309472eb4dbdecf85a
Instruction ID: 0197de319ebc5dd3ab30a4a2b93516acf047df56c7587a9f4eb2841b25ecbe52
Opcode Fuzzy Hash: e9bee8d899a7129b6343341c0bacaf0d0273663e68e6da309472eb4dbdecf85a
Instruction Fuzzy Hash: AF513EB1948304BBD761DBA4C849F9B77ECAF49708F090D2DF785D6140EB75D6088B62

Uniqueness

Uniqueness Score: -1.00%

Function 6E02AF75 Relevance: 13.8, APIs: 9, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6E02AC4B: CreateFileW.KERNELBASE(00000000,00000000,?,6E02B01E,?,?,00000000,?,6E02B01E,00000000,0000000C), ref: 6E02AC68

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E02B089
__dosmaperr.LIBCMT ref: 6E02B090
GetFileType.KERNEL32(00000000), ref: 6E02B09C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E02B0A6
__dosmaperr.LIBCMT ref: 6E02B0AF
CloseHandle.KERNEL32(00000000), ref: 6E02B0CF
CloseHandle.KERNEL32(00000000), ref: 6E02B219
GetLastError.KERNEL32 ref: 6E02B24B
__dosmaperr.LIBCMT ref: 6E02B252

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 1cb923c9d7b93551fef0d8943b8d9acdcb25780eda692b9a40887cc830a69f0b
Instruction ID: a45e1e0c1b4899e111680dbc333819133d7f0c01634dd5e43952cf2692b1f3e8
Opcode Fuzzy Hash: 1cb923c9d7b93551fef0d8943b8d9acdcb25780eda692b9a40887cc830a69f0b
Instruction Fuzzy Hash: 15A15836A145458FCF19CFE8C8917AE7BF4AB0B328F240569E811EF394DB359816CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6E029A2D Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe, xrefs: 6E029A70, 6E029A77, 6E029AAB
05, xrefs: 6E029A7F

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID:
String ID: 05$C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
API String ID: 0-3125619958
Opcode ID: 8f3605529c97c29991d7b20f92656ffba2822662801584b15497e563c88643b2
Instruction ID: 608575fc9bb909d2d9214dbdc90342b50c0e40a3c6d1761555179a13fe6a56bb
Opcode Fuzzy Hash: 8f3605529c97c29991d7b20f92656ffba2822662801584b15497e563c88643b2
Instruction Fuzzy Hash: 50416071E04719AFDB128FD9C984BDEBBFCEB85754B90017AE51497200D7719A41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDAED5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe, xrefs: 6DFDAF18, 6DFDAF1F, 6DFDAF53
05, xrefs: 6DFDAF27

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID: 05$C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
API String ID: 0-3125619958
Opcode ID: 73a3ccd6f9e516ad990a33cf1ef76eef21d606e6a1b1d573ce04e8e08fc1af4e
Instruction ID: 2813c753ac2c79966f58be24c6efb29358fb5a25c8153fc0e0156f20d1e64fc2
Opcode Fuzzy Hash: 73a3ccd6f9e516ad990a33cf1ef76eef21d606e6a1b1d573ce04e8e08fc1af4e
Instruction Fuzzy Hash: 3241A3B1A18355AFDB52CF9DD8C4EAEBBF8EF95310B090096E514D7240D7708E40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6E0C2BA8 Relevance: 7.6, APIs: 5, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___scrt_fastfail.LIBCMT ref: 6E0C2BE3
__RTC_Initialize.LIBCMT ref: 6E0C2BFB
___scrt_initialize_default_local_stdio_options.LIBCMT ref: 6E0C2C05
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6E0C2C69

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID: Initialize___scrt_fastfail___scrt_initialize_default_local_stdio_options___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 2705677121-0
Opcode ID: 347d5274eadd6b2d57b8cc9796a70b0d3dd62367157b642916cb09a3905b172b
Instruction ID: 4ef6b96a1efc0fac75a8c3fc985c06801f113649629e3188e46885e0e6849e61
Opcode Fuzzy Hash: 347d5274eadd6b2d57b8cc9796a70b0d3dd62367157b642916cb09a3905b172b
Instruction Fuzzy Hash: 0D110831558A429ADF406BF488587DD37AC4F1AF6CF205895D8882B1C1CF7901498267

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDE1ED Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6DFDE1F6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6DFDE219

Part of subcall function 6DFDB801: RtlAllocateHeap.NTDLL(00000000,6DFC008D,?,?,6DFC008D,00000000), ref: 6DFDB833

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6DFDE23F
_free.LIBCMT ref: 6DFDE252
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6DFDE261

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 16a70dd4bc4897c1a8b5f090a51289a7a7b09e7db6dd9bb70e64f6e23a45c4e9
Instruction ID: cad2d18cd883ed072c9a500650ce959b1bbd871d7ae9fa7bf120f6541758e3e6
Opcode Fuzzy Hash: 16a70dd4bc4897c1a8b5f090a51289a7a7b09e7db6dd9bb70e64f6e23a45c4e9
Instruction Fuzzy Hash: 3501D472E116117BA75259BE5C8CD7BBA7DEEC7AA631A012DFE14C2244DF60CC0181B0

Uniqueness

Uniqueness Score: -1.00%

Function 6E025C30 Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___scrt_fastfail.LIBCMT ref: 6E025C6B
__RTC_Initialize.LIBCMT ref: 6E025C83
___scrt_initialize_default_local_stdio_options.LIBCMT ref: 6E025C8D
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6E025CF1

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Initialize___scrt_fastfail___scrt_initialize_default_local_stdio_options___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 2705677121-0
Opcode ID: e168471fa9339fe9cc3f02cdb481f0efced861337c0f09de2441ae0b5448be46
Instruction ID: a05ca28024805045a10ae59b92b5a659a267a1285d9f5518484e6e6927b2cada
Opcode Fuzzy Hash: e168471fa9339fe9cc3f02cdb481f0efced861337c0f09de2441ae0b5448be46
Instruction Fuzzy Hash: 7E1134395752239EEF202BF4A4147DC33F95F1236CF604839C8946B1CAEF21010496AB

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD8A02 Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___scrt_fastfail.LIBCMT ref: 6DFD8A3D
__RTC_Initialize.LIBCMT ref: 6DFD8A55
___scrt_initialize_default_local_stdio_options.LIBCMT ref: 6DFD8A5F
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6DFD8AC3

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Initialize___scrt_fastfail___scrt_initialize_default_local_stdio_options___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 2705677121-0
Opcode ID: 0f27f63e3844e2e12f21dcfe6691f42d585fe41ce75916b67c84d7770a61edbc
Instruction ID: 51dd03e7262e38803349e3d47019f2f128bef0addc56cc9dc887389592308c1a
Opcode Fuzzy Hash: 0f27f63e3844e2e12f21dcfe6691f42d585fe41ce75916b67c84d7770a61edbc
Instruction Fuzzy Hash: 0111D32154C202B9DB91ABFC94287AD37A56F1335DF1E9409DA442B1C2DF360945C666

Uniqueness

Uniqueness Score: -1.00%

Function 6E0C8F63 Relevance: 6.1, APIs: 4, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6E0C8F6C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E0C8F8F

Part of subcall function 6E0C61B4: RtlAllocateHeap.NTDLL(00000000,?), ref: 6E0C61E6

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6E0C8FB5
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E0C8FD7

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
String ID:
API String ID: 1794362364-0
Opcode ID: 88f26b9ef3f25506898bb3eeece607343043ef95016afb524a9485d850274bd7
Instruction ID: 6f4d23bbff48624cf09a6feb96e90d8e2ebe081ea72e0477c6464bdeff0dd724
Opcode Fuzzy Hash: 88f26b9ef3f25506898bb3eeece607343043ef95016afb524a9485d850274bd7
Instruction Fuzzy Hash: 140188726056157F67211AFA9C4CE7F39AEEFCBEA53110129FD04D3100DB709D0295B6

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDB22C Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6DFDB2BC
_free.LIBCMT ref: 6DFDB2D6
_free.LIBCMT ref: 6DFDB2E1

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 69166b3d5a7997d224b4952a4094d6e6ce5f46efde03abf935ef8688d88b4cca
Instruction ID: f0bd906ac72bb1698c128e913063711afd4771de3d8620f154e7a9455c2e7600
Opcode Fuzzy Hash: 69166b3d5a7997d224b4952a4094d6e6ce5f46efde03abf935ef8688d88b4cca
Instruction Fuzzy Hash: 54218B3390C2466FEB468FAD9854BAD7BB8CF42329F2C499DDD5497145EB318C028250

Uniqueness

Uniqueness Score: -1.00%

Function 6E029CD7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6E029D19

Strings

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe, xrefs: 6E029CDC

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: _free
String ID: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
API String ID: 269201875-399415284
Opcode ID: c074a7e0fbc1deaf16684aff430dee5d328be455dfb68cbd0b6033d1417acc1b
Instruction ID: 49026739177e674149df2aca3600ad4ca539f7de9f940a27b11c6a9e70ad36cf
Opcode Fuzzy Hash: c074a7e0fbc1deaf16684aff430dee5d328be455dfb68cbd0b6033d1417acc1b
Instruction Fuzzy Hash: BFF0A031E002295BDB245AB988907DA73DAAB487A0F910E35F87ADB1C0D671DC1083C0

Uniqueness

Uniqueness Score: -1.00%

Function 6E0282C4 Relevance: 3.1, APIs: 2, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76544ddc70aba0a554aadde67dd8f81a4a8c4fee5dc2fd0a68906fb33e95d13a
Instruction ID: 332c852ac9b358b40db8b51ea5e10c692e287332083c020caf83095d82c1feb5
Opcode Fuzzy Hash: 76544ddc70aba0a554aadde67dd8f81a4a8c4fee5dc2fd0a68906fb33e95d13a
Instruction Fuzzy Hash: C821BD36801618AFEB115BE89C40B9E37ADAF42378F204665F9682B2D0DB706A0586B1

Uniqueness

Uniqueness Score: -1.00%

Function 6E02DCCD Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6E02DD19
GetFileType.KERNELBASE(00000000), ref: 6E02DD2B

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: fdc7360e5e6507e0e4dfdf63e6085c32e01d7faec99dc399a0ee6059ad9bbe84
Instruction ID: 02dc420cfee9ae4d03176e592ea2f01d59107c2104fa63d9206b3b261e0978c1
Opcode Fuzzy Hash: fdc7360e5e6507e0e4dfdf63e6085c32e01d7faec99dc399a0ee6059ad9bbe84
Instruction Fuzzy Hash: 6E11AE71108F438FD7604EBE8894716BAE5AF82270B34077AD0F6865F5C330C8858E41

Uniqueness

Uniqueness Score: -1.00%

Function 6E0C947F Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6E0C94CB
GetFileType.KERNELBASE(00000000), ref: 6E0C94DD

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 2e3b6b513c454bf65af236e71332732076ab102137136821ac81ee05666d21df
Instruction ID: 6d6cad61c32aadad98c4e6aef04e97dcf696d9358ec457f4dbdf90ed68c63779
Opcode Fuzzy Hash: 2e3b6b513c454bf65af236e71332732076ab102137136821ac81ee05666d21df
Instruction Fuzzy Hash: 4811B431104B824ACB704EBE8C98B1EBAE4E747B78BA40759D4BAC65E5C730D4868242

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDD134 Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6DFDD180
GetFileType.KERNELBASE(00000000), ref: 6DFDD192

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 3445f422758d7e33ab8417202919aed904591e969a5f5b297e2c9a9905aa82a0
Instruction ID: cbc035f00cd9a0c89051115b7ecd803a93e422041f6ec29bf0beba33e8e14f82
Opcode Fuzzy Hash: 3445f422758d7e33ab8417202919aed904591e969a5f5b297e2c9a9905aa82a0
Instruction Fuzzy Hash: 5F118472214753B6E7718A3D8C88722BAA5E7D7235B2D0719D5B6C75F5C330D48ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 6E028F18 Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E028F46
_free.LIBCMT ref: 6E028F6C

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9b56b893a8ff77562f198c60f24a20e0273d51341381d3de5add3c90dc1fea07
Instruction ID: c2488a7a8b4a25498200da304dbcdc5b03fa09bead9058617f231ba6b4181def
Opcode Fuzzy Hash: 9b56b893a8ff77562f198c60f24a20e0273d51341381d3de5add3c90dc1fea07
Instruction Fuzzy Hash: D011C875A247125FDBA09AB8DC40B4533E9AB41775F240636F565DB2C0D370D9828A94

Uniqueness

Uniqueness Score: -1.00%

Function 6E0C95B5 Relevance: 3.1, APIs: 2, Instructions: 58COMMON

Download Yara Rule

APIs

sqlite3_thread_cleanup.SQLITE3(?,00000000,00000001,?,?,6E0C60E6,6E0D8670,6E0D86F0,6E0C3265,?,6E0C2BBB,00000000,6E0DC918,00000010,6E0C2B90,?), ref: 6E0C95DE

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID: sqlite3_thread_cleanup
String ID:
API String ID: 1771986828-0
Opcode ID: a85c4a0d798935b0e59c9b7ddfd41f04e1d565a26a3201385392dea50557506c
Instruction ID: 38eafab081fa4b2161fd70684c366c89a76862957870adc1ee94098617384396
Opcode Fuzzy Hash: a85c4a0d798935b0e59c9b7ddfd41f04e1d565a26a3201385392dea50557506c
Instruction Fuzzy Hash: EC012632A046059BCF10DFECC9D479EB3E8EF42B68F90412ADC6957180CB31ED018792

Uniqueness

Uniqueness Score: -1.00%

Function 6E028A20 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E028A56

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d6044c162533052c52eca53967cac3fd3c1813c5613c0573aab43a98d4c505ea
Instruction ID: bb405be8ca4bb7b91b9350532bc49c3dd9d3354d9a7adee5f22a636b416ca39b
Opcode Fuzzy Hash: d6044c162533052c52eca53967cac3fd3c1813c5613c0573aab43a98d4c505ea
Instruction Fuzzy Hash: A2F0623A804118BFEF019AE4DC01BDD77E8DB05379F244576F90866190EF368E10A6A0

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDB1DA Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 6DFDE1ED: GetEnvironmentStringsW.KERNEL32 ref: 6DFDE1F6
Part of subcall function 6DFDE1ED: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6DFDE219
Part of subcall function 6DFDE1ED: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6DFDE23F
Part of subcall function 6DFDE1ED: _free.LIBCMT ref: 6DFDE252
Part of subcall function 6DFDE1ED: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6DFDE261

_free.LIBCMT ref: 6DFDB21A
_free.LIBCMT ref: 6DFDB221

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 400815659-0
Opcode ID: 9ded730f32a0754990b2de12922df911348df87ba3b995cd5c0146267d8695d5
Instruction ID: 37d2d1ef80dc0a8d974322d451d3421a05e8d2501f0f312d985b1e8ffbfebab6
Opcode Fuzzy Hash: 9ded730f32a0754990b2de12922df911348df87ba3b995cd5c0146267d8695d5
Instruction Fuzzy Hash: 8AE0ED23A0D52126F3935E3E3C8072E36354B8277AB1B0B1BEA30CB1C5DF608C024196

Uniqueness

Uniqueness Score: -1.00%

Function 6E02C863 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6E02D166,00000001,00000364,FFFFFFFF,000000FF), ref: 6E02C8A4

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 468e954a94a35f963893e3ca09466339510ddb3675333f48455b8eb1cb196f7f
Instruction ID: c5a2809b5d55049eebb2bcebc3f6ad47a79789bac8388f56e9720221155ec5dc
Opcode Fuzzy Hash: 468e954a94a35f963893e3ca09466339510ddb3675333f48455b8eb1cb196f7f
Instruction Fuzzy Hash: B5F0B431605A366EFB615AF68844B5F37D8EB427A4B12C132EC14EF280DB30D80042E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E0C6642 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6E0C79F0,00000001,00000364,FFFFFFFF,000000FF,?,0AD74ABF,6E0C6960,6E0C61A0,?,?,6E0C5F1E), ref: 6E0C6683

Part of subcall function 6E0C968F: sqlite3_thread_cleanup.SQLITE3(00000000,?,?,?,6E0C6675,?,?,6E0C79F0,00000001,00000364,FFFFFFFF,000000FF,?,0AD74ABF,6E0C6960,6E0C61A0), ref: 6E0C96B0

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID: AllocateHeapsqlite3_thread_cleanup
String ID:
API String ID: 73035715-0
Opcode ID: fa8018a5a6153c95b21a0b720b976d492ec2c58b7a61a8b3130fe0443cd56800
Instruction ID: fdb60076af701302e67813d2ab888168dff3aea4483da68c86a836ec36b6973d
Opcode Fuzzy Hash: fa8018a5a6153c95b21a0b720b976d492ec2c58b7a61a8b3130fe0443cd56800
Instruction Fuzzy Hash: C3F0B4716605275AEB714AE6A824BBF379C9B42FE8B114211E818DB0C4CB30D80086A7

Uniqueness

Uniqueness Score: -1.00%

Function 6E02AF24 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E02AF65

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8f0ae0e57bb7f4a376b0506f89eb476029073ba0837fc6fb3eec4c3d4557224f
Instruction ID: 7150cfc90ffaefad2a459ca82ba8235324833b7c8e8d87e68daccfe3832bd6f6
Opcode Fuzzy Hash: 8f0ae0e57bb7f4a376b0506f89eb476029073ba0837fc6fb3eec4c3d4557224f
Instruction Fuzzy Hash: 78F01736914109BFDF015EE59C01ADE7BBDEF89364F200666FA14A2060DA36DA209BA4

Uniqueness

Uniqueness Score: -1.00%

Function 6E0C61B4 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 6E0C61E6

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 80eedaa09c9e9fc478b327967544dff01a2ce1387e332c3bd4d4e40f550969f7
Instruction ID: dd9c53472c6006d79a3c407c8de29bb7ac8badc3dd6c36e0a8546b305e2387b5
Opcode Fuzzy Hash: 80eedaa09c9e9fc478b327967544dff01a2ce1387e332c3bd4d4e40f550969f7
Instruction Fuzzy Hash: DDE065316646325AE6721AE66C24BBE36CD9B42FE6F594231DC1D961C5CF70CC0182A7

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDB801 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,6DFC008D,?,?,6DFC008D,00000000), ref: 6DFDB833

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3636194ab3353067fa73991f857a6fb8c50e6e2925dacf81fa20d30d825b77b9
Instruction ID: 85f754cea8225955a9f7a03dbc623d4b49e2012ac719df096998dd1bf1c85a83
Opcode Fuzzy Hash: 3636194ab3353067fa73991f857a6fb8c50e6e2925dacf81fa20d30d825b77b9
Instruction Fuzzy Hash: E0E0652255512266E7926F6DDC04B7A76789F426A0F3E8921ED54D6180DB60C84286E1

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDB8A9 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e697b9d5686d98e55c7298bb87e2296db35c820cd46439d227557e518945784b
Instruction ID: b3719760797a115571460ebe49556153b47c129409edbf3207d1ab9d278fc7ad
Opcode Fuzzy Hash: e697b9d5686d98e55c7298bb87e2296db35c820cd46439d227557e518945784b
Instruction Fuzzy Hash: 63E0C231A0562633DBA12E2F8808B6F3B7CAF02E91B2E8414ED14A7180CB21EC0186E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E02AC4B Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,6E02B01E,?,?,00000000,?,6E02B01E,00000000,0000000C), ref: 6E02AC68

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2b0258c3c67cfd82310edf2ff530750b67976916abb836c1126876b23fc0af59
Instruction ID: 5fcd803eeca4206aadeae57192ceae1f3906ed23c18f5ca0be2e53a1f3465a59
Opcode Fuzzy Hash: 2b0258c3c67cfd82310edf2ff530750b67976916abb836c1126876b23fc0af59
Instruction Fuzzy Hash: 80D06C3200020DBBDF128E84DD06EDA3BAAFB48714F014100BA1856020C732E821EB90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E021180 Relevance: 52.8, APIs: 20, Strings: 10, Instructions: 345
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E6E021180() {
				void* _t150;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr _t154;
				signed int _t155;
				signed int _t156;
				intOrPtr _t157;
				signed int _t158;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				unsigned int _t162;
				unsigned int _t163;
				unsigned int _t164;
				intOrPtr _t184;
				void* _t186;
				signed int _t191;
				intOrPtr* _t192;
				intOrPtr _t193;
				intOrPtr* _t195;
				intOrPtr* _t196;
				signed int _t198;
				signed int* _t202;
				unsigned int _t215;
				unsigned int _t216;
				unsigned int _t217;
				signed int _t218;
				void* _t236;
				signed int _t237;
				unsigned int _t238;
				void* _t240;
				void* _t241;
				void* _t242;
				signed int _t243;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				unsigned int _t248;
				intOrPtr _t249;
				signed int _t250;
				signed int _t252;
				unsigned int _t253;
				void* _t254;
				char* _t255;
				void* _t256;
				void* _t257;
				intOrPtr _t258;
				void* _t259;
				void* _t260;
				void* _t262;
				void* _t263;
				void* _t264;

				_t191 = 0;
				_push(_t259 + 0xc);
				 *((intOrPtr*)(_t259 + 0x14)) = 0;
				_push(_t259 + 0x20);
				 *((intOrPtr*)(_t259 + 0x1c)) = 0;
				_push(_t259 + 0x1c);
				_t150 = _t259 + 0x24;
				 *((intOrPtr*)(_t259 + 0x24)) = 0;
				_push(_t150);
				_push( *((intOrPtr*)(_t259 + 0x54)));
				_t250 = 0;
				 *((intOrPtr*)(_t259 + 0x30)) = 0;
				 *((intOrPtr*)(_t259 + 0x34)) = 0;
				_t258 = 0;
				 *((intOrPtr*)(_t259 + 0x20)) = 0;
				L6E025BB4();
				_t260 = _t259 + 0x14;
				if(_t150 != 0) {
					return _t150;
				}
				_t192 =  *((intOrPtr*)(_t260 + 0x14));
				_push(_t243);
				_t244 = _t243 | 0xffffffff;
				if(_t192 == 0) {
					L31:
					_t151 =  *((intOrPtr*)(_t260 + 0x1c));
					if(_t151 != 0) {
						_push(_t151);
						L6E025A9A();
						_t260 = _t260 + 4;
					}
					_t152 =  *((intOrPtr*)(_t260 + 0x20));
					if(_t152 != 0) {
						_push(_t152);
						L6E025A9A();
						_t260 = _t260 + 4;
					}
					if(_t258 != 0) {
						_push(_t258);
						L6E025A9A();
						_t260 = _t260 + 4;
					}
					_t193 =  *((intOrPtr*)(_t260 + 0x10));
					if(_t193 != 0) {
						_push(_t193);
						L6E025A9A();
					}
					return _t244;
				}
				_t236 = _t192 + 1;
				do {
					_t154 =  *_t192;
					_t192 = _t192 + 1;
				} while (_t154 != 0);
				_t246 = _t192 - _t236 & 0x0000ffff;
				_t195 =  *((intOrPtr*)(_t260 + 0x1c));
				 *(_t260 + 0x2c) = _t246;
				if(_t195 == 0) {
					L8:
					_t196 =  *((intOrPtr*)(_t260 + 0x20));
					if(_t196 == 0) {
						L12:
						_push( *((intOrPtr*)(_t260 + 0x10)));
						_push("slotParams");
						L6E025B8A();
						 *((intOrPtr*)(_t260 + 0x30)) = _t154;
						_push(_t260 + 0x1c);
						_push(_t154);
						_push(0);
						L6E025BA8();
						_t258 = _t154;
						_t262 = _t260 + 0x14;
						_t155 =  *(_t262 + 0x28);
						if(_t155 != 0) {
							_push(_t155);
							L6E025A9A();
							_t262 = _t262 + 4;
						}
						_t198 =  *(_t262 + 0x14);
						if(_t198 == 0 || _t258 != 0) {
							_t237 = _t246 & 0x0000ffff;
							_t156 = _t250 & 0x0000ffff;
							_t247 = _t191 & 0x0000ffff;
							 *(_t262 + 0x30) = _t237;
							 *(_t262 + 0x34) = _t247;
							_t252 = _t237 + 0x28 + (_t198 << 5) + _t156 + _t247;
							 *(_t262 + 0x28) = _t156;
							_push(_t252);
							L6E025A94();
							_t202 =  *(_t262 + 0x48);
							_t246 = _t156;
							_t260 = _t262 + 4;
							 *_t202 = _t246;
							_t202[1] = _t252;
							if(_t246 == 0) {
								goto L28;
							}
							 *_t246 = 0x600;
							_push( *((intOrPtr*)(_t260 + 0x10)));
							_push("internal");
							_push("flags");
							L6E025B90();
							_t158 = _t156 & 0xffffff00 | _t156 != 0x00000000;
							 *(_t246 + 6) = _t158;
							_push( *((intOrPtr*)(_t260 + 0x1c)));
							_push("FIPS");
							_push("flags");
							L6E025B90();
							_t159 = _t158 & 0xffffff00 | _t158 != 0x00000000;
							 *(_t246 + 7) = _t159;
							_push( *((intOrPtr*)(_t260 + 0x28)));
							_push("isModuleDB");
							_push("flags");
							L6E025B90();
							_t160 = _t159 & 0xffffff00 | _t159 != 0x00000000;
							 *(_t246 + 0x19) = _t160;
							_push( *((intOrPtr*)(_t260 + 0x34)));
							_push("isModuleDBOnly");
							_push("flags");
							L6E025B90();
							_t161 = _t160 & 0xffffff00 | _t160 != 0x00000000;
							 *(_t246 + 0x1a) = _t161;
							_push( *((intOrPtr*)(_t260 + 0x40)));
							_push("critical");
							_push("flags");
							L6E025B90();
							_push(0);
							_t162 = _t161 & 0xffffff00 | _t161 != 0x00000000;
							_push(0x32);
							 *(_t246 + 0x1b) = _t162;
							_push( *((intOrPtr*)(_t260 + 0x54)));
							_push("trustOrder");
							L6E025B96();
							_t263 = _t260 + 0x4c;
							 *(_t246 + 0x13) = _t162;
							 *((char*)(_t246 + 0x12)) = _t162 >> 8;
							_push(0);
							_t163 = _t162 >> 0x18;
							_push(0);
							 *((char*)(_t246 + 0x11)) = _t162 >> 0x10;
							 *(_t246 + 0x10) = _t163;
							_push( *((intOrPtr*)(_t263 + 0x18)));
							_push("cipherOrder");
							L6E025B96();
							 *(_t246 + 0x17) = _t163;
							 *((char*)(_t246 + 0x16)) = _t163 >> 8;
							_t164 = _t163 >> 0x18;
							 *((char*)(_t246 + 0x15)) = _t163 >> 0x10;
							 *(_t246 + 0x14) = _t164;
							_push( *((intOrPtr*)(_t263 + 0x20)));
							_push("ciphers");
							L6E025B8A();
							_t253 = _t164;
							_push(_t253);
							_push(_t263 + 0x50);
							L6E025BC0();
							_t264 = _t263 + 0x20;
							 *((char*)(_t246 + 0xb)) =  *(_t263 + 0x58) & 0x000000ff;
							 *((char*)(_t246 + 0xa)) =  *(_t264 + 0x39) & 0x000000ff;
							 *((char*)(_t246 + 9)) =  *(_t264 + 0x3a) & 0x000000ff;
							 *((char*)(_t246 + 8)) =  *(_t264 + 0x3b) & 0x000000ff;
							 *((char*)(_t246 + 0xf)) =  *(_t264 + 0x3c) & 0x000000ff;
							 *((char*)(_t246 + 0xe)) =  *(_t264 + 0x3d) & 0x000000ff;
							 *((char*)(_t246 + 0xd)) =  *(_t264 + 0x3e) & 0x000000ff;
							 *((char*)(_t246 + 0xc)) =  *(_t264 + 0x3f) & 0x000000ff;
							if(_t253 != 0) {
								_push(_t253);
								L6E025A9A();
								_t264 = _t264 + 4;
							}
							_t238 =  *(_t264 + 0x2c);
							_t80 = _t246 + 0x22; // 0x22
							_t254 = _t80;
							 *((short*)(_t246 + 2)) = 0x2000;
							_t215 = _t238 + _t191 +  *((intOrPtr*)(_t264 + 0x24)) + 0x00000026 & 0x0000ffff;
							 *(_t246 + 5) = _t215;
							_t216 = _t215 + _t246;
							 *((char*)(_t246 + 4)) = _t215 >> 8;
							 *(_t264 + 0x2c) = _t216;
							 *((char*)(_t216 + 1)) =  *(_t264 + 0x14);
							 *_t216 =  *(_t264 + 0x14) >> 8;
							 *(_t246 + 0x21) = _t238;
							 *((char*)(_t246 + 0x20)) = _t238 >> 8;
							_t248 =  *(_t264 + 0x30);
							E6E0267A0(_t254,  *((intOrPtr*)(_t264 + 0x1c)), _t248);
							_t217 =  *(_t264 + 0x30);
							_t255 = _t254 + _t248;
							_t249 =  *((intOrPtr*)(_t264 + 0x34));
							_t260 = _t264 + 0xc;
							 *(_t255 + 1) = _t217;
							 *_t255 = _t217 >> 8;
							_t256 = _t255 + 2;
							if(_t217 != 0) {
								E6E0267A0(_t256,  *((intOrPtr*)(_t260 + 0x20)), _t249);
								_t260 = _t260 + 0xc;
							}
							 *(_t256 + _t249 + 1) = _t191;
							 *((char*)(_t256 + _t249)) = _t191 >> 8;
							if(_t191 != 0) {
								_t102 = _t256 + 2; // 0x22
								E6E0267A0(_t102 + _t249,  *(_t260 + 0x24),  *((intOrPtr*)(_t260 + 0x34)));
								_t260 = _t260 + 0xc;
							}
							_t184 =  *((intOrPtr*)(_t260 + 0x14));
							if(_t184 == 0) {
								L27:
								_t244 = 0;
								goto L29;
							} else {
								_t257 = 0;
								if(_t184 <= 0) {
									goto L27;
								}
								_t106 = _t258 + 2; // 0x2
								_t240 = _t106;
								_t186 =  *(_t260 + 0x2c) + 4;
								do {
									_t218 =  *(_t240 - 2) & 0x000000ff;
									_t240 = _t240 + 0x24;
									 *(_t186 + 1) = _t218;
									_t186 = _t186 + 0x20;
									_t257 = _t257 + 1;
									 *((char*)(_t186 - 0x20)) =  *(_t240 - 0x25) & 0x000000ff;
									 *((char*)(_t186 - 0x21)) =  *(_t240 - 0x24) & 0x000000ff;
									 *((char*)(_t186 - 0x22)) =  *(_t240 - 0x23) & 0x000000ff;
									 *((char*)(_t186 - 0x1b)) =  *(_t240 - 0x22) & 0x000000ff;
									 *((char*)(_t186 - 0x1c)) =  *(_t240 - 0x21) & 0x000000ff;
									 *((char*)(_t186 - 0x1d)) =  *(_t240 - 0x20) & 0x000000ff;
									 *((char*)(_t186 - 0x1e)) =  *(_t240 - 0x1f) & 0x000000ff;
									 *((char*)(_t186 - 0x17)) =  *(_t240 - 0x1a) & 0x000000ff;
									 *((char*)(_t186 - 0x18)) =  *(_t240 - 0x1a) >> 8;
									 *((char*)(_t186 - 0x19)) =  *(_t240 - 0x18) & 0x000000ff;
									 *((char*)(_t186 - 0x1a)) =  *(_t240 - 0x17) & 0x000000ff;
									 *((char*)(_t186 - 0x16)) =  *(_t240 - 0x1e) & 0x000000ff;
									 *((char*)(_t186 - 0x15)) =  *(_t240 - 0x16) & 0x000000ff;
									 *((intOrPtr*)(_t186 - 0x14)) = 0;
									 *((intOrPtr*)(_t186 - 0x10)) = 0;
									 *((intOrPtr*)(_t186 - 0xc)) = 0;
									 *((intOrPtr*)(_t186 - 8)) = 0;
									 *((short*)(_t186 - 4)) = 0;
								} while (_t257 <  *((intOrPtr*)(_t260 + 0x14)));
								goto L27;
							}
						} else {
							L28:
							_t244 = _t246 | 0xffffffff;
							L29:
							_t157 =  *((intOrPtr*)(_t260 + 0x18));
							if(_t157 != 0) {
								_push(_t157);
								L6E025A9A();
								_t260 = _t260 + 4;
							}
							goto L31;
						}
					}
					_t241 = _t196 + 1;
					do {
						_t154 =  *_t196;
						_t196 = _t196 + 1;
					} while (_t154 != 0);
					_t191 = _t196 - _t241 & 0x0000ffff;
					goto L12;
				}
				_t242 = _t195 + 1;
				do {
					_t154 =  *_t195;
					_t195 = _t195 + 1;
				} while (_t154 != 0);
				_t250 = _t195 - _t242 & 0x0000ffff;
				 *(_t260 + 0x24) = _t250;
				goto L8;
			}

0x6e02118a
0x6e02118c
0x6e021191
0x6e021195
0x6e02119a
0x6e02119e
0x6e02119f
0x6e0211a3
0x6e0211a7
0x6e0211a8
0x6e0211ac
0x6e0211ae
0x6e0211b2
0x6e0211b6
0x6e0211b8
0x6e0211bc
0x6e0211c1
0x6e0211c6
0x6e0215b8
0x6e0215b8
0x6e0211cc
0x6e0211d0
0x6e0211d1
0x6e0211d6
0x6e02156f
0x6e02156f
0x6e021575
0x6e021577
0x6e021578
0x6e02157d
0x6e02157d
0x6e021580
0x6e021586
0x6e021588
0x6e021589
0x6e02158e
0x6e02158e
0x6e021593
0x6e021595
0x6e021596
0x6e02159b
0x6e02159b
0x6e02159e
0x6e0215a4
0x6e0215a6
0x6e0215a7
0x6e0215ac
0x00000000
0x6e0215b1
0x6e0211dc
0x6e0211e0
0x6e0211e0
0x6e0211e2
0x6e0211e3
0x6e0211e9
0x6e0211ec
0x6e0211f0
0x6e0211f6
0x6e021210
0x6e021210
0x6e021216
0x6e02122c
0x6e02122c
0x6e021230
0x6e021235
0x6e02123e
0x6e021242
0x6e021243
0x6e021244
0x6e021246
0x6e02124b
0x6e02124d
0x6e021250
0x6e021256
0x6e021258
0x6e021259
0x6e02125e
0x6e02125e
0x6e021261
0x6e021267
0x6e021271
0x6e021274
0x6e02127a
0x6e021281
0x6e021288
0x6e02128c
0x6e02128e
0x6e021292
0x6e021293
0x6e021298
0x6e02129c
0x6e02129e
0x6e0212a1
0x6e0212a3
0x6e0212a8
0x00000000
0x00000000
0x6e0212ae
0x6e0212b3
0x6e0212b7
0x6e0212bc
0x6e0212c1
0x6e0212c8
0x6e0212cb
0x6e0212ce
0x6e0212d2
0x6e0212d7
0x6e0212dc
0x6e0212e3
0x6e0212e6
0x6e0212e9
0x6e0212ed
0x6e0212f2
0x6e0212f7
0x6e0212fe
0x6e021301
0x6e021304
0x6e021308
0x6e02130d
0x6e021312
0x6e021319
0x6e02131c
0x6e02131f
0x6e021323
0x6e021328
0x6e02132d
0x6e021334
0x6e021336
0x6e021339
0x6e02133b
0x6e02133e
0x6e021342
0x6e021347
0x6e02134c
0x6e02134f
0x6e021357
0x6e02135c
0x6e021361
0x6e021364
0x6e021366
0x6e021369
0x6e02136c
0x6e021370
0x6e021375
0x6e02137c
0x6e021382
0x6e02138a
0x6e02138d
0x6e021390
0x6e021393
0x6e021397
0x6e02139c
0x6e0213a1
0x6e0213a7
0x6e0213a8
0x6e0213a9
0x6e0213b3
0x6e0213b6
0x6e0213be
0x6e0213c6
0x6e0213ce
0x6e0213d6
0x6e0213de
0x6e0213e6
0x6e0213ee
0x6e0213f3
0x6e0213f5
0x6e0213f6
0x6e0213fb
0x6e0213fb
0x6e0213fe
0x6e021402
0x6e021402
0x6e02140c
0x6e021417
0x6e02141a
0x6e021422
0x6e021424
0x6e02142b
0x6e02142f
0x6e021439
0x6e02143b
0x6e021441
0x6e021444
0x6e02144e
0x6e021453
0x6e021457
0x6e021459
0x6e021462
0x6e021465
0x6e021468
0x6e02146a
0x6e021470
0x6e021478
0x6e02147d
0x6e02147d
0x6e021482
0x6e021489
0x6e02148f
0x6e021495
0x6e02149f
0x6e0214a4
0x6e0214a4
0x6e0214a7
0x6e0214ad
0x6e021557
0x6e021557
0x00000000
0x6e0214b3
0x6e0214b3
0x6e0214b7
0x00000000
0x00000000
0x6e0214c1
0x6e0214c1
0x6e0214c4
0x6e0214d0
0x6e0214d0
0x6e0214d4
0x6e0214d7
0x6e0214da
0x6e0214e1
0x6e0214e2
0x6e0214e9
0x6e0214f0
0x6e0214f7
0x6e0214fe
0x6e021505
0x6e02150c
0x6e021513
0x6e02151c
0x6e021523
0x6e02152a
0x6e021531
0x6e021538
0x6e02153d
0x6e021540
0x6e021543
0x6e021546
0x6e021549
0x6e02154d
0x00000000
0x6e0214d0
0x6e02155b
0x6e02155b
0x6e02155b
0x6e02155e
0x6e02155e
0x6e021564
0x6e021566
0x6e021567
0x6e02156c
0x6e02156c
0x00000000
0x6e021564
0x6e021267
0x6e021218
0x6e021220
0x6e021220
0x6e021222
0x6e021223
0x6e021229
0x00000000
0x6e021229
0x6e0211f8
0x6e021200
0x6e021200
0x6e021202
0x6e021203
0x6e021209
0x6e02120c
0x00000000

APIs

NSSUTIL_ArgParseModuleSpec.NSSUTIL3(?,?,?,?,00000000,00000000,?,?), ref: 6E0211BC
NSSUTIL_ArgGetParamValue.NSSUTIL3(slotParams,?,00000000,?,?,00000000,?,?), ref: 6E021235
NSSUTIL_ArgParseSlotInfo.NSSUTIL3(00000000,00000000,?,slotParams,?,00000000,?,?,00000000,?,?), ref: 6E021246
PORT_Free_Util.NSSUTIL3(?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 6E021259
PORT_ZAlloc_Util.NSSUTIL3(?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 6E021293
NSSUTIL_ArgHasFlag.NSSUTIL3(flags,internal,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 6E0212C1
NSSUTIL_ArgHasFlag.NSSUTIL3(flags,FIPS,?,flags,internal,?,?,?,?,?,?,00000000,?,?,00000000), ref: 6E0212DC
NSSUTIL_ArgHasFlag.NSSUTIL3(flags,isModuleDB,?,flags,FIPS,?,flags,internal,?,?,?,?,?,?,00000000), ref: 6E0212F7
NSSUTIL_ArgHasFlag.NSSUTIL3(flags,isModuleDBOnly,?,flags,isModuleDB,?,flags,FIPS,?,flags,internal,?), ref: 6E021312
PORT_Free_Util.NSSUTIL3(?,00000000,?,?,00000000,?,?), ref: 6E021578
PORT_Free_Util.NSSUTIL3(?,00000000,?,?,00000000,?,?), ref: 6E021589
PORT_Free_Util.NSSUTIL3(00000000,00000000,?,?,00000000,?,?), ref: 6E021596
PORT_Free_Util.NSSUTIL3(?,00000000,?,?,00000000,?,?), ref: 6E0215A7

Strings

trustOrder, xrefs: 6E021342
isModuleDB, xrefs: 6E0212ED
cipherOrder, xrefs: 6E021370
isModuleDBOnly, xrefs: 6E021308
ciphers, xrefs: 6E021397
slotParams, xrefs: 6E021230
FIPS, xrefs: 6E0212D2
internal, xrefs: 6E0212B7
critical, xrefs: 6E021323
flags, xrefs: 6E0212BC, 6E0212D7, 6E0212F2, 6E02130D, 6E021328

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Free_$Flag$Parse$Alloc_InfoModuleParamSlotSpecValue
String ID: FIPS$cipherOrder$ciphers$critical$flags$internal$isModuleDB$isModuleDBOnly$slotParams$trustOrder
API String ID: 1384561460-1596463532
Opcode ID: 4f4e84d138fd8ee145dac135352376f34d1d8bc2521255be92b91d99fb49b3d6
Instruction ID: 9e9f0443feb4ec73ab793cd4427ccb9b07547ebb587afd296648645190b7c08f
Opcode Fuzzy Hash: 4f4e84d138fd8ee145dac135352376f34d1d8bc2521255be92b91d99fb49b3d6
Instruction Fuzzy Hash: 86D105755093D29FC705CFA9885067EFFE5AE95204F084AAEF8D58B342D321D618CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB8E20 Relevance: 15.3, APIs: 10, Instructions: 282COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE004,?), ref: 6DFB8E8A
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFB8EB8

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID:
API String ID: 1971245937-0
Opcode ID: d578b5897db20364cca547063342ece3bb3f25d7f32b511af1c63e204c1ae49a
Instruction ID: 6afe0808c5557b5cd78ef95ace4b2d5932eedf0af3695b9c9ab844d1e8558270
Opcode Fuzzy Hash: d578b5897db20364cca547063342ece3bb3f25d7f32b511af1c63e204c1ae49a
Instruction Fuzzy Hash: 6091DF7550C2429FD711CF2DDC81AABBBE4AF99344F08062DE5D987201EB36E909CB93

Uniqueness

Uniqueness Score: -1.00%

Function 6E070C10 Relevance: 11.9, Strings: 9, Instructions: 622COMMON

Download Yara Rule

Strings

old, xrefs: 6E070F50
ambiguous column name, xrefs: 6E0711A8
new, xrefs: 6E070F2C
no such column, xrefs: 6E0711CE, 6E0711DE, 6E0711F7, 6E07120B
%s: %s.%s, xrefs: 6E0711F8
ROWID, xrefs: 6E07135D, 6E071363
misuse of aliased aggregate %s, xrefs: 6E071153
%s: %s, xrefs: 6E07120C
%s: %s.%s.%s, xrefs: 6E0711DF

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID:
String ID: %s: %s$%s: %s.%s$%s: %s.%s.%s$ROWID$ambiguous column name$misuse of aliased aggregate %s$new$no such column$old
API String ID: 0-2960191893
Opcode ID: 5b44f393fb375284375671bab3ce09434ab0386ff7432b3ca07b03845a6714ce
Instruction ID: f09ad592d301c46a0a5d4ffb0e1c5c82f29bb257e85abf35ad515e2e2c25bb25
Opcode Fuzzy Hash: 5b44f393fb375284375671bab3ce09434ab0386ff7432b3ca07b03845a6714ce
Instruction Fuzzy Hash: CA32BE716083428FDB20CF98C49075BB7E5BF88744F054A2DECA49B295E372EC59CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6E0AFC00 Relevance: 8.7, APIs: 1, Strings: 3, Instructions: 1739COMMON

Download Yara Rule

Strings

, xrefs: 6E0B0E83
CA@B, xrefs: 6E0B0090
Expression tree is too large (maximum depth %d), xrefs: 6E0B0A93

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID:
String ID: $CA@B$Expression tree is too large (maximum depth %d)
API String ID: 0-3131409723
Opcode ID: f41522afeb7b08a3ca9bbfb82259e1cc15641e86ffc701755c6f8c8346a43c60
Instruction ID: bd9b626ce083f7af0ffa82c3dd1387e2760a986dcfd0db67cc31970b284fae53
Opcode Fuzzy Hash: f41522afeb7b08a3ca9bbfb82259e1cc15641e86ffc701755c6f8c8346a43c60
Instruction Fuzzy Hash: 17E289705083419FD750CF98C980B6BBBE8BF89344F44495CF9999B392E776E841CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E08CC30 Relevance: 8.7, APIs: 1, Strings: 3, Instructions: 1733COMMON

Download Yara Rule

APIs

sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,6E0915E7,?,?), ref: 6E08CF5E

Strings

%s.%s, xrefs: 6E08CD74, 6E08D47E
O, xrefs: 6E08DF13
%s.rowid, xrefs: 6E08D49D

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID: sqlite3_free
String ID: %s.%s$%s.rowid$O
API String ID: 2313487548-12142180
Opcode ID: d146d6ad13c484d373c745e7d33f4ea710067da855860c5a22f99b4e3bebed8a
Instruction ID: f3a246567788fdb416aa156cf45e73bd541a456a121ab15613109d7aa1dea72a
Opcode Fuzzy Hash: d146d6ad13c484d373c745e7d33f4ea710067da855860c5a22f99b4e3bebed8a
Instruction Fuzzy Hash: 7CF288706087019FDB24DF58C890B6BBBE8BF49344F014A5EE9948B392E775E851CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6E031A8B Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,6E0379A4), ref: 6E031AF5
WideCharToMultiByte.KERNEL32(00000000,00000000,6E03E3DC,000000FF,00000000,0000003F,00000000,?,?), ref: 6E031B6D
WideCharToMultiByte.KERNEL32(00000000,00000000,6E03E430,000000FF,?,0000003F,00000000,?), ref: 6E031B9A
_free.LIBCMT ref: 6E031AE3

Part of subcall function 6E02C4BF: HeapFree.KERNEL32(00000000,00000000,?,6E03109E,?,00000000,?,00000000,?,6E0310C5,?,00000007,?,?,6E030D6A,?), ref: 6E02C4D5
Part of subcall function 6E02C4BF: GetLastError.KERNEL32(?,?,6E03109E,?,00000000,?,00000000,?,6E0310C5,?,00000007,?,?,6E030D6A,?,?), ref: 6E02C4E7

_free.LIBCMT ref: 6E031CAF

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 2e733462e22ff3457fc673ccfbf79606ace3d59be1e63672d22f804a8b3451b8
Instruction ID: 004587c3afe8ed6abf682ec3709e84b9957551d43c587413af12777481749d2d
Opcode Fuzzy Hash: 2e733462e22ff3457fc673ccfbf79606ace3d59be1e63672d22f804a8b3451b8
Instruction Fuzzy Hash: 2551867190422BAFDB10DFE98C80BAEB7FCEF4A754B2046AAD45497290E7319E458B50

Uniqueness

Uniqueness Score: -1.00%

Function 6E0161C0 Relevance: 6.4, APIs: 4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7945285a1f5fb37100998fa2535f2d3e85cebfae24d60402fe301f04d45ba161
Instruction ID: 4d43880dc0e80914620d4ef38c9dff454f30afc4151332c806c6396657e5e7c4
Opcode Fuzzy Hash: 7945285a1f5fb37100998fa2535f2d3e85cebfae24d60402fe301f04d45ba161
Instruction Fuzzy Hash: CAD105B6A283124FD750CBE4EC8079AB7E8BF88399F440979E849DF201E735D944C792

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA60D0 Relevance: 6.3, APIs: 4, Instructions: 251COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE005,00000010,00000010,00000010,00000001,6DFA5F26,?,?,?,00000010,00000001,00000010,00000000,?,?,6DFE5C50), ref: 6DFA6113
PORT_SetError_Util.NSSUTIL3(FFFFE005,?,00000010,00000010,00000010,00000001,6DFA5F26,?,?,?,00000010,00000001,00000010,00000000,?,?), ref: 6DFA6131
PORT_SetError_Util.NSSUTIL3(FFFFE001,?,00000010,00000010,00000010,00000001,6DFA5F26,?,?,?,00000010,00000001,00000010,00000000), ref: 6DFA6286
PORT_SetError_Util.NSSUTIL3(FFFFE005,00000010,00000010,00000001,6DFA5F26,?,?,?,00000010,00000001,00000010,00000000,?,?,6DFE5C50,6DFA5D69), ref: 6DFA6433

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID:
API String ID: 1971245937-0
Opcode ID: 4e6ed31bf5cae05d9a8dfc2e37321a286bfec205a07317cccfb96a14a0bfa1c5
Instruction ID: 0ef4068fab7bb1903a385f7d8a536578a2e5aa42070414e174a6322b4e84a831
Opcode Fuzzy Hash: 4e6ed31bf5cae05d9a8dfc2e37321a286bfec205a07317cccfb96a14a0bfa1c5
Instruction Fuzzy Hash: 239127B591DA42CBEB01CF2DA88073ABBE0FB87311F1D462AFD6587245D332956187D2

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD8F8E Relevance: 6.0, APIs: 4, Instructions: 26timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 6DFD8FA0
GetCurrentThreadId.KERNEL32 ref: 6DFD8FAF
GetCurrentProcessId.KERNEL32 ref: 6DFD8FB8
QueryPerformanceCounter.KERNEL32(?), ref: 6DFD8FC5

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: e8c7cc3c6ceeb3a65d8f4eb9e1f96b6ca377a6ddefe87970ff14ebc36c000028
Instruction ID: 565feb9cdd26774dad47a7849ed48347fc69198e149424810b0be59286701a30
Opcode Fuzzy Hash: e8c7cc3c6ceeb3a65d8f4eb9e1f96b6ca377a6ddefe87970ff14ebc36c000028
Instruction Fuzzy Hash: 48F04D71C20209EBCF00DBB4C54DB9EBBF8EF19316F524499A506E7110E734AB049B51

Uniqueness

Uniqueness Score: -1.00%

Function 6DF9AD80 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 392COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE003), ref: 6DF9AD91
PORT_SetError_Util.NSSUTIL3(FFFFE003), ref: 6DF9AF34

Strings

, xrefs: 6DF9AFDC

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID:
API String ID: 1971245937-3916222277
Opcode ID: f10f18d3aaebae06be63dffc389ac8e191595d56a1a15c8e173744a6c2c144de
Instruction ID: bec17220ad688424be1c9e08ddaae382571c4b1bf8729165effa545ebba35056
Opcode Fuzzy Hash: f10f18d3aaebae06be63dffc389ac8e191595d56a1a15c8e173744a6c2c144de
Instruction Fuzzy Hash: 69E1B77580C3D18BD316CF2D80A017ABFE1AFDB214F95099DF8D61B742C275A90ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E023E60 Relevance: 5.3, Strings: 4, Instructions: 310COMMON

Download Yara Rule

Strings

TMP, xrefs: 6E023EAB
TMPDIR, xrefs: 6E023EC3
TEMP, xrefs: 6E023ED6
/_hashXXXXXX, xrefs: 6E023F35

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID:
String ID: /_hashXXXXXX$TEMP$TMP$TMPDIR
API String ID: 0-1198602212
Opcode ID: 37d7130aabd8e6c1c70ad9b20b6309830d86ebc323a3d2619544270d3431e5b2
Instruction ID: 75f340febe6d9fbf109b3b55d0d9cd398d8a11f022c61bea57733d6b7e797bf7
Opcode Fuzzy Hash: 37d7130aabd8e6c1c70ad9b20b6309830d86ebc323a3d2619544270d3431e5b2
Instruction Fuzzy Hash: DEB19B31A082469FC750CEA888403DEB7E5AF95344F448A7CEC58AF386D335D94BC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6E02D2FB Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6E02D3F3
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6E02D3FD
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6E02D40A

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f5d076279bbd268c8b216993447347b871b03ed8753f6eaccfffd4cff812ee1e
Instruction ID: 6e01a406a1b892a401992e2080cabdb1843354b02e0c8d6792a9166b54559d6e
Opcode Fuzzy Hash: f5d076279bbd268c8b216993447347b871b03ed8753f6eaccfffd4cff812ee1e
Instruction Fuzzy Hash: FD31B275D1122DABCB61DFA4D888BCCBBF8AF08310F5045EAE81CA7250E7709B858F45

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDB940 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6DFDBA38
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6DFDBA42
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6DFDBA4F

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 48aebf7c03c7e740a71c3bee486cb6b5b9c5464a2e0c0bb42e4e325b121be69f
Instruction ID: b3346653303edd8eda357da31ccac6e9df5891ccd89022737d4e1cb02f394cc8
Opcode Fuzzy Hash: 48aebf7c03c7e740a71c3bee486cb6b5b9c5464a2e0c0bb42e4e325b121be69f
Instruction Fuzzy Hash: 1131E77590122DABCB61DF68D8887DCBBB8BF08310F5142DAE91CA7250EB709F858F45

Uniqueness

Uniqueness Score: -1.00%

Function 6E029903 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6E029902,000004D2,00000001,?,000004D2,?,6E02C36B), ref: 6E029925
TerminateProcess.KERNEL32(00000000,?,6E029902,000004D2,00000001,?,000004D2,?,6E02C36B), ref: 6E02992C
ExitProcess.KERNEL32 ref: 6E02993E

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dcf75296ca8646be5a22e00b504d8dbacadfb058690a4ef2f3c0ee8ccd3e962e
Instruction ID: b7c0e9f7b44700d56be365aa965ce2a6f03e6cfb881e9c868430e0b9a0715809
Opcode Fuzzy Hash: dcf75296ca8646be5a22e00b504d8dbacadfb058690a4ef2f3c0ee8ccd3e962e
Instruction Fuzzy Hash: 79E0B635050649AFCF116FA8C918A8D3BADFB4A2A1F904824F8458A131CB75E982DA90

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDADAB Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000002,?,6DFDADAA,00000003,6DFDA814,00000002,00000003,00000002,00000000), ref: 6DFDADCD
TerminateProcess.KERNEL32(00000000,?,6DFDADAA,00000003,6DFDA814,00000002,00000003,00000002,00000000), ref: 6DFDADD4
ExitProcess.KERNEL32 ref: 6DFDADE6

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 06320e529ce10d99f752f6cdac0e95385f35794405a1d5f3c71f22f8966b7ad3
Instruction ID: 0b8299c50f105a5309d45a75f5cd209a60a294aabd293798d92b858fe37a4c03
Opcode Fuzzy Hash: 06320e529ce10d99f752f6cdac0e95385f35794405a1d5f3c71f22f8966b7ad3
Instruction Fuzzy Hash: 90E09231014608BFCF416B58C948B593BBAEB52246B0A4418FA1986130CB35E982DA54

Uniqueness

Uniqueness Score: -1.00%

Function 6E02F393 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

., xrefs: 6E02F540

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 40cb21e35738477f23f3201da0c5bcb22bb3681b6fa419a4c03d047bcba9b358
Instruction ID: 669dcf76c64aef483a52b39e4c682989872af367900de6f2395e3f37cbc82d74
Opcode Fuzzy Hash: 40cb21e35738477f23f3201da0c5bcb22bb3681b6fa419a4c03d047bcba9b358
Instruction Fuzzy Hash: B93105719001096FDB24CEB8CC90FEA7BFEEF85388F2041A8E958A7241E6709D418B90

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDD673 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

., xrefs: 6DFDD820

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: d424694bbee9d2764d5fd0e6476776888fe6b93052e600dfdcdeb70393018b4f
Instruction ID: 810168db5a96a3fc020e28b56a0d0fbc8e6b7dc70b354a02dce5aa3d131e8c22
Opcode Fuzzy Hash: d424694bbee9d2764d5fd0e6476776888fe6b93052e600dfdcdeb70393018b4f
Instruction Fuzzy Hash: BE31F47290420AAFDB54CE6CDC94EFA7BBDDB81358F184198E55887251E7309D458FA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA30C0 Relevance: 3.3, APIs: 2, Instructions: 269COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE004), ref: 6DFA3105
PORT_SetError_Util.NSSUTIL3(FFFFE003), ref: 6DFA312F

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID:
API String ID: 1971245937-0
Opcode ID: dc63113b0d2c06bb246d7d6d0ab1b9a1abc8f062f9f7d98965e5c091f18541d5
Instruction ID: 29cefc70baf8f1e5dbc3b046a9d5b619d1bd8c4555f0791fa3df2b89200f6106
Opcode Fuzzy Hash: dc63113b0d2c06bb246d7d6d0ab1b9a1abc8f062f9f7d98965e5c091f18541d5
Instruction Fuzzy Hash: 9A917372508345ABC700CFADCC80A9BBBE8AFC9654F09492DF659C7211EA31DA44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA56F0 Relevance: 3.0, Strings: 2, Instructions: 469COMMON

Download Yara Rule

Strings

\\\\, xrefs: 6DFA5C06
j, xrefs: 6DFA5C54

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID: \\\\$j
API String ID: 0-2409579979
Opcode ID: 5f8afca9cdcf9102772bafe6e900331d03d0c29109524c904c2b6d6d1e09acc7
Instruction ID: 797f1307f4a75dcf33c5bf6453c1f2a0192659cd768c3356b9e006af12d9ffb7
Opcode Fuzzy Hash: 5f8afca9cdcf9102772bafe6e900331d03d0c29109524c904c2b6d6d1e09acc7
Instruction Fuzzy Hash: 56024A726083459FD760CF68C880AABBBE9BFC9304F48492DF999C7311D635E949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E01A180 Relevance: 1.8, APIs: 1, Instructions: 324COMMON

Download Yara Rule

APIs

SECOID_FindOIDTag_Util.NSSUTIL3(?,00000160,00000000,00000014,00000000,?,?,?,6E01A12E,00000000,00000160,000000C8), ref: 6E01A30C

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: FindTag_Util
String ID:
API String ID: 1304201149-0
Opcode ID: 9eca7e821f68ab2b92aff50bc3803b82a4b56ad8095f6154aa0ebed6fa6680a6
Instruction ID: cecee77adbb684b2b794b9ff53dd64d420e220857b0dbb1158f0a322c5fcbc67
Opcode Fuzzy Hash: 9eca7e821f68ab2b92aff50bc3803b82a4b56ad8095f6154aa0ebed6fa6680a6
Instruction Fuzzy Hash: C6B10471A0C7930BD7558DF888A03AAB7F2AF81354F758A3DECA18F245E725D40D8782

Uniqueness

Uniqueness Score: -1.00%

Function 6E014410 Relevance: 1.8, APIs: 1, Instructions: 306COMMON

Download Yara Rule

APIs

PORT_Free_Util.NSSUTIL3(00000000,?,00000003,00000000,00000001), ref: 6E01448B

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Free_Util
String ID:
API String ID: 3239092222-0
Opcode ID: 273e0e95d66d9d54fd5fe3abd869b082911492645018df35a534754fbfaf7ca5
Instruction ID: a4c3cf65403151e38c8cc2b8588bff81edb61610e8f72502091b76b9dd3b75e5
Opcode Fuzzy Hash: 273e0e95d66d9d54fd5fe3abd869b082911492645018df35a534754fbfaf7ca5
Instruction Fuzzy Hash: C49128367046026FDB00ABDCE851BDEB3E5EFD931AFC4086ED05A8F161D636851AC693

Uniqueness

Uniqueness Score: -1.00%

Function 6E034118 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6E034113,?,?,00000008,?,?,6E033DA6,00000000), ref: 6E034345

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: bb26813ef5f0a46413a35a381b4b3bef8d49b95310c45fca960638671d7878fa
Instruction ID: 06f9fcc07a0cd0d2ba0c8b2b6b615c65f09779c80dbe514dc8fb730dc9c12e0e
Opcode Fuzzy Hash: bb26813ef5f0a46413a35a381b4b3bef8d49b95310c45fca960638671d7878fa
Instruction Fuzzy Hash: 27B1A03151061AEFD754CF68C496B58BBE0FF453A4F658658E8E9CF2A1C336E982CB40

Uniqueness

Uniqueness Score: -1.00%

Function 6DFE1935 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6DFE1930,?,?,00000008,?,?,6DFE15C3,00000000), ref: 6DFE1B62

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 64e03d94013f18ce1906cfff99c753272adc4aff1fbb43e6fdfc34c62409961e
Instruction ID: 2aa00b809860416fbd5800d734dba1e2a37d76c731ed2572f1c772902904aba9
Opcode Fuzzy Hash: 64e03d94013f18ce1906cfff99c753272adc4aff1fbb43e6fdfc34c62409961e
Instruction Fuzzy Hash: 23B14D32220609EFD705CF2DC486BA57BE1FF453A5F258658E8A9CF2A1C335E991CB40

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA2549 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8274a35c596e0be63c1e89cfb48023923c6118dfcf09fd25309147743540e82
Instruction ID: 84882b4caa9cf47c4a227f6f8bff34c13762741b65bf054e5e98aa76271cf6e0
Opcode Fuzzy Hash: e8274a35c596e0be63c1e89cfb48023923c6118dfcf09fd25309147743540e82
Instruction Fuzzy Hash: ABA1E77160D2C58ECB21CE3DC8907F97FE1AF86204F4C969DE8D54B286D635D606C761

Uniqueness

Uniqueness Score: -1.00%

Function 6E01AA70 Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

`D|, xrefs: 6E01ABA0

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID:
String ID: `D|
API String ID: 0-2050008356
Opcode ID: 2be19f5ed8bec1f8947239c3b54f9bf0119af02e5b85999f5702d3cd7f0dd194
Instruction ID: c83b63171b2f6a876504be9328cae7175f09c0edc5d8a276503055796a5b1a2c
Opcode Fuzzy Hash: 2be19f5ed8bec1f8947239c3b54f9bf0119af02e5b85999f5702d3cd7f0dd194
Instruction Fuzzy Hash: 0DE116B160C6870BE7188EE8C8A03EB77F2EF85280F34867DD8569F640E774D5488780

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD8DEF Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,?), ref: 6DFD8E08

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 3b502c3e01ee24f5e251964ca752b2c62309492874fb1bb64f58151d4695863b
Instruction ID: be21d14cbdcf224def91a9aebb6853b83fa340aa19dfd6ce6c1a13295e05dd1a
Opcode Fuzzy Hash: 3b502c3e01ee24f5e251964ca752b2c62309492874fb1bb64f58151d4695863b
Instruction Fuzzy Hash: 3151BEB1921246CFEF48CF99D5817AEBBF9FB49314F19846AD415EB280D3709A00CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6DFBED20 Relevance: 1.5, Instructions: 1490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27b3e999919ddf25d4f3c272a7a0baa859bd3dfd37e3f43f2ee8bbf3dac7f2e
Instruction ID: eb8707b725f4be53984ba52d27fb85a776993625d82d41b1d7e2db095b7b8fad
Opcode Fuzzy Hash: f27b3e999919ddf25d4f3c272a7a0baa859bd3dfd37e3f43f2ee8bbf3dac7f2e
Instruction Fuzzy Hash: 49824E2970430723A75159EB5DC1FDB3ADC8E4A25DF49003CEF4455242EFEFA96A82A3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFBA560 Relevance: 1.0, Instructions: 950COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf0bae5d174b937e6b730203ac32ec0d45645f69057d435cdd5376fe2ec95278
Instruction ID: d43cd3cfa1914eba49be1d2e13f6a25e46ce2f3e2656d1ce57b07c47bea4a233
Opcode Fuzzy Hash: bf0bae5d174b937e6b730203ac32ec0d45645f69057d435cdd5376fe2ec95278
Instruction Fuzzy Hash: 88820E716342A59FC708CF1ED8D0AA6B7F3AB8A301786452EE585C7386C735E636C790

Uniqueness

Uniqueness Score: -1.00%

Function 6DFABBD0 Relevance: .9, Instructions: 879COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34a0014acab8d79f456cedafced160db22568fc8e03569954ea3268a190a69d
Instruction ID: d79a77946541ae0d0bf8c648f9cc3ec3d4ed05c3fa5afb75a7a79b59f147391c
Opcode Fuzzy Hash: a34a0014acab8d79f456cedafced160db22568fc8e03569954ea3268a190a69d
Instruction Fuzzy Hash: 0F820971A183548FD768CF29C89065BB7E1BBCC300F458A2EE599CB351EB30E915CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA9F50 Relevance: .8, Instructions: 780COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17134b9a709efbf71a693c7ab3a634c1942d6e4ebf769f7ce86f6da2825eb832
Instruction ID: 342b24226e207fa4948b1335c84dc34b5bd17039f42106849e737285d04d9300
Opcode Fuzzy Hash: 17134b9a709efbf71a693c7ab3a634c1942d6e4ebf769f7ce86f6da2825eb832
Instruction Fuzzy Hash: 676237746242515FCB08DF2ADC91A6BB3F2F7CA301786852EE546D7681CB34E526CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA8360 Relevance: .8, Instructions: 780COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bef8cd4b4fea9e72fb702ee17dd6d77ad5c8770d3d55c8e93773646881fb5be
Instruction ID: e6c40bd9f6b443fd10a2617d035433fb4cf43fbc6944cac3cbecfc8a5706c5da
Opcode Fuzzy Hash: 7bef8cd4b4fea9e72fb702ee17dd6d77ad5c8770d3d55c8e93773646881fb5be
Instruction Fuzzy Hash: 6F6227746242519FC708DF2ADC91A6AB3F2F7CA301786862EE546D7781CB34E526CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6DFBC000 Relevance: .7, Instructions: 749COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8811667912d6eeb4910f4e8fdb0122fb1468ff3a9d56f0da8f89ab650379786a
Instruction ID: 4dd17e9934c381348032302899d236f006e0d8f68b1916eb650e5b0c6edff33b
Opcode Fuzzy Hash: 8811667912d6eeb4910f4e8fdb0122fb1468ff3a9d56f0da8f89ab650379786a
Instruction Fuzzy Hash: C25225717302A94BCB48CE1DD8E167577F3A78A301786452EE586C73C2CA39E636DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6DF93C40 Relevance: .7, Instructions: 695COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d12593978865dd3a9bad8d3647e5c43de4533b8cb063a56feda2ff56c7415a7
Instruction ID: 5e591e43df6ad87cd60cabdf1485097f0252810fc9d750a5976943a7536b8176
Opcode Fuzzy Hash: 7d12593978865dd3a9bad8d3647e5c43de4533b8cb063a56feda2ff56c7415a7
Instruction Fuzzy Hash: 062281B3B547144BDB4CCE1DCCA23ADB2D3BBD8218B0E853DB84AD3305EA79D9154689

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA0E60 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef21cfecb9b8ee46368dacc03aa8635990398637205502dd42e2c3052362ff6
Instruction ID: 8b52a2b5089a338b68c421151e6a0104a6fcb3a3f34ec0a659bcbe17d1c5fc72
Opcode Fuzzy Hash: 1ef21cfecb9b8ee46368dacc03aa8635990398637205502dd42e2c3052362ff6
Instruction Fuzzy Hash: 714221B2B6094E9FF31CD619D952B327293EBDC210F4A817D99138BAD6CD38E463D640

Uniqueness

Uniqueness Score: -1.00%

Function 6DFCDE20 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a3e460fd510e865f8bfdeee609deec0981dc130a41ee011854bf3d4d79eec3
Instruction ID: 870f5ed99e77609d7260324bfee42b1a1a1e1170f056922ea0c607e5a5c7e56f
Opcode Fuzzy Hash: 87a3e460fd510e865f8bfdeee609deec0981dc130a41ee011854bf3d4d79eec3
Instruction Fuzzy Hash: 0F32A8716187458FC72CCF29D4A2A6BBBE2BFC8300F45C56EE49A8B255DB30A550CF85

Uniqueness

Uniqueness Score: -1.00%

Function 6DF93060 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 756e6d93ef67d1fff912424edeeee1e81883fb9c373e701641d95d588a7cb1fa
Instruction ID: 43cded45b26608ca871d133f4ed0a7ca437e3fe93e0bce64f2cc4eaa7e17588b
Opcode Fuzzy Hash: 756e6d93ef67d1fff912424edeeee1e81883fb9c373e701641d95d588a7cb1fa
Instruction Fuzzy Hash: A342A34900E3E25AC306973A60F49EBBFE11CAF109F5EA9DDE4C44B763C055814ADBA7

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD0810 Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b000bbfea007ee8a777ea92707738ae29e71b80407c89b427c80e973bebcaa2
Instruction ID: 05fdf71d238a0729ff09687445a1f26ca08fb754bd2537ac0b5c7e0cfe67ab93
Opcode Fuzzy Hash: 9b000bbfea007ee8a777ea92707738ae29e71b80407c89b427c80e973bebcaa2
Instruction Fuzzy Hash: 3922D776A183549FC714CF69C88095BFBE5BF88314F0A896DEA8997321D771EC14CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6DFCF7F0 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e0c0e909b541b5fbcfefacaf8a3825291d158455996fe3fc8ef9eae7f5c57d
Instruction ID: 65987358377e8deb551abf258a01113f31042cb378a7e02c89ca48d5b600bb67
Opcode Fuzzy Hash: 43e0c0e909b541b5fbcfefacaf8a3825291d158455996fe3fc8ef9eae7f5c57d
Instruction Fuzzy Hash: FB0245729083465BD764DF69C880BDBF3EDBFC4304F55492EA68AD3200DB7496198BA3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD0F30 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bcc2cdb6d4aa611768092011fe08cf2ee1c7014a48ce65a4316e4d3ebf2ecae
Instruction ID: 424a142872e660b8b17f7040fb836727531cb8d210b46aae7155880e94dcf85b
Opcode Fuzzy Hash: 7bcc2cdb6d4aa611768092011fe08cf2ee1c7014a48ce65a4316e4d3ebf2ecae
Instruction Fuzzy Hash: AC22E571A083459FC7A4CF58C880BDBB7E9FF88314F15892EE989D7211D731A955CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6DFC4160 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15960842e7f90b38f2133255c25fae8104ee8497e178c0d6087fab3dc0110b6e
Instruction ID: e3971de0448b97bb5bae710ee9aa10067b462e7d37bf37abeb96293066b56120
Opcode Fuzzy Hash: 15960842e7f90b38f2133255c25fae8104ee8497e178c0d6087fab3dc0110b6e
Instruction Fuzzy Hash: DBE1A3729083165BD310CF58D841B9BB7E8AF99754F060A2DFE54D7280E770ED298B93

Uniqueness

Uniqueness Score: -1.00%

Function 6DFCDEE6 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5688a9c320f3421dd3da7107b503c1ff201daeadc47ee96eef086f6ff23d5d
Instruction ID: 3ca3af09de50bf4a892df0b94d09de08989cd9f20074eaadf1f59881af0c9ddd
Opcode Fuzzy Hash: 7b5688a9c320f3421dd3da7107b503c1ff201daeadc47ee96eef086f6ff23d5d
Instruction Fuzzy Hash: 5C12A7716187458FC72CCF26D4A2A6BB7E2BFC8300F49C52EE59B8B255CB30A551CB45

Uniqueness

Uniqueness Score: -1.00%

Function 6DFCE4F0 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4394229e4796b43974490b422c2325e5ffd71625107745f879c9a7358898e032
Instruction ID: 904764dcc9bad7eafa6da0d8b19a816dc1d6e0dcbfe8191d22d2e778c2288a09
Opcode Fuzzy Hash: 4394229e4796b43974490b422c2325e5ffd71625107745f879c9a7358898e032
Instruction Fuzzy Hash: F102C8725187459FCB1DCF25D8A2AABB7F6FF88300F45852EA84B8B251D730A520CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD2640 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8597debb0144f5c00cfd4baf3e457f47510db2342e97b37431c52edee954703d
Instruction ID: e37be208a0ee1ddd0a48379026d37db88a7b5a8cdb69d4176461607f9914f3c0
Opcode Fuzzy Hash: 8597debb0144f5c00cfd4baf3e457f47510db2342e97b37431c52edee954703d
Instruction Fuzzy Hash: 56D1F571A087158FC758CF5DC88064ABBE1BFC8318F598A2DF999D33A1E371D8458B82

Uniqueness

Uniqueness Score: -1.00%

Function 6DFCC870 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4487636ca4cbaa119684a88237eb6c813c6c73b5049783d3e0b5d3b46c07be
Instruction ID: 7a7c98d021874c3f8bf37f676c64e584a6302744cf0c99cf080c6b8b8e5aa4d5
Opcode Fuzzy Hash: 9a4487636ca4cbaa119684a88237eb6c813c6c73b5049783d3e0b5d3b46c07be
Instruction Fuzzy Hash: 45D16E73A147118BC354CE2CC89125EB7E2FB88324F59872DE5A5CB395E738E915CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA7570 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f52c287bb194460512da6f4487bb0d6a778101afba9e6361587457d6980f0f
Instruction ID: 8b9b7850310288f5678151b44ef7b0b5df5bd9f49c86cf56d27b86b07459c210
Opcode Fuzzy Hash: a2f52c287bb194460512da6f4487bb0d6a778101afba9e6361587457d6980f0f
Instruction Fuzzy Hash: 79B11970B101658FE700CF2DD890229BFF1EBCB305759466AE588DB355D239E916DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6DFBA1C0 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d48685d9447183e9a182e919bfb909c6485770dda082632195bee767ff04d75
Instruction ID: ea5756a8159a766a0dd9003a9b994067277dc37bc710bf4b68c7f7068e48d1ab
Opcode Fuzzy Hash: 2d48685d9447183e9a182e919bfb909c6485770dda082632195bee767ff04d75
Instruction Fuzzy Hash: 09C172755093859FC701CF2DC58496AFFF4EF89204F588A5DE8988B306E772DA05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD6375 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea34cea1e93805841f4ce8ff4544f7b8966b561b3590f464bc1c53bdc002097a
Instruction ID: f1266474728beecfa0237d24d1b379a6022307f26aa298a2988e8f7bcc54a201
Opcode Fuzzy Hash: ea34cea1e93805841f4ce8ff4544f7b8966b561b3590f464bc1c53bdc002097a
Instruction Fuzzy Hash: 60C16520C1C78356E222CBBCC444561B760BFEF504F20DB6FBDC5B56A3E7636901AA62

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA6710 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f928f06fff6dc6834fffec7727649947ab80589979964507db99dcade1edbc6
Instruction ID: d6ea582b2e09db57e8a241ecd3d4994fc91815b36c931c12c50e3259ff71217d
Opcode Fuzzy Hash: 9f928f06fff6dc6834fffec7727649947ab80589979964507db99dcade1edbc6
Instruction Fuzzy Hash: 50D17E745193918FC704CF29D09057AFFF1EF9A314B498A9EE8D68B342C235A91ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD1650 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a432a6ec41a0b382aca846a15d2922e9c22862ed808659c62f3d73366080e0
Instruction ID: 73226d951e34e1708ce975b97ab9111b49d904ff58e70eec805531acb6184d4b
Opcode Fuzzy Hash: 48a432a6ec41a0b382aca846a15d2922e9c22862ed808659c62f3d73366080e0
Instruction Fuzzy Hash: C0C136B1A187158FC748CF19C88055ABBE1FF8C314F19866EE8689B355DB78E910CF85

Uniqueness

Uniqueness Score: -1.00%

Function 6DFCD9C0 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d340c390fd4130ece3ef235d12be29dc2d79e995785715812d11fa09e5dfa51
Instruction ID: d66a6930b6d57c8c28eca64fa9c3efe193ac989201eb4f86cf146fe34fc69d17
Opcode Fuzzy Hash: 4d340c390fd4130ece3ef235d12be29dc2d79e995785715812d11fa09e5dfa51
Instruction Fuzzy Hash: 5BB150739183459BC364CE68C841A9FB7EDEBC4320F494B2EF1A9C3251E778D9158B92

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD3110 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30fb98523ba5ff00a9f7aef7ee4695b18a36c452e4124a2ca78c6d2e0634ffe2
Instruction ID: 4d82ac893a60543ec322b8c61feb18209d0f0de2c6f84473984ee20cfaead227
Opcode Fuzzy Hash: 30fb98523ba5ff00a9f7aef7ee4695b18a36c452e4124a2ca78c6d2e0634ffe2
Instruction Fuzzy Hash: 61C1AFB2A083418FC758CF29D88061AFBE1BBC8344F55992EF599D3311E735EA098F46

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD5F15 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f431a126451b5e0531ddc8214087bd3aa4f814b612d63e721634632b167a40
Instruction ID: 2a52135f4a38811bff8374dbe600619ca472f78837e50f4e06c339d091b8ed65
Opcode Fuzzy Hash: 46f431a126451b5e0531ddc8214087bd3aa4f814b612d63e721634632b167a40
Instruction Fuzzy Hash: 6FB17521C1C78256E212CF7CC444561B760BFEF504F20DB6FBDC5B56A3E763A901AA62

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA7130 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a8caf2fcd38bd89f2868ea1df0f2e1d65c53b313b00ca23d7b0528d122c883
Instruction ID: 75938ab6ee585e18909285b503ffb0ede517e00236a2d1b71b305571489756c2
Opcode Fuzzy Hash: 35a8caf2fcd38bd89f2868ea1df0f2e1d65c53b313b00ca23d7b0528d122c883
Instruction Fuzzy Hash: 64C149B19252A58FD700CF2DD490A2ABBF0EB8A301F46496EF984D7346C734EA15CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD0110 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa6370841a49f74ff39ffb8c3a1e4b04c4c63c80a60cec53ed604919c86df72
Instruction ID: 80d50bd486b3adc7aabfc3a14d63a519c801317e7d959579065c43fd11bd74ef
Opcode Fuzzy Hash: 0fa6370841a49f74ff39ffb8c3a1e4b04c4c63c80a60cec53ed604919c86df72
Instruction Fuzzy Hash: 97B1B4B5A043058FC744CF19C580A0AFBE1BF88714F498AAEE9899B316D734E945CF86

Uniqueness

Uniqueness Score: -1.00%

Function 6E022F00 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3017871caa168223cb7ccb0f080a97dfa645274c9df4ff0f7e21e4388cae7e
Instruction ID: ed43446ac6c777f729cae9cba2a9ff0761eea94346b02c51a3c0d673230fe9b1
Opcode Fuzzy Hash: 6a3017871caa168223cb7ccb0f080a97dfa645274c9df4ff0f7e21e4388cae7e
Instruction Fuzzy Hash: 13818B6632A2C78FD34ECB6C48404A9EF61BA7610038857DDDC85EF383C514DAA9C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD5717 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a2cd8e88516ae08b7b9e24f668d43142b85c84841fe0668a5b9e5b78a6b28e
Instruction ID: 7fdb19e84cac20d065e90245f800b22238de9ce34c01884c6d30b55ba8fbab2c
Opcode Fuzzy Hash: 65a2cd8e88516ae08b7b9e24f668d43142b85c84841fe0668a5b9e5b78a6b28e
Instruction Fuzzy Hash: 59916225C20BA765E2231AB9C405A617720FFAFF04B14FB5FB9D4B9993EF3589499200

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD0400 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734f44b8f583f62061d69012da65a2f047ddec00b0347f70a2dd6017d36abd67
Instruction ID: f4d4248787cbee519f7ac44ae9444e8391a75913f43ebcbb6866632c1e500ca1
Opcode Fuzzy Hash: 734f44b8f583f62061d69012da65a2f047ddec00b0347f70a2dd6017d36abd67
Instruction Fuzzy Hash: 3D81EB757142058FCB48CF6DC99081AFBE2BF8C314B4A85ADE64ACB362D731E954CB85

Uniqueness

Uniqueness Score: -1.00%

Function 6DFC5670 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb87691ac303d833b9bab036bb6a5b3fecb39884444cacd0255d6d56c6ab233d
Instruction ID: 724e3f2b1cfde86f2b9e190c1e34c35a572f612ff7fe1daf0cd9b4397787bf93
Opcode Fuzzy Hash: fb87691ac303d833b9bab036bb6a5b3fecb39884444cacd0255d6d56c6ab233d
Instruction Fuzzy Hash: E15124B25183166FC340DE99CD80DABB7DCAA88148FC40D2EF685C3251E768E61D97B3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA6E30 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82645bc5b04dea34d7857a9d4c57ebf4790aa4d16918410660a31f6665298e2
Instruction ID: e5e111731d58a7398ca64e03cb018c3b084112fc6a110880bdc2d56196388236
Opcode Fuzzy Hash: c82645bc5b04dea34d7857a9d4c57ebf4790aa4d16918410660a31f6665298e2
Instruction Fuzzy Hash: A6816F75A342588FD704CF1DD84062ABBF0EB8A301B86496AF984D7356C735FA16CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6E0152F0 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a81c9fdfb94ba101a988979a571e18c78a1a884a8d841221703d99810a45e8
Instruction ID: e113659bba25711dd1ae1023e90474ee07060cfbab7745323929be7c57ec2ac9
Opcode Fuzzy Hash: 22a81c9fdfb94ba101a988979a571e18c78a1a884a8d841221703d99810a45e8
Instruction Fuzzy Hash: DB51D5766045015FD601AB989C01FEF37A9AFD870AFC408AEE00A4B162D737851AC7E7

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA6450 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a0283e19df152e7089f5ae25f624d97f2caaad098cf43e2870531dacdfeee0f
Instruction ID: edf8018149620978345fd219460881cad32b282cbdbc339b2217bdfbe599f087
Opcode Fuzzy Hash: 8a0283e19df152e7089f5ae25f624d97f2caaad098cf43e2870531dacdfeee0f
Instruction Fuzzy Hash: 69815F345252A48FC704CF2DD440576BBF1EB9A205B8A859EE4C4DB353C236EA17DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD5377 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80dab852a6c820fbb2ff36514dc74a4ad2a6913984b92f734ef4ed36758a6f03
Instruction ID: f30b6e91edc0dee1dcaf757c671558875194a3a071d72969eabd324ec95e6a3f
Opcode Fuzzy Hash: 80dab852a6c820fbb2ff36514dc74a4ad2a6913984b92f734ef4ed36758a6f03
Instruction Fuzzy Hash: A8818325C20BA765F2231A7DC405A627720FEAFF04B14EB5FBDD4B9993EF3589499200

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD5041 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210fcaac28b2753f6bbab46c9b50571b6519f6a9928e5daef26cad2d54bc8d96
Instruction ID: 7b30425aba1e93d15b18af0ee88d4be7fed4edbe8104f46e9036ba3aa3dffd5d
Opcode Fuzzy Hash: 210fcaac28b2753f6bbab46c9b50571b6519f6a9928e5daef26cad2d54bc8d96
Instruction Fuzzy Hash: 4C71A521C20BA765F2235A7DC405A617720FFAFF04B10EB4BBDD4B9993EF3589499200

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD0630 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b46cca1658b516aecef8b22c106bdd7b1273f47751168fc8ac4ce0f27f469d4
Instruction ID: 6d7340a6ac11e66b65f046ea5d99eaf1c8d09ce6a481555b1d4d813333ec5fff
Opcode Fuzzy Hash: 6b46cca1658b516aecef8b22c106bdd7b1273f47751168fc8ac4ce0f27f469d4
Instruction Fuzzy Hash: B261D5B5A143058FC348CF19C980A16FBE5BF88314F19CAAEE5498B362E771E945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA1800 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50ea51ff0f8288e83566b6f8fb180542a3fead0eddbcb9c97da37150f60282b
Instruction ID: 2fe9a18cefdca04605be90053222206464bd77fe13dd1345b183fbefa42dfca0
Opcode Fuzzy Hash: f50ea51ff0f8288e83566b6f8fb180542a3fead0eddbcb9c97da37150f60282b
Instruction Fuzzy Hash: 1341B073F109254BE70CC91ADC6627AB6C3D7C8354F1AC23CD967977C5D87499168680

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD23C0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c5dc79f64c0b5fdbde4d40923b1eedc77e864f534c89b92a62397753ebf142f
Instruction ID: abf70d16fba9945413f4b2fd3d389e03020e68c3b4cdbd2de3203090ef0c34ff
Opcode Fuzzy Hash: 0c5dc79f64c0b5fdbde4d40923b1eedc77e864f534c89b92a62397753ebf142f
Instruction Fuzzy Hash: 4851CEB2A087058FC30CDF19D89165AB7E1EFC8314F094B2EE96AD7381D634E915CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD1BD0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9fbc23026d5d44543bef2b8c85fd3330e715dbe4d2b43445deee58432255bf9
Instruction ID: 6623844cddb0c9cd04d81dabe911da2d37933be76dcf0909f807df33f8d990c0
Opcode Fuzzy Hash: e9fbc23026d5d44543bef2b8c85fd3330e715dbe4d2b43445deee58432255bf9
Instruction Fuzzy Hash: CF41D24582EB9805C703B73A40161A6FBE19EFB15D709C74BF8F43B272E316B589A361

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA4D10 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74d274e4de9e464b3cedae241996da74a318b11331f7305696eee5431f27730
Instruction ID: ff2c085dd44d66362c097aaf1afa80e42fbb2e19d15623fd99027b6edb3e5dac
Opcode Fuzzy Hash: f74d274e4de9e464b3cedae241996da74a318b11331f7305696eee5431f27730
Instruction Fuzzy Hash: DB410D72B187114B8718CE3E885311FF6E5ABDC314F46863DB4AAE7264D675CD448A82

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA4E80 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8e7dc589dc8f4139218b4839e3d0e38981abbdc2dbcc2e6542c62cdff064d9
Instruction ID: 1042b9904c6c83aeefd522f1eb5b02b3a0bf3f668720b04e75a456c8eaf9fed5
Opcode Fuzzy Hash: 8c8e7dc589dc8f4139218b4839e3d0e38981abbdc2dbcc2e6542c62cdff064d9
Instruction Fuzzy Hash: 34419F616097868BD304CE6D98406AFBBD5ABDA200F8C497DF9C5C7342DA14EA0DC7E3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA2F10 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a2316affbd64c64e97b98432d7df6b19466b51235ccd4834b1ab71d572e3de
Instruction ID: 586b5303cfbfa99bc913c956d3f484eb33b0f7a1a5904145ca4717bc0cbf90ca
Opcode Fuzzy Hash: 33a2316affbd64c64e97b98432d7df6b19466b51235ccd4834b1ab71d572e3de
Instruction Fuzzy Hash: 3F31577155D385AAC251DAAC9C4498FBFD8DBD6204F480A9DF5C8A7202D229D60DC7B3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD1DE0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ab6a1c0a28e244003f04f667a4c8bc7a09b31d9c63e929d53bdd11e95f85e9
Instruction ID: b03e9af51d07a6d21a46f2d67c25720d1c565e2242c8f6e44e756950c9f2c251
Opcode Fuzzy Hash: c0ab6a1c0a28e244003f04f667a4c8bc7a09b31d9c63e929d53bdd11e95f85e9
Instruction Fuzzy Hash: A3213811319BC58BD315DA6D888025AFED1DBAA100F88CDBDE8DAD7B43D514E90EC3A2

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD49A0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e866a8c4db90395ada8d441b41f99f5bbd8de0c6698e82ae68e4678ce18e3df2
Instruction ID: f6f61de9bee89f9bf4088d84e66c49d80caa64f34b1d7f9c12a8dab0ab86a284
Opcode Fuzzy Hash: e866a8c4db90395ada8d441b41f99f5bbd8de0c6698e82ae68e4678ce18e3df2
Instruction Fuzzy Hash: 40214175C19F9647E703AB345403663F710AFFB294B11E747FCE0399A6CB11B645A240

Uniqueness

Uniqueness Score: -1.00%

Function 6E055C30 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e618c9f052749a1120e69be24cdeb9b97fd3c658e456897a399de79fccbdb1
Instruction ID: e85342bdba5c5632c06f86ac90f425321fdb8d2afdfb1204f728f6f3cd7e303b
Opcode Fuzzy Hash: c3e618c9f052749a1120e69be24cdeb9b97fd3c658e456897a399de79fccbdb1
Instruction Fuzzy Hash: 4711E139100B058FD7108FA8DA84B93B7E9FF40718F448828D85A9B791D7B5F891CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD47F0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8063add7c991812e1d922fce050981259758baca996108e84af136b9b6376aa6
Instruction ID: a35555d9c77b66a42aa5b9b847e930a20fbead9e1c0a8a49e8d8f8496d2ea953
Opcode Fuzzy Hash: 8063add7c991812e1d922fce050981259758baca996108e84af136b9b6376aa6
Instruction Fuzzy Hash: CD113D66C1DFD647E703AB399803641F710AFE71A4700EB56FCF13A5AADB11BA54A340

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD4BA0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc6a8795c596b57661d2873b8efe5ada77c17fab4345595de07334d03ea2d0c
Instruction ID: da8ad7cd832c44227da3e97d7ce720ff61f6afd3d254b246f6e6339de789a4b1
Opcode Fuzzy Hash: acc6a8795c596b57661d2873b8efe5ada77c17fab4345595de07334d03ea2d0c
Instruction Fuzzy Hash: C0118165C08F8643E7235B359403791AB10AFF75A4700DB66FCEA39EB3DB16F644A240

Uniqueness

Uniqueness Score: -1.00%

Function 6E02F168 Relevance: .0, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f720643e528d52846d04048a5f42966e09c611c0338fad47acb9d9a895424d73
Instruction ID: fc2cfa441dd7a3bf3b29a87f51df1bd5b82b103f28462d057fe5db08a1e5ca7e
Opcode Fuzzy Hash: f720643e528d52846d04048a5f42966e09c611c0338fad47acb9d9a895424d73
Instruction Fuzzy Hash: FCE08C32A21228EFC711CBD8C914A9AF3FCFB09A51F6145AAF914E3200C2B0DE00D7C0

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDD448 Relevance: .0, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f245b21c8005085570ba3476a843b92c1bc3d3f8e084f326c18bb22d9b2d73ce
Instruction ID: 4cef0eb3c41af71cacd6b230d6a901bf5e5193734540564288f3cc75a6c1ba31
Opcode Fuzzy Hash: f245b21c8005085570ba3476a843b92c1bc3d3f8e084f326c18bb22d9b2d73ce
Instruction Fuzzy Hash: 2CE04F72915228EBC711CA8C8900A59B3ECEB46A10B154596F914D3110C2749E00CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB9800 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSSUTIL3(?), ref: 6DFB9899
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,6DFB97EF,00000000,00000001,?,6DFA3C54), ref: 6DFB98AE
PR_Open.NSPR4(?,00000001,00000000,?,?,?,?,6DFB97EF,00000000,00000001,?,6DFA3C54), ref: 6DFB9907
PR_Read.NSPR4(00000000,?,0000000C), ref: 6DFB9925
PR_Seek.NSPR4(00000000,00000000,00000000,?), ref: 6DFB9980
PR_Close.NSPR4(00000000), ref: 6DFB9A00
PORT_Free_Util.NSSUTIL3(?), ref: 6DFB9B23
PORT_Free_Util.NSSUTIL3(?), ref: 6DFB9B34
PORT_Free_Util.NSSUTIL3(?), ref: 6DFB9B45
PORT_Free_Util.NSSUTIL3(?), ref: 6DFB9B56
PORT_Free_Util.NSSUTIL3(?), ref: 6DFB9B67

Strings

.dll, xrefs: 6DFB98C9
@, xrefs: 6DFB984D
.chk, xrefs: 6DFB98F1

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Free_$Alloc_CloseError_OpenReadSeek
String ID: .chk$.dll$@
API String ID: 1072788041-845694866
Opcode ID: 125d20b923c0c2868729f0c3085618e1adf28278ef9c794709e5d28e18ab7fee
Instruction ID: 205bff397520e68198f57ba10e64b397f32e551bb2872315b4d12bb14050349a
Opcode Fuzzy Hash: 125d20b923c0c2868729f0c3085618e1adf28278ef9c794709e5d28e18ab7fee
Instruction Fuzzy Hash: CC91A4B1A08346ABD710DF69DC84B6B77ECEF95304F05442DF949D6101EB75EA04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E0133E0 Relevance: 36.3, APIs: 24, Instructions: 275
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E6E0133E0(intOrPtr __eax) {
				intOrPtr* _t55;
				intOrPtr _t56;
				signed int _t59;
				void* _t60;
				void* _t61;
				intOrPtr _t70;
				intOrPtr _t71;
				signed int _t72;
				signed int _t73;
				intOrPtr* _t74;
				intOrPtr* _t76;
				void* _t78;
				void* _t79;

				_t74 = 0;
				_t73 = _t72 | 0xffffffff;
				 *((intOrPtr*)(_t78 + 0x10)) = 0;
				if( *((intOrPtr*)(_t78 + 0x30)) == 0 ||  *((intOrPtr*)(_t78 + 0x34)) == 0) {
					L43:
					return 0;
				} else {
					_push(0x800);
					L6E025ABE();
					_push(0x800);
					 *((intOrPtr*)(_t78 + 0x14)) = __eax;
					L6E025ABE();
					_t70 = __eax;
					_t79 = _t78 + 8;
					_t55 =  *((intOrPtr*)(_t79 + 0xc));
					if(_t55 != 0) {
						if(__eax != 0) {
							_push(0x38);
							_push(_t55);
							L6E025AD0();
							_push(0xb0);
							_push(__eax);
							_t76 = _t55;
							L6E025AD0();
							_t74 = _t55;
							_t79 = _t79 + 0x10;
							if(_t74 != 0 && _t76 != 0) {
								 *_t74 = __eax;
								_push(_t79 + 0x14);
								_push( *((intOrPtr*)(_t79 + 0x38)));
								_push( *((intOrPtr*)(_t79 + 0x40)));
								_t59 = E6E019FC0();
								_t73 = _t59;
								_t79 = _t79 + 0xc;
								if(_t73 == 0) {
									_t71 =  *((intOrPtr*)(_t79 + 0x14));
									if(_t71 != 0) {
										_push(_t71);
										_push(0x6e035938);
										_push(_t76);
										_push( *((intOrPtr*)(_t79 + 0x1c)));
										L6E025AEE();
										_t73 = _t59;
										_t79 = _t79 + 0x10;
										if(_t73 != 0) {
											L6E025AB8();
											if(_t59 == 0xffffe009) {
												_push(0xffffe00f);
												L6E025AB2();
												_t79 = _t79 + 4;
											}
										} else {
											_t11 = _t76 + 0x10; // 0x10
											_t60 = _t11;
											_push(_t60);
											L6E025B12();
											_t61 = _t60 + 0xfffffff0;
											_t79 = _t79 + 4;
											if(_t61 > 0xb8) {
												L21:
												_t73 = _t73 | 0xffffffff;
											} else {
												_t12 = _t61 + E6E013740; // 0x8d502845
												switch( *((intOrPtr*)(( *_t12 & 0x000000ff) * 4 +  &M6E01372C))) {
													case 0:
														 *((intOrPtr*)(_t74 + 4)) = 1;
														E6E01B750(_t74);
														_t16 = _t76 + 0x28; // 0x28
														_push(_t16);
														_t65 = _t79 + 0x20;
														_push(_t65);
														_push(_t70);
														L6E025AD6();
														_t79 = _t79 + 0x10;
														if(_t65 == 0) {
															_t66 = _t79 + 0x18;
															_push(_t66);
															_push(0x6e0356d8);
															_push(_t74);
															_push(_t70);
															L6E025AEE();
															_t73 = _t66;
															_t79 = _t79 + 0x10;
															if(_t73 != 0) {
																_t67 = _t79 + 0x18;
																_push(_t67);
																_push(0x6e035788);
																_push(_t74);
																_push(_t70);
																L6E025AEE();
																_t73 = _t67;
																_t79 = _t79 + 0x10;
																if(_t73 == 0) {
																	if( *((intOrPtr*)(_t74 + 0x20)) != 2) {
																		L20:
																		_push(0xffffe009);
																		L6E025AB2();
																		_t79 = _t79 + 4;
																		goto L21;
																	} else {
																		_t68 =  *((intOrPtr*)(_t74 + 0x1c));
																		if( *_t68 != 2 ||  *((char*)(_t68 + 1)) != 0 ||  *((intOrPtr*)(_t74 + 0x2c)) != 1) {
																			goto L20;
																		} else {
																			_t69 =  *((intOrPtr*)(_t74 + 0x28));
																			if( *_t69 != 0) {
																				goto L20;
																			} else {
																				 *((intOrPtr*)(_t74 + 0x1c)) = _t69;
																				 *((intOrPtr*)(_t74 + 0x20)) = 1;
																			}
																		}
																	}
																}
															}
														}
														goto L36;
													case 1:
														 *((intOrPtr*)(__esi + 4)) = 2;
														__eax = E6E01B6A0(__esi);
														_t28 = __ebp + 0x28; // 0x28
														__eax = _t28;
														_push(_t28);
														__eax = __esp + 0x20;
														_push(__eax);
														_push(__ebx);
														L6E025AD6();
														__esp = __esp + 0x10;
														if(__eax == 0) {
															__eax = __esp + 0x18;
															_push(__eax);
															_push(0x6e035838);
															_push(__esi);
															_push(__ebx);
															L6E025AEE();
															__esp = __esp + 0x10;
															if(__eax == 0) {
																_t31 = __esi + 8; // 0x8
																_t31 = E6E01B730(_t31);
																__eax = __ebp + 0x1c;
																_push(__ebp + 0x1c);
																__eax = __esp + 0x2c;
																_push(__eax);
																_push(__ebx);
																L6E025AD6();
																__esp = __esp + 0x10;
																if(__eax == 0) {
																	__eax = __esp + 0x24;
																	_push(__esp + 0x24);
																	_push(0x6e035688);
																	_t35 = __esi + 8; // 0x8
																	__eax = _t35;
																	_push(_t35);
																	_push(__ebx);
																	L6E025AEE();
																	__esp = __esp + 0x10;
																}
															}
														}
														goto L36;
													case 2:
														 *((intOrPtr*)(__esi + 4)) = 4;
														__eax = E6E01B670(__esi);
														_t37 = __ebp + 0x28; // 0x28
														__eax = _t37;
														_push(_t37);
														__eax = __esp + 0x20;
														_push(__eax);
														_push(__ebx);
														L6E025AD6();
														__esp = __esp + 0x10;
														if(__eax == 0) {
															__eax = __esp + 0x18;
															_push(__esp + 0x18);
															_push(0x6e035878);
															_push(__esi);
															_push(__ebx);
															L6E025AEE();
															__esp = __esp + 0x10;
														}
														goto L36;
													case 3:
														 *((intOrPtr*)(__esi + 4)) = 5;
														__eax = E6E01B6D0(__esi);
														_t41 = __ebp + 0x28; // 0x28
														__eax = _t41;
														_push(_t41);
														__eax = __esp + 0x20;
														_push(__eax);
														_push(__ebx);
														L6E025AD6();
														__esp = __esp + 0x10;
														if(__eax == 0) {
															__eax = __esp + 0x18;
															_push(__eax);
															_push(0x6e0358d8);
															_push(__esi);
															_push(__ebx);
															L6E025AEE();
															__esp = __esp + 0x10;
															if(__eax == 0) {
																_t44 = __esi + 8; // 0x8
																_t44 = E6E01B710(_t44);
																__eax = __ebp + 0x1c;
																_push(__eax);
																_t46 = __esi + 0x70; // 0x70
																_push(_t46);
																_push(__ebx);
																L6E025AD6();
																__esp = __esp + 0x10;
																if(__eax == 0) {
																	_t47 = __esi + 8; // 0x8
																	__eax = _t47;
																	_t48 = __esi + 0x70; // 0x70
																	__eax = _t48;
																	if(E6E01B380(__ebx, _t48, _t47) == 0) {
																		__eax =  *((intOrPtr*)(__esi + 0x94));
																		if(__eax != 0) {
																			 *((intOrPtr*)(__esi + 0x94)) = __eax;
																		}
																	}
																}
															}
														}
														goto L36;
													case 4:
														goto L21;
												}
											}
										}
									}
								}
							}
							L36:
							_t55 =  *((intOrPtr*)(_t79 + 0x10));
						}
						_push(1);
						_push(_t55);
						L6E025AC4();
						_t79 = _t79 + 8;
					}
					_t56 =  *((intOrPtr*)(_t79 + 0x10));
					if(_t56 != 0) {
						_push(1);
						_push(_t56);
						L6E025AE8();
						_t79 = _t79 + 8;
					}
					if(_t73 == 0) {
						return _t74;
					} else {
						if(_t70 != 0) {
							_push(1);
							_push(_t70);
							L6E025AC4();
						}
						goto L43;
					}
				}
			}

0x6e0133e5
0x6e0133e8
0x6e0133eb
0x6e0133f3
0x6e01371c
0x6e013722
0x6e013403
0x6e013403
0x6e013408
0x6e01340d
0x6e013412
0x6e013416
0x6e01341b
0x6e01341d
0x6e013420
0x6e013426
0x6e01342e
0x6e013435
0x6e013437
0x6e013438
0x6e01343d
0x6e013442
0x6e013443
0x6e013445
0x6e01344a
0x6e01344c
0x6e013451
0x6e013463
0x6e013465
0x6e013466
0x6e01346a
0x6e01346e
0x6e013473
0x6e013475
0x6e01347a
0x6e013480
0x6e013486
0x6e01348c
0x6e01348d
0x6e013492
0x6e013493
0x6e013497
0x6e01349c
0x6e01349e
0x6e0134a3
0x6e0136cb
0x6e0136d5
0x6e0136d7
0x6e0136dc
0x6e0136e1
0x6e0136e1
0x6e0134a9
0x6e0134a9
0x6e0134a9
0x6e0134ac
0x6e0134ad
0x6e0134b2
0x6e0134b5
0x6e0134bd
0x6e013572
0x6e013572
0x6e0134c3
0x6e0134c3
0x6e0134ca
0x00000000
0x6e0134d2
0x6e0134d9
0x6e0134de
0x6e0134e1
0x6e0134e2
0x6e0134e6
0x6e0134e7
0x6e0134e8
0x6e0134ed
0x6e0134f2
0x6e0134f8
0x6e0134fc
0x6e0134fd
0x6e013502
0x6e013503
0x6e013504
0x6e013509
0x6e01350b
0x6e013510
0x6e013516
0x6e01351a
0x6e01351b
0x6e013520
0x6e013521
0x6e013522
0x6e013527
0x6e013529
0x6e01352e
0x6e013538
0x6e013565
0x6e013565
0x6e01356a
0x6e01356f
0x00000000
0x6e01353a
0x6e01353a
0x6e013540
0x00000000
0x6e01354e
0x6e01354e
0x6e013554
0x00000000
0x6e013556
0x6e013556
0x6e013559
0x6e013559
0x6e013554
0x6e013540
0x6e013538
0x6e01352e
0x6e013510
0x00000000
0x00000000
0x6e01357b
0x6e013582
0x6e013587
0x6e013587
0x6e01358a
0x6e01358b
0x6e01358f
0x6e013590
0x6e013591
0x6e013596
0x6e01359b
0x6e0135a1
0x6e0135a5
0x6e0135a6
0x6e0135ab
0x6e0135ac
0x6e0135ad
0x6e0135b4
0x6e0135b9
0x6e0135bf
0x6e0135c3
0x6e0135c8
0x6e0135cb
0x6e0135cc
0x6e0135d0
0x6e0135d1
0x6e0135d2
0x6e0135d7
0x6e0135dc
0x6e0135e2
0x6e0135e6
0x6e0135e7
0x6e0135ec
0x6e0135ec
0x6e0135ef
0x6e0135f0
0x6e0135f1
0x6e0135f6
0x6e0135f9
0x6e0135dc
0x6e0135b9
0x00000000
0x00000000
0x6e013601
0x6e013608
0x6e01360d
0x6e01360d
0x6e013610
0x6e013611
0x6e013615
0x6e013616
0x6e013617
0x6e01361c
0x6e013621
0x6e013627
0x6e01362b
0x6e01362c
0x6e013631
0x6e013632
0x6e013633
0x6e013638
0x6e01363b
0x00000000
0x00000000
0x6e013643
0x6e01364a
0x6e01364f
0x6e01364f
0x6e013652
0x6e013653
0x6e013657
0x6e013658
0x6e013659
0x6e01365e
0x6e013663
0x6e013665
0x6e013669
0x6e01366a
0x6e01366f
0x6e013670
0x6e013671
0x6e013678
0x6e01367d
0x6e01367f
0x6e013683
0x6e013688
0x6e01368b
0x6e01368c
0x6e01368f
0x6e013690
0x6e013691
0x6e013698
0x6e01369d
0x6e01369f
0x6e01369f
0x6e0136a3
0x6e0136a3
0x6e0136b4
0x6e0136b6
0x6e0136be
0x6e0136c3
0x6e0136c3
0x6e0136be
0x6e0136b4
0x6e01369d
0x6e01367d
0x00000000
0x00000000
0x00000000
0x00000000
0x6e0134ca
0x6e0134bd
0x6e0134a3
0x6e013486
0x6e01347a
0x6e0136e4
0x6e0136e4
0x6e0136e8
0x6e0136e9
0x6e0136eb
0x6e0136ec
0x6e0136f1
0x6e0136f1
0x6e0136f4
0x6e0136fa
0x6e0136fc
0x6e0136fe
0x6e0136ff
0x6e013704
0x6e013704
0x6e013709
0x6e01372b
0x6e01370b
0x6e01370d
0x6e01370f
0x6e013711
0x6e013712
0x6e013717
0x00000000
0x6e01370d
0x6e013709

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,00000000,00000000,?,?,?,?,?,?,6E0120EB,00000018,?), ref: 6E013408
PORT_NewArena_Util.NSSUTIL3(00000800,00000800,00000000,00000000,?,?,?,?,?,?,6E0120EB,00000018,?), ref: 6E013416
PORT_ArenaZAlloc_Util.NSSUTIL3(?,00000038,?,00000000,?,?,?,?,?,?,6E0120EB,00000018,?), ref: 6E013438
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,000000B0,?,00000038,?,00000000,?,?,?,?,?,?,6E0120EB,00000018,?), ref: 6E013445

Part of subcall function 6E019FC0: PORT_SetError_Util.NSSUTIL3(FFFFE001,6E013473,?,?,?,?,?,?,?,00000000), ref: 6E019FCE

SEC_QuickDERDecodeItem_Util.NSSUTIL3(?,00000000,6E035938,?,?,?,?,?,?,?,?,00000000), ref: 6E013497
SECOID_GetAlgorithmTag_Util.NSSUTIL3(00000010,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E0134AD
SECITEM_CopyItem_Util.NSSUTIL3(00000000,?,00000028,00000000), ref: 6E0134E8
SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,00000000,6E0356D8,?), ref: 6E013504
SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,00000000,6E035788,?), ref: 6E013522
SECITEM_CopyItem_Util.NSSUTIL3(00000000,?,00000028,00000000), ref: 6E013591
SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,00000000,6E035838,?), ref: 6E0135AD
SECITEM_CopyItem_Util.NSSUTIL3(00000000,?,6E0120EB,00000008), ref: 6E0135D2
SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,00000008,6E035688,?), ref: 6E0135F1
SECITEM_CopyItem_Util.NSSUTIL3(00000000,?,00000028,00000000), ref: 6E013617
SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,00000000,6E035878,?), ref: 6E013633
SECITEM_CopyItem_Util.NSSUTIL3(00000000,?,00000028,00000000), ref: 6E013659
SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,00000000,6E0358D8,?), ref: 6E013671
SECITEM_CopyItem_Util.NSSUTIL3(00000000,00000070,6E0120EB,00000008), ref: 6E013691
PORT_GetError_Util.NSSUTIL3(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E0136CB
PORT_SetError_Util.NSSUTIL3(FFFFE00F,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E0136DC
PORT_FreeArena_Util.NSSUTIL3(?,00000001,00000000,?,?,?,?,?,?,6E0120EB,00000018,?), ref: 6E0136EC
SECITEM_ZfreeItem_Util.NSSUTIL3(?,00000001,00000000,?,?,?,?,?,?,6E0120EB,00000018,?), ref: 6E0136FF
PORT_FreeArena_Util.NSSUTIL3(00000000,00000001,00000000,?,?,?,?,?,?,6E0120EB,00000018,?), ref: 6E013712

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Item_$DecodeQuick$Copy$Arena_$Error_$Alloc_ArenaFree$AlgorithmTag_Zfree
String ID:
API String ID: 1576164735-0
Opcode ID: e53b558e1a52fe090bd3ab8c559e52ea629e1c9a36d98f3d373e465ac2d61f32
Instruction ID: d0f589032344b9756cab69e28ff8b7ec4e325ac7132bd7fba1670fb79c0f7a7c
Opcode Fuzzy Hash: e53b558e1a52fe090bd3ab8c559e52ea629e1c9a36d98f3d373e465ac2d61f32
Instruction Fuzzy Hash: C781C3B64083066FE311DAF48C85BD772ECAB58294F450D3AF9699B344F739D50887A2

Uniqueness

Uniqueness Score: -1.00%

Function 6E011100 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 193fileCOMMON

Download Yara Rule

APIs

NSSBase64_EncodeItem_Util.NSSUTIL3(00000000,?,0000001D,?,?), ref: 6E0111E0
PR_smprintf.NSPR4(%s/%s,?,00000062), ref: 6E011250
PR_Access.NSPR4(?,00000001,?,?,?,?,?,?,?,?,?,?), ref: 6E011268
PR_MkDir.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E011287
PR_OpenFile.NSPR4(00000000,0000002A,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E01129B
PR_GetError.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E0112AA
PR_Delete.NSPR4(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E0112B5
PR_smprintf_free.NSPR4(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E0112BC
PR_Write.NSPR4(00000000,?,?), ref: 6E0112CA
PR_GetError.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E0112D2
PR_Close.NSPR4(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E0112DD
PR_Delete.NSPR4(00000000), ref: 6E0112F2
PR_smprintf_free.NSPR4(00000000), ref: 6E0112F9
PR_SetError.NSPR4(?,00000000,?,?,?,?,?,?,?,?,?), ref: 6E011321

Strings

&, xrefs: 6E011213
%s/%s, xrefs: 6E01124B
&, xrefs: 6E01115B

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Error$DeleteR_smprintf_free$AccessBase64_CloseEncodeFileItem_OpenR_smprintfUtilWrite
String ID: %s/%s$&$&
API String ID: 3983755725-3961742526
Opcode ID: 1a78db02d6b5a562f5641046af4708a5a2309ddab77f7dbbd864615e9b99e849
Instruction ID: 7ab7aac190a26897ec432d078ed51cd2ceff26b4db7049a3d6094b644b68f99e
Opcode Fuzzy Hash: 1a78db02d6b5a562f5641046af4708a5a2309ddab77f7dbbd864615e9b99e849
Instruction Fuzzy Hash: 7261B074508346AFDB14CFD4C844B9ABBF9FF5A344F044818F8889B251E774E918CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E020BD0 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 442
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E6E020BD0(intOrPtr __eax) {
				signed int* _t175;
				signed short _t185;
				signed int _t187;
				intOrPtr _t191;
				signed int _t208;
				intOrPtr _t209;
				void* _t210;
				signed int _t221;
				signed int _t222;
				signed short _t233;
				signed int* _t237;
				intOrPtr _t246;
				signed int _t261;
				signed int _t262;
				signed short _t263;
				signed int _t264;
				signed short _t265;
				signed int _t266;
				signed int _t268;
				char _t283;
				signed int _t310;
				signed int _t311;
				signed int _t318;
				intOrPtr _t323;
				signed int _t324;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				signed int* _t329;
				intOrPtr _t330;
				signed int _t331;
				intOrPtr _t332;
				signed int _t339;
				signed int _t344;
				signed int _t345;
				void* _t348;
				signed char* _t350;
				signed char* _t353;
				signed int _t355;
				signed int* _t357;
				signed int _t360;
				signed int _t368;
				void* _t369;
				void* _t370;
				void* _t371;

				_t331 = 0x32;
				 *((intOrPtr*)(_t369 + 0x30)) = 0;
				_t261 = 0;
				 *((intOrPtr*)(_t369 + 0x1c)) = 0;
				_push(0x800);
				 *(_t369 + 0x10) = 0x32;
				 *((intOrPtr*)(_t369 + 0x2c)) = 0;
				 *((intOrPtr*)(_t369 + 0x38)) = 0;
				 *((intOrPtr*)(_t369 + 0x44)) = 0;
				 *((intOrPtr*)(_t369 + 0x40)) = 0;
				 *((intOrPtr*)(_t369 + 0x28)) = 0;
				L6E025ABE();
				_t323 = __eax;
				_t370 = _t369 + 4;
				 *((intOrPtr*)(_t370 + 0x10)) = __eax;
				if(__eax != 0) {
					_t357 =  *(_t370 + 0x60);
					if(_t357[1] < 0x10) {
						L55:
						_push(0xffffe012);
						L6E025AB2();
						_t371 = _t370 + 4;
						goto L56;
					} else {
						_t344 =  *_t357;
						_t283 =  *((intOrPtr*)(_t344 + 6));
						 *((char*)(_t370 + 0x13)) = _t283;
						 *(_t370 + 0x40) = 0 | _t283 != 0x00000000;
						 *(_t370 + 0x58) = 0 |  *((intOrPtr*)(_t344 + 7)) != 0x00000000;
						_t175 =  *(_t370 + 0x68);
						if(_t175 != 0) {
							 *_t175 =  *(_t370 + 0x40);
							_t331 =  *(_t370 + 0x14);
						}
						if(_t283 == 0) {
							L11:
							if( *_t344 != _t261 ||  *((char*)(_t344 + 1)) < 6) {
								goto L15;
							} else {
								if(_t357[1] < 0x26) {
									goto L55;
								} else {
									 *(_t370 + 0x14) = ((( *(_t344 + 0x10) & 0x000000ff) << 0x00000008 |  *(_t344 + 0x11) & 0x000000ff) << 0x00000008 |  *(_t344 + 0x12) & 0x000000ff) << 0x00000008 |  *(_t344 + 0x13) & 0x000000ff;
									_t331 =  *(_t370 + 0x14);
									 *(_t370 + 0x30) = ((( *(_t344 + 0x14) & 0x000000ff) << 0x00000008 |  *(_t344 + 0x15) & 0x000000ff) << 0x00000008 |  *(_t344 + 0x16) & 0x000000ff) << 0x00000008 |  *(_t344 + 0x17) & 0x000000ff;
									_t261 = 1;
									 *((intOrPtr*)(_t370 + 0x2c)) = 1;
									 *(_t370 + 0x48) = 0 |  *((intOrPtr*)(_t344 + 0x19)) != 0x00000000;
									 *(_t370 + 0x44) = 0 |  *((intOrPtr*)(_t344 + 0x1a)) != 0x00000000;
									goto L15;
								}
							}
						} else {
							_push( *(_t370 + 0x60));
							_push(_t323);
							L6E025B7E();
							_t371 = _t370 + 8;
							 *(_t371 + 0x24) = _t175;
							if(_t175 == 0) {
								L56:
								_push(1);
								_push( *(_t371 + 0x1c));
								L6E025AC4();
								return 0;
							} else {
								_t283 =  *((intOrPtr*)(_t371 + 0x13));
								if(_t283 == 0) {
									goto L11;
								} else {
									if( *_t344 != _t261) {
										L15:
										if(_t283 != 0 && _t261 == 0) {
											_t331 = 0;
											 *(_t370 + 0x30) = 0x64;
											 *(_t370 + 0x14) = 0;
										}
										_t324 = _t357[1];
										 *(_t370 + 0x54) = ((( *(_t344 + 8) & 0x000000ff) << 0x00000008 |  *(_t344 + 9) & 0x000000ff) << 0x00000008 |  *(_t344 + 0xa) & 0x000000ff) << 0x00000008 |  *(_t344 + 0xb) & 0x000000ff;
										 *(_t370 + 0x50) = ((( *(_t344 + 0xc) & 0x000000ff) << 0x00000008 |  *(_t344 + 0xd) & 0x000000ff) << 0x00000008 |  *(_t344 + 0xe) & 0x000000ff) << 0x00000008 |  *(_t344 + 0xf) & 0x000000ff;
										 *(_t370 + 0x4c) = (( *(_t344 + 4) & 0x000000ff) << 0x00000008 |  *(_t344 + 5) & 0x000000ff) & 0x0000ffff;
										_t185 = (( *(_t344 + 2) & 0x000000ff) << 0x00000008 |  *(_t344 + 3) & 0x000000ff) & 0x0000ffff;
										_t262 = _t185 & 0x0000ffff;
										 *(_t370 + 0x20) = _t185;
										_t70 = _t262 + 2; // 0x2
										if(_t324 < _t70) {
											goto L55;
										} else {
											_t187 =  *_t357;
											 *(_t370 + 0x1c) = _t187;
											_t345 = ( *(_t187 + _t262 + 1) & 0x000000ff | ( *(_t187 + _t262) & 0x000000ff) << 0x00000008) & 0x0000ffff;
											_t263 = _t262 + _t345;
											 *(_t370 + 0x28) = _t263;
											_t76 = _t263 + 2; // 0x2
											if(_t324 < _t76) {
												goto L55;
											} else {
												_t77 = _t345 + 1; // 0x5
												_t191 = _t77;
												_push(_t191);
												_push( *(_t370 + 0x1c));
												L6E025ACA();
												_t371 = _t370 + 8;
												 *((intOrPtr*)(_t371 + 0x34)) = _t191;
												if(_t191 == 0) {
													goto L56;
												} else {
													E6E0267A0( *((intOrPtr*)(_t371 + 0x3c)), ( *(_t371 + 0x20) & 0x0000ffff) +  *(_t371 + 0x1c) + 2, _t345);
													_t370 = _t371 + 0xc;
													 *((char*)(_t345 +  *(_t371 + 0x40))) = 0;
													_t85 = _t263 + 4; // 0x4
													_t326 = _t357[1];
													if(_t326 < _t85) {
														goto L55;
													} else {
														_t264 = ( *( *(_t370 + 0x1c) + _t263 + 3) & 0x000000ff | ( *( *(_t370 + 0x1c) + _t263 + 2) & 0x000000ff) << 0x00000008) & 0x0000ffff;
														if(_t264 == 0) {
															L26:
															_t348 =  *(_t370 + 0x28) + 4 + _t264;
															if( *((char*)(_t370 + 0x13)) != 0 ||  *((intOrPtr*)(_t370 + 0x2c)) == 0) {
																L34:
																_t265 =  *(_t370 + 0x4c);
																if(_t265 <  *(_t370 + 0x20) || (_t265 & 0x0000ffff) >= _t348) {
																	_t327 = _t357[1];
																	_t310 = _t265 & 0x0000ffff;
																	if(_t327 < _t310 + 2) {
																		goto L55;
																	} else {
																		_t350 =  *_t357 + _t310;
																		_t360 = ( *_t350 & 0x000000ff) << 0x00000008 & 0x0000ffff | _t350[1] & 0x000000ff;
																		 *(_t370 + 0x1c) = _t360;
																		if(_t265 >=  *(_t370 + 0x20)) {
																			L39:
																			if(_t327 < (_t360 << 5) + 2 + _t310) {
																				goto L55;
																			} else {
																				_t208 = _t360 * 4;
																				_push(_t208);
																				_push( *(_t370 + 0x1c));
																				L6E025AD0();
																				_t311 = _t208;
																				_t371 = _t370 + 8;
																				 *(_t371 + 0x28) = _t311;
																				if(_t311 == 0) {
																					goto L56;
																				} else {
																					_t266 = 0;
																					if(_t360 == 0) {
																						L53:
																						_t209 =  *((intOrPtr*)(_t371 + 0x44));
																						L6E025BC6();
																						_t332 = _t209;
																						_t210 = E6E0215F0( *((intOrPtr*)(_t371 + 0x58)), _t360);
																						L6E025BBA();
																						__imp__PR_smprintf_free(_t332,  *((intOrPtr*)(_t371 + 0x78)),  *((intOrPtr*)(_t371 + 0x70)),  *((intOrPtr*)(_t371 + 0x5c)), _t332, _t311, _t360, _t209,  *((intOrPtr*)(_t371 + 0x74)),  *((intOrPtr*)(_t371 + 0x60)),  *((intOrPtr*)(_t371 + 0x58)), _t209, _t331,  *((intOrPtr*)(_t371 + 0x38)),  *((intOrPtr*)(_t371 + 0x58)),  *((intOrPtr*)(_t371 + 0x50)));
																						_push(1);
																						_push( *((intOrPtr*)(_t371 + 0x64)));
																						L6E025AC4();
																						return _t210;
																					} else {
																						_t353 =  &(_t350[4]);
																						while(1) {
																							_t368 = ((( *(_t353 - 2) & 0x000000ff) << 0x00000008 |  *(_t353 - 1) & 0x000000ff) << 0x00000008 |  *_t353 & 0x000000ff) << 0x00000008 | _t353[1] & 0x000000ff;
																							_t339 = (((_t353[2] & 0x000000ff) << 0x00000008 | _t353[3] & 0x000000ff) << 0x00000008 | _t353[4] & 0x000000ff) << 0x00000008 | _t353[5] & 0x000000ff;
																							_t318 = (((_t353[6] & 0x000000ff) << 0x00000008 | _t353[7] & 0x000000ff) << 0x00000008 | _t353[8] & 0x000000ff) << 0x00000008 | _t353[9] & 0x000000ff;
																							_t221 = _t353[0xb] & 0x000000ff;
																							 *(_t371 + 0x4c) = _t318;
																							 *(_t371 + 0x20) = _t221;
																							if( *((intOrPtr*)(_t371 + 0x3c)) != 0 &&  *((char*)(_t371 + 0x13)) != 0 && _t368 != 2) {
																								_push("slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]");
																								_push("slotFlags");
																								L6E025BA2();
																								_t318 =  *(_t371 + 0x54);
																								_t371 = _t371 + 8;
																								_t339 = _t339 | _t221;
																								_t221 =  *(_t371 + 0x20);
																							}
																							if(_t221 != 0 &&  *((intOrPtr*)(_t371 + 0x2c)) == 0) {
																								 *(_t371 + 0x14) = 0x64;
																							}
																							_push(0);
																							_push(_t221);
																							_t222 = _t353[0xa] & 0x000000ff;
																							_push(_t222);
																							_push(_t318);
																							_push(_t339);
																							_push(_t368);
																							L6E025BAE();
																							_t311 =  *(_t371 + 0x40);
																							_t371 = _t371 + 0x18;
																							 *(_t311 + _t266 * 4) = _t222;
																							if(_t222 == 0) {
																								break;
																							}
																							_t360 =  *(_t371 + 0x1c);
																							_t266 = _t266 + 1;
																							_t353 =  &(_t353[0x20]);
																							if(_t266 < _t360) {
																								continue;
																							} else {
																								_t331 =  *(_t371 + 0x14);
																								goto L53;
																							}
																							goto L57;
																						}
																						E6E0215F0(_t311, _t266);
																						_t371 = _t371 + 8;
																						goto L56;
																					}
																				}
																			}
																		} else {
																			_t331 =  *(_t370 + 0x14);
																			if(( *(_t370 + 0x20) & 0x0000ffff) < (_t360 << 5) + 2 + _t310) {
																				goto L55;
																			} else {
																				goto L39;
																			}
																		}
																	}
																} else {
																	goto L55;
																}
															} else {
																_t328 = _t357[1];
																if(_t328 < _t348 + 2) {
																	goto L55;
																} else {
																	_t233 = ( *( *(_t370 + 0x1c) + _t348 + 1) & 0x000000ff | ( *( *(_t370 + 0x1c) + _t348) & 0x000000ff) << 0x00000008) & 0x0000ffff;
																	 *(_t370 + 0x28) = _t233;
																	if(_t233 == 0) {
																		L33:
																		_t348 = _t348 + 2 + (_t233 & 0x0000ffff);
																		goto L34;
																	} else {
																		_t268 = _t233 & 0x0000ffff;
																		if(_t328 < _t348 + 2 + _t268) {
																			goto L55;
																		} else {
																			_t111 = _t268 + 1; // 0x1
																			_t237 = _t111;
																			_push(_t237);
																			_push( *(_t370 + 0x1c));
																			L6E025ACA();
																			_t329 = _t237;
																			_t371 = _t370 + 8;
																			 *(_t371 + 0x24) = _t329;
																			if(_t329 == 0) {
																				goto L56;
																			} else {
																				E6E0267A0(_t329,  *(_t371 + 0x1c) + 2 + _t348, _t268);
																				_t370 = _t371 + 0xc;
																				 *((char*)(_t268 +  *((intOrPtr*)(_t371 + 0x30)))) = 0;
																				_t233 =  *(_t370 + 0x28);
																				goto L33;
																			}
																		}
																	}
																}
															}
														} else {
															_t355 = _t264;
															if(_t326 <  *(_t370 + 0x28) + 4 + _t355) {
																goto L55;
															} else {
																_t93 = _t355 + 1; // 0x1
																_t246 = _t93;
																_push(_t246);
																_push( *(_t370 + 0x1c));
																L6E025ACA();
																_t330 = _t246;
																_t371 = _t370 + 8;
																 *((intOrPtr*)(_t371 + 0x38)) = _t330;
																if(_t330 == 0) {
																	goto L56;
																} else {
																	E6E0267A0(_t330,  *(_t371 + 0x1c) +  *(_t371 + 0x28) + 4, _t355);
																	_t370 = _t371 + 0xc;
																	 *((char*)(_t355 +  *((intOrPtr*)(_t371 + 0x44)))) = 0;
																	goto L26;
																}
															}
														}
													}
												}
											}
										}
									} else {
										if( *((char*)(_t344 + 1)) <= 4) {
											 *((intOrPtr*)(_t371 + 0x3c)) = 1;
										}
										goto L11;
									}
								}
							}
						}
					}
				} else {
					return __eax;
				}
				L57:
			}

0x6e020bd5
0x6e020bda
0x6e020be2
0x6e020be4
0x6e020bec
0x6e020bf1
0x6e020bf5
0x6e020bfd
0x6e020c05
0x6e020c0d
0x6e020c15
0x6e020c19
0x6e020c1e
0x6e020c20
0x6e020c23
0x6e020c29
0x6e020c32
0x6e020c3b
0x6e021150
0x6e021150
0x6e021155
0x6e02115a
0x00000000
0x6e020c41
0x6e020c41
0x6e020c46
0x6e020c4b
0x6e020c52
0x6e020c5e
0x6e020c62
0x6e020c68
0x6e020c6e
0x6e020c70
0x6e020c70
0x6e020c76
0x6e020caf
0x6e020cb1
0x00000000
0x6e020cb9
0x6e020cbd
0x00000000
0x6e020cc3
0x6e020ce6
0x6e020cf3
0x6e020d0e
0x6e020d12
0x6e020d1a
0x6e020d1e
0x6e020d2a
0x00000000
0x6e020d2a
0x6e020cbd
0x6e020c78
0x6e020c78
0x6e020c7c
0x6e020c7d
0x6e020c82
0x6e020c85
0x6e020c8b
0x6e02115d
0x6e02115d
0x6e02115f
0x6e021163
0x6e021174
0x6e020c91
0x6e020c91
0x6e020c97
0x00000000
0x6e020c99
0x6e020c9b
0x6e020d2e
0x6e020d30
0x6e020d36
0x6e020d38
0x6e020d40
0x6e020d40
0x6e020d51
0x6e020d6a
0x6e020d8d
0x6e020da3
0x6e020db2
0x6e020db5
0x6e020db8
0x6e020dbc
0x6e020dc1
0x00000000
0x6e020dc7
0x6e020dc7
0x6e020dca
0x6e020dde
0x6e020de1
0x6e020de3
0x6e020de7
0x6e020dec
0x00000000
0x6e020df2
0x6e020df2
0x6e020df2
0x6e020df5
0x6e020df6
0x6e020dfa
0x6e020dff
0x6e020e02
0x6e020e08
0x00000000
0x6e020e0e
0x6e020e24
0x6e020e2d
0x6e020e30
0x6e020e34
0x6e020e37
0x6e020e3c
0x00000000
0x6e020e42
0x6e020e57
0x6e020e5d
0x6e020eb0
0x6e020eb7
0x6e020ebe
0x6e020f53
0x6e020f53
0x6e020f5c
0x6e020f69
0x6e020f6c
0x6e020f74
0x00000000
0x6e020f7a
0x6e020f7d
0x6e020f8d
0x6e020f8f
0x6e020f98
0x6e020fb7
0x6e020fc3
0x00000000
0x6e020fc9
0x6e020fc9
0x6e020fd0
0x6e020fd1
0x6e020fd5
0x6e020fda
0x6e020fdc
0x6e020fdf
0x6e020fe5
0x00000000
0x6e020feb
0x6e020feb
0x6e020fef
0x6e0210dc
0x6e0210e0
0x6e0210fd
0x6e021107
0x6e021109
0x6e02111b
0x6e021126
0x6e02112c
0x6e02112e
0x6e021132
0x6e021143
0x6e020ff5
0x6e020ff5
0x6e021000
0x6e02102a
0x6e021042
0x6e02105a
0x6e021061
0x6e021065
0x6e021069
0x6e02106d
0x6e02107b
0x6e021080
0x6e021085
0x6e02108a
0x6e02108e
0x6e021091
0x6e021093
0x6e021093
0x6e021099
0x6e0210a2
0x6e0210a2
0x6e0210aa
0x6e0210ac
0x6e0210ad
0x6e0210b1
0x6e0210b2
0x6e0210b3
0x6e0210b4
0x6e0210b5
0x6e0210ba
0x6e0210be
0x6e0210c1
0x6e0210c6
0x00000000
0x00000000
0x6e0210c8
0x6e0210cc
0x6e0210cd
0x6e0210d2
0x00000000
0x6e0210d8
0x6e0210d8
0x00000000
0x6e0210d8
0x00000000
0x6e0210d2
0x6e021146
0x6e02114b
0x00000000
0x6e02114b
0x6e020fef
0x6e020fe5
0x6e020f9a
0x6e020fa9
0x6e020fb1
0x00000000
0x00000000
0x00000000
0x00000000
0x6e020fb1
0x6e020f98
0x00000000
0x00000000
0x00000000
0x6e020ecf
0x6e020ecf
0x6e020ed7
0x00000000
0x6e020edd
0x6e020ef1
0x6e020ef4
0x6e020efb
0x6e020f4b
0x6e020f51
0x00000000
0x6e020efd
0x6e020efd
0x6e020f07
0x00000000
0x6e020f0d
0x6e020f0d
0x6e020f0d
0x6e020f10
0x6e020f11
0x6e020f15
0x6e020f1a
0x6e020f1c
0x6e020f1f
0x6e020f25
0x00000000
0x6e020f2b
0x6e020f37
0x6e020f40
0x6e020f43
0x6e020f47
0x00000000
0x6e020f47
0x6e020f25
0x6e020f07
0x6e020efb
0x6e020ed7
0x6e020e5f
0x6e020e63
0x6e020e6c
0x00000000
0x6e020e72
0x6e020e72
0x6e020e72
0x6e020e75
0x6e020e76
0x6e020e7a
0x6e020e7f
0x6e020e81
0x6e020e84
0x6e020e8a
0x00000000
0x6e020e90
0x6e020ea0
0x6e020ea9
0x6e020eac
0x00000000
0x6e020eac
0x6e020e8a
0x6e020e6c
0x6e020e5d
0x6e020e3c
0x6e020e08
0x6e020dec
0x6e020ca1
0x6e020ca5
0x6e020ca7
0x6e020ca7
0x00000000
0x6e020ca5
0x6e020c9b
0x6e020c97
0x6e020c8b
0x6e020c76
0x6e020c30
0x6e020c30
0x6e020c30
0x00000000

APIs

PORT_NewArena_Util.NSSUTIL3(?,?,?,?,00000800), ref: 6E020C19
PORT_ArenaStrdup_Util.NSSUTIL3(00000000,?,00000004,00000000,0000000A), ref: 6E020C7D

Strings

d, xrefs: 6E0210A2
slotFlags, xrefs: 6E021080
slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512], xrefs: 6E02107B
d, xrefs: 6E020D38

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$ArenaArena_Strdup_
String ID: d$d$slotFlags$slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]
API String ID: 443542217-3984357275
Opcode ID: b52df7e862f8a656d0b97150e8ebbe13225e873ec0f04f27ab30400edb7f1b6f
Instruction ID: af51277cb03d6ea53011be5525a8045382d9ded23c157a5806d22498dc242cef
Opcode Fuzzy Hash: b52df7e862f8a656d0b97150e8ebbe13225e873ec0f04f27ab30400edb7f1b6f
Instruction Fuzzy Hash: 07F106709083915FD321CFA988A076BBFE5AFC5345F08493DF8E587241E27AD908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB65B0 Relevance: 31.9, APIs: 21, Instructions: 385memoryCOMMON

Download Yara Rule

APIs

PR_Lock.NSPR4(?,?,?,00000000,00000000,?,?,?,?,?,6DFB6CB3,?,?,?,?,?), ref: 6DFB65D1
SECITEM_CompareItem_Util.NSSUTIL3(?,?,?,?,?,?,?,?,6DFB6CB3,?,?,?,?,?), ref: 6DFB65F7
PORT_ZAlloc_Util.NSSUTIL3(0000033C,?,?,?,?,?,?,6DFB6CB3,?,?,?,?,?), ref: 6DFB661C
SECITEM_CopyItem_Util.NSSUTIL3(00000013,?,?,?,?,?,?,?,?,?,6DFB6CB3,?,?,?,?,?), ref: 6DFB667A
PR_WaitCondVar.NSPR4(000000FF,?,?,?,?,?,?,6DFB6CB3,?,?,?,?,?), ref: 6DFB66BA
PR_Unlock.NSPR4(?,?,?,?,?,?,6DFB6CB3,?,?,?,?,?), ref: 6DFB66C6
PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,00000000,00000000,?,?,?,?,?,6DFB6CB3,?,?,?,?,?), ref: 6DFB66E1
PORT_ZFree_Util.NSSUTIL3(?,0000033C,?,?,?,?,?,?,?,?,?,?,6DFB6CB3,?,?,?), ref: 6DFB66FA
PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,6DFB6CB3,?,?,?,?,?), ref: 6DFB670A
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,?,?,6DFB6CB3,?,?,?,?,?), ref: 6DFB6733
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,6DFB6CB3,?,?,?,?,?), ref: 6DFB674B
PR_Unlock.NSPR4(?,?,?,?,?,?,6DFB6CB3,?,?,?,?,?), ref: 6DFB6766
PORT_Alloc_Util.NSSUTIL3(?,?,?,?,?,?,?,?,?,?,?,?,?,6DFB6CB3,?,?), ref: 6DFB67CA
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,?,?,?,?,?,?,6DFB6CB3,?), ref: 6DFB67DF
PORT_ZFree_Util.NSSUTIL3(?,?), ref: 6DFB686C
PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,?,?,?,?,?,6DFB6CB3,?,?,?,?), ref: 6DFB68A7
PR_NotifyAllCondVar.NSPR4 ref: 6DFB6991
PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,6DFB6CB3,?,?,?), ref: 6DFB69E9
PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?,?,?,?,?,?,6DFB6CB3,?,?,?,?,?), ref: 6DFB6A01
PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,?,?,?,?,6DFB6CB3,?,?,?,?,?), ref: 6DFB6A19
PR_NotifyCondVar.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,6DFB6CB3,?,?,?), ref: 6DFB6A7A

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Unlock$Cond$Alloc_Free_Item_Notify$CompareCopyLockWait
String ID:
API String ID: 1932142151-0
Opcode ID: 4282d445355fce3b7c1a62aea84716a9690043c947663c26d8809e6713de3bd5
Instruction ID: 2bfbb2cc5b79168170b27131ed711eacaf060e46efff5850cad4416c447b7fb9
Opcode Fuzzy Hash: 4282d445355fce3b7c1a62aea84716a9690043c947663c26d8809e6713de3bd5
Instruction Fuzzy Hash: F9D1C3B1804205ABCB009F6DEC84B5B7BF9EF45318F114539FA188B251EB76D929C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 6DFADCC0 Relevance: 30.4, APIs: 20, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSSUTIL3(00000800), ref: 6DFADCE6
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFADCF9
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,0000001C), ref: 6DFADD0E
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFADD21
PORT_FreeArena_Util.NSSUTIL3(00000000,00000001,FFFFE013), ref: 6DFADD29
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFAE11A

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Arena_$Alloc_ArenaFree
String ID:
API String ID: 1144393034-0
Opcode ID: 9d48a0cfbd1620dccac3a932869147f3f04e9ea4d9f848c92ca90ea30de7c88a
Instruction ID: 70b5d23d42e95c3716017c9b05c44ca00675f78c7176531db066c923a04c4f35
Opcode Fuzzy Hash: 9d48a0cfbd1620dccac3a932869147f3f04e9ea4d9f848c92ca90ea30de7c88a
Instruction Fuzzy Hash: 66B1D4B3D0921597D71086ACAC40A8FB3DC9F84764F0A0636FE65D7280FB66D919C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB5400 Relevance: 28.8, APIs: 19, Instructions: 343memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSSUTIL3(00000800), ref: 6DFB5456
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFB546D
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000070), ref: 6DFB5482
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFB5497
PORT_FreeArena_Util.NSSUTIL3(00000000,00000001,FFFFE013), ref: 6DFB549F
SECITEM_AllocItem_Util.NSSUTIL3(?,?,00000001), ref: 6DFB553C
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFB557F
PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6DFB5718
PORT_FreeArena_Util.NSSUTIL3(?,00000001), ref: 6DFB5726
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFB57D4

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Arena_$Free$AllocAlloc_ArenaItem_
String ID:
API String ID: 2947440340-0
Opcode ID: 340e1f92bfda261b8293f073f5555e3c19d71c6e0d6f8b94ce06a66e67fd1e2f
Instruction ID: 53b942f4c00ea55651b99584a245e3b79a22557d8fb6e43bd3bc11da9519646f
Opcode Fuzzy Hash: 340e1f92bfda261b8293f073f5555e3c19d71c6e0d6f8b94ce06a66e67fd1e2f
Instruction Fuzzy Hash: E1A1F9B2A0C3095BD7109AADEC80AAF73D9EF80354F140939FB54C2250F77ADA598793

Uniqueness

Uniqueness Score: -1.00%

Function 6E01B410 Relevance: 28.7, APIs: 19, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E6E01B410(void* __eax, intOrPtr _a4) {
				signed int _t39;
				intOrPtr _t52;
				void* _t55;
				void* _t56;
				void* _t57;

				_push(0x800);
				L6E025ABE();
				_t55 = __eax;
				_t57 = _t56 + 4;
				if(__eax != 0) {
					_t52 = _a4;
					_t39 =  *(_t52 + 4);
					if(_t39 > 5) {
						L9:
						_push(0);
						_push(_t55);
						L6E025AC4();
						_t39 = 0;
						goto L10;
					} else {
						switch( *((intOrPtr*)(_t39 * 4 +  &M6E01B614))) {
							case 0:
								_push(0x98);
								_push(__eax);
								L6E025AD0();
								_t48 = _t39;
								_t59 = _t57 + 8;
								if(_t48 == 0) {
									_push(0xffffe013);
									L6E025AB2();
									_t57 = _t59 + 4;
									goto L9;
								} else {
									 *_t48 = __eax;
									 *(_t48 + 4) =  *(_t52 + 4);
									if( *(_t52 + 4) == 0) {
										L10:
										return _t39;
									} else {
										_push(_t52 + 0x18);
										_t9 = _t48 + 0xc; // 0xc
										_t41 = _t9;
										_push(_t41);
										_push(__eax);
										L6E025AD6();
										_t57 = _t59 + 0xc;
										if(_t41 != 0) {
											goto L9;
										} else {
											_t42 = _t52 + 0x24;
											goto L21;
										}
									}
								}
								goto L28;
							case 1:
								_push(0x98);
								_push(__esi);
								L6E025AD0();
								__ebx = __eax;
								__esp = __esp + 8;
								if(__ebx == 0) {
									goto L9;
								} else {
									 *__ebx = __esi;
									 *((intOrPtr*)(__ebx + 4)) =  *((intOrPtr*)(__edi + 4));
									_push(__edi + 0x30);
									_t14 = __ebx + 0x30; // 0x30
									_push(_t14);
									_push(__esi);
									L6E025AD6();
									__esp = __esp + 0xc;
									if(__eax != 0) {
										goto L9;
									} else {
										__eax = __edi + 0xc;
										_push(__edi + 0xc);
										_t16 = __ebx + 0xc; // 0xc
										__eax = _t16;
										_push(__eax);
										_push(__esi);
										L6E025AD6();
										__esp = __esp + 0xc;
										if(__eax != 0) {
											goto L9;
										} else {
											__eax = __edi + 0x18;
											_push(__edi + 0x18);
											_t18 = __ebx + 0x18; // 0x18
											__eax = _t18;
											_push(__eax);
											_push(__esi);
											L6E025AD6();
											__esp = __esp + 0xc;
											if(__eax != 0) {
												goto L9;
											} else {
												__eax = __edi + 0x24;
												_push(__edi + 0x24);
												_t20 = __ebx + 0x24; // 0x24
												__eax = _t20;
												_push(__eax);
												_push(__esi);
												L6E025AD6();
												__esp = __esp + 0xc;
												if(__eax != 0) {
													goto L9;
												} else {
													_pop(__edi);
													__eax = __ebx;
													_pop(__ebx);
													return __ebx;
												}
											}
										}
									}
								}
								goto L28;
							case 2:
								goto L9;
							case 3:
								_push(0x98);
								_push(__esi);
								L6E025AD0();
								__ebx = __eax;
								__esp = __esp + 8;
								if(__ebx == 0) {
									goto L9;
								} else {
									 *__ebx = __esi;
									 *((intOrPtr*)(__ebx + 4)) =  *((intOrPtr*)(__edi + 4));
									_push(__edi + 0x24);
									_t24 = __ebx + 0x24; // 0x24
									_push(_t24);
									_push(__esi);
									L6E025AD6();
									__esp = __esp + 0xc;
									if(__eax != 0) {
										goto L9;
									} else {
										__eax = __edi + 0xc;
										_push(__edi + 0xc);
										_t26 = __ebx + 0xc; // 0xc
										__eax = _t26;
										_push(__eax);
										_push(__esi);
										L6E025AD6();
										__esp = __esp + 0xc;
										if(__eax != 0) {
											goto L9;
										} else {
											__eax = __edi + 0x18;
											L21:
											_push(_t42);
											_t28 = _t48 + 0x18; // 0x18
											_t43 = _t28;
											_push(_t43);
											_push(_t55);
											L6E025AD6();
											_t57 = _t57 + 0xc;
											if(_t43 != 0) {
												goto L9;
											} else {
												return _t48;
											}
										}
									}
								}
								goto L28;
							case 4:
								_push(0x98);
								_push(__esi);
								L6E025AD0();
								__ebx = __eax;
								__esp = __esp + 8;
								if(__ebx == 0) {
									goto L9;
								} else {
									 *__ebx = __esi;
									 *((intOrPtr*)(__ebx + 4)) =  *((intOrPtr*)(__edi + 4));
									_push(__edi + 0x8c);
									_t32 = __ebx + 0x8c; // 0x8c
									_push(_t32);
									_push(__esi);
									L6E025AD6();
									__esp = __esp + 0xc;
									if(__eax != 0) {
										goto L9;
									} else {
										__eax = __edi + 0x70;
										 *((intOrPtr*)(__ebx + 8)) = __esi;
										_push(__edi + 0x70);
										_t35 = __ebx + 0x70; // 0x70
										__eax = _t35;
										_push(__eax);
										_push(__esi);
										L6E025AD6();
										__esp = __esp + 0xc;
										if(__eax != 0) {
											goto L9;
										} else {
											__eax = __edi + 0x80;
											_push(__edi + 0x80);
											_t37 = __ebx + 0x80; // 0x80
											__eax = _t37;
											_push(__eax);
											_push(__esi);
											L6E025AD6();
											__esp = __esp + 0xc;
											if(__eax != 0) {
												goto L9;
											} else {
												_pop(__edi);
												__eax = __ebx;
												_pop(__ebx);
												return __ebx;
											}
										}
									}
								}
								goto L28;
						}
					}
				} else {
					_push(0xffffe013);
					L6E025AB2();
					return 0;
				}
				L28:
			}

0x6e01b411
0x6e01b416
0x6e01b41b
0x6e01b41d
0x6e01b422
0x6e01b437
0x6e01b43b
0x6e01b441
0x6e01b496
0x6e01b496
0x6e01b498
0x6e01b499
0x6e01b4a1
0x00000000
0x6e01b443
0x6e01b443
0x00000000
0x6e01b44a
0x6e01b44f
0x6e01b450
0x6e01b455
0x6e01b457
0x6e01b45c
0x6e01b489
0x6e01b48e
0x6e01b493
0x00000000
0x6e01b45e
0x6e01b45e
0x6e01b463
0x6e01b46a
0x6e01b4a3
0x6e01b4a6
0x6e01b46c
0x6e01b46f
0x6e01b470
0x6e01b470
0x6e01b473
0x6e01b474
0x6e01b475
0x6e01b47a
0x6e01b47f
0x00000000
0x6e01b481
0x6e01b481
0x00000000
0x6e01b481
0x6e01b47f
0x6e01b46a
0x00000000
0x00000000
0x6e01b4a7
0x6e01b4ac
0x6e01b4ad
0x6e01b4b2
0x6e01b4b4
0x6e01b4b9
0x00000000
0x6e01b4bb
0x6e01b4bb
0x6e01b4c0
0x6e01b4c6
0x6e01b4c7
0x6e01b4ca
0x6e01b4cb
0x6e01b4cc
0x6e01b4d1
0x6e01b4d6
0x00000000
0x6e01b4d8
0x6e01b4d8
0x6e01b4db
0x6e01b4dc
0x6e01b4dc
0x6e01b4df
0x6e01b4e0
0x6e01b4e1
0x6e01b4e6
0x6e01b4eb
0x00000000
0x6e01b4ed
0x6e01b4ed
0x6e01b4f0
0x6e01b4f1
0x6e01b4f1
0x6e01b4f4
0x6e01b4f5
0x6e01b4f6
0x6e01b4fb
0x6e01b500
0x00000000
0x6e01b502
0x6e01b502
0x6e01b505
0x6e01b506
0x6e01b506
0x6e01b509
0x6e01b50a
0x6e01b50b
0x6e01b510
0x6e01b515
0x00000000
0x6e01b51b
0x6e01b51b
0x6e01b51c
0x6e01b51e
0x6e01b520
0x6e01b520
0x6e01b515
0x6e01b500
0x6e01b4eb
0x6e01b4d6
0x00000000
0x00000000
0x00000000
0x00000000
0x6e01b521
0x6e01b526
0x6e01b527
0x6e01b52c
0x6e01b52e
0x6e01b533
0x00000000
0x6e01b539
0x6e01b539
0x6e01b53e
0x6e01b544
0x6e01b545
0x6e01b548
0x6e01b549
0x6e01b54a
0x6e01b54f
0x6e01b554
0x00000000
0x6e01b55a
0x6e01b55a
0x6e01b55d
0x6e01b55e
0x6e01b55e
0x6e01b561
0x6e01b562
0x6e01b563
0x6e01b568
0x6e01b56d
0x00000000
0x6e01b573
0x6e01b573
0x6e01b576
0x6e01b576
0x6e01b577
0x6e01b577
0x6e01b57a
0x6e01b57b
0x6e01b57c
0x6e01b581
0x6e01b586
0x00000000
0x6e01b58c
0x6e01b591
0x6e01b591
0x6e01b586
0x6e01b56d
0x6e01b554
0x00000000
0x00000000
0x6e01b592
0x6e01b597
0x6e01b598
0x6e01b59d
0x6e01b59f
0x6e01b5a4
0x00000000
0x6e01b5aa
0x6e01b5aa
0x6e01b5af
0x6e01b5b8
0x6e01b5b9
0x6e01b5bf
0x6e01b5c0
0x6e01b5c1
0x6e01b5c6
0x6e01b5cb
0x00000000
0x6e01b5d1
0x6e01b5d1
0x6e01b5d4
0x6e01b5d7
0x6e01b5d8
0x6e01b5d8
0x6e01b5db
0x6e01b5dc
0x6e01b5dd
0x6e01b5e2
0x6e01b5e7
0x00000000
0x6e01b5ed
0x6e01b5ed
0x6e01b5f3
0x6e01b5f4
0x6e01b5f4
0x6e01b5fa
0x6e01b5fb
0x6e01b5fc
0x6e01b601
0x6e01b606
0x00000000
0x6e01b60c
0x6e01b60c
0x6e01b60d
0x6e01b60f
0x6e01b611
0x6e01b611
0x6e01b606
0x6e01b5e7
0x6e01b5cb
0x00000000
0x00000000
0x6e01b443
0x6e01b424
0x6e01b424
0x6e01b429
0x6e01b434
0x6e01b434
0x00000000

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,?,6E014D84,00000000), ref: 6E01B416
PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000), ref: 6E01B429

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_Error_
String ID:
API String ID: 1115575410-0
Opcode ID: 0bc985086bfdd95efaacd8e2899dd8e07cca8a4213c4ca425a653775ffae0c2a
Instruction ID: 4caef58f07d01f18e69ba602f74ac6c80e14ebe8d9743f54ea9ebd1fd1b3ed50
Opcode Fuzzy Hash: 0bc985086bfdd95efaacd8e2899dd8e07cca8a4213c4ca425a653775ffae0c2a
Instruction Fuzzy Hash: 2151ADB2505512ABE7419AD49DC2BD7B3ECFF18258F048236ED048B60DF734E619CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 6E012780 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 182
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E6E012780(signed int __eax) {
				void* __edi;
				void* __esi;
				intOrPtr _t37;
				void* _t41;
				intOrPtr* _t42;
				signed int _t43;
				signed int _t48;
				void* _t50;
				signed int _t51;
				intOrPtr _t52;
				void* _t54;
				void* _t56;
				signed int _t60;
				intOrPtr _t65;
				signed int _t66;
				signed int _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t77;
				void* _t78;

				_t65 =  *((intOrPtr*)(_t72 + 0x64));
				_t67 = _t66 | 0xffffffff;
				 *((intOrPtr*)(_t72 + 0xc)) = 0;
				if(_t65 != 0) {
					_push(0x800);
					 *(_t72 + 0x18) = "password-check";
					 *((intOrPtr*)(_t72 + 0x1c)) = 0xe;
					 *((intOrPtr*)(_t72 + 0x24)) = 0;
					L6E025ABE();
					_t60 = __eax;
					_t73 = _t72 + 4;
					if(__eax != 0) {
						_t69 = 0;
						_push(0x800);
						 *((intOrPtr*)(_t73 + 0x70)) = 0;
						 *((intOrPtr*)(_t73 + 0x28)) = 0;
						 *((intOrPtr*)(_t73 + 0x3c)) = 0;
						L6E025ABE();
						_t74 = _t73 + 4;
						 *((intOrPtr*)(_t74 + 0x10)) = __eax;
						if(__eax != 0) {
							_push( *((intOrPtr*)(_t74 + 0x70)) + 0xc);
							_push(0x6e035380);
							_t41 = _t74 + 0x4c;
							_push(_t41);
							_push(__eax);
							L6E025AEE();
							_t77 = _t74 + 0x10;
							if(_t41 != 0) {
								L9:
								_t42 =  *((intOrPtr*)(_t77 + 0x24));
								if(_t42 != 0) {
									_push(_t42);
									L6E025A9A();
									_t77 = _t77 + 4;
									 *((intOrPtr*)(_t77 + 0x24)) = 0;
								}
							} else {
								_t52 = _t77 + 0x44;
								_push(_t52);
								L6E025B12();
								 *((intOrPtr*)(_t77 + 0x18)) = _t52;
								_push(_t77 + 0x54);
								_push(0x6e035340);
								_t54 = _t77 + 0x38;
								_push(_t54);
								_push( *((intOrPtr*)(_t77 + 0x20)));
								L6E025AEE();
								_t77 = _t77 + 0x14;
								if(_t54 != 0) {
									goto L9;
								} else {
									_push(_t77 + 0x2c);
									_t56 = _t77 + 0x24;
									_push(_t56);
									_push(0);
									L6E025AD6();
									_t77 = _t77 + 0xc;
									if(_t56 != 0) {
										goto L9;
									} else {
										_t42 = _t77 + 0x5c;
										_push(_t42);
										L6E025ADC();
										_t69 = _t42;
										_t77 = _t77 + 4;
										 *((intOrPtr*)(_t77 + 0x6c)) = _t69;
										if(_t69 == 0) {
											goto L9;
										}
									}
								}
							}
							_push(0);
							_push( *((intOrPtr*)(_t77 + 0x14)));
							L6E025AC4();
							_t74 = _t77 + 8;
							if(_t69 != 0) {
								_push(0x24);
								_push(_t60);
								L6E025AD0();
								_t71 = _t42;
								_t78 = _t74 + 8;
								if(_t71 != 0) {
									_t43 = _t78 + 0x20;
									 *_t71 = _t60;
									_push(_t43);
									_t25 = _t71 + 0xc; // 0xc
									_push(_t60);
									L6E025AD6();
									_t67 = _t43;
									_t78 = _t78 + 0xc;
									if(_t67 == 0) {
										_t27 = _t71 + 0x18; // 0x18
										_t67 = E6E011930(_t27, _t60, _t27,  *((intOrPtr*)(_t78 + 0x18)),  *((intOrPtr*)(_t78 + 0x6c)));
										_t78 = _t78 + 0x10;
										if(_t67 == 0) {
											_push(1);
											_push(_t71);
											_push(_t78 + 0x20);
											_push(_t65);
											_t67 = E6E013270();
											_t78 = _t78 + 0x10;
											if(_t67 == 0) {
												_t48 =  *(_t65 + 8);
												if(_t48 != 0) {
													_push(1);
													_push(_t48);
													L6E025AE2();
													_t78 = _t78 + 8;
													 *(_t65 + 8) = _t67;
												}
												_t67 = E6E011740(_t65,  *((intOrPtr*)(_t78 + 0x70)));
												_t78 = _t78 + 8;
												if(_t67 == 0) {
													_t50 = E6E011AF0(_t65, _t49);
													_t78 = _t78 + 8;
													if(_t50 == 0) {
														_t51 = E6E0116E0(_t65, _t67, _t65);
														_t78 = _t78 + 4;
														 *(_t65 + 8) = _t51;
													} else {
														_t67 = _t67 | 0xffffffff;
													}
												}
											}
										}
									}
								}
								_push(1);
								_push( *((intOrPtr*)(_t78 + 0x70)));
								L6E025AE2();
								_t74 = _t78 + 8;
							}
						}
						_push(1);
						_push(_t60);
						L6E025AC4();
						_t37 =  *((intOrPtr*)(_t74 + 0x2c));
						if(_t37 != 0) {
							_push(_t37);
							L6E025A9A();
						}
						return _t67;
					} else {
						return __eax | 0xffffffff;
					}
				} else {
					return __eax | _t67;
				}
			}

0x6e012785
0x6e012789
0x6e01278c
0x6e012796
0x6e0127a1
0x6e0127a6
0x6e0127ae
0x6e0127b6
0x6e0127be
0x6e0127c3
0x6e0127c5
0x6e0127ca
0x6e0127d7
0x6e0127d9
0x6e0127de
0x6e0127e2
0x6e0127e6
0x6e0127ea
0x6e0127f1
0x6e0127f4
0x6e0127fa
0x6e012807
0x6e012808
0x6e01280d
0x6e012811
0x6e012812
0x6e012813
0x6e012818
0x6e01281d
0x6e01287a
0x6e01287a
0x6e012880
0x6e012882
0x6e012883
0x6e012888
0x6e01288b
0x6e01288b
0x6e01281f
0x6e01281f
0x6e012823
0x6e012824
0x6e012829
0x6e012831
0x6e012832
0x6e012837
0x6e01283b
0x6e01283c
0x6e012840
0x6e012845
0x6e01284a
0x00000000
0x6e01284c
0x6e012850
0x6e012851
0x6e012855
0x6e012856
0x6e012857
0x6e01285c
0x6e012861
0x00000000
0x6e012863
0x6e012863
0x6e012867
0x6e012868
0x6e01286d
0x6e01286f
0x6e012872
0x6e012878
0x00000000
0x00000000
0x6e012878
0x6e012861
0x6e01284a
0x6e012893
0x6e012895
0x6e012899
0x6e01289e
0x6e0128a3
0x6e0128a9
0x6e0128ab
0x6e0128ac
0x6e0128b1
0x6e0128b3
0x6e0128b8
0x6e0128be
0x6e0128c2
0x6e0128c5
0x6e0128c6
0x6e0128ca
0x6e0128cb
0x6e0128d0
0x6e0128d2
0x6e0128d7
0x6e0128dd
0x6e0128eb
0x6e0128ed
0x6e0128f2
0x6e0128f4
0x6e0128f6
0x6e0128fb
0x6e0128fc
0x6e012902
0x6e012904
0x6e012909
0x6e01290b
0x6e012910
0x6e012912
0x6e012914
0x6e012915
0x6e01291a
0x6e01291d
0x6e01291d
0x6e01292a
0x6e01292c
0x6e012931
0x6e012935
0x6e01293a
0x6e01293f
0x6e012947
0x6e01294c
0x6e01294f
0x6e012941
0x6e012941
0x6e012941
0x6e01293f
0x6e012931
0x6e012909
0x6e0128f2
0x6e0128d7
0x6e012952
0x6e012954
0x6e012958
0x6e01295d
0x6e01295d
0x6e0128a3
0x6e012960
0x6e012962
0x6e012963
0x6e012968
0x6e012972
0x6e012974
0x6e012975
0x6e01297a
0x6e012985
0x6e0127cc
0x6e0127d5
0x6e0127d5
0x6e012799
0x6e01279f
0x6e01279f

APIs

PORT_NewArena_Util.NSSUTIL3(?,?,?,?,00000800,?), ref: 6E0127BE

Strings

password-check, xrefs: 6E0127A6

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Arena_Util
String ID: password-check
API String ID: 702427320-2616774086
Opcode ID: 34e80c3a4771573c0e0eecec0c2af3ae9352c571a6ba832be2f0119f8f0d1b23
Instruction ID: 6635fa8a7fd05a8341e06609943a0c24d5f88f0482322f36d515f09511e5ab85
Opcode Fuzzy Hash: 34e80c3a4771573c0e0eecec0c2af3ae9352c571a6ba832be2f0119f8f0d1b23
Instruction Fuzzy Hash: F451AFB29083056FE6119AE48C82BDBB6ECAF50798F440D39FD989B240F775D90587D3

Uniqueness

Uniqueness Score: -1.00%

Function 6E01FD20 Relevance: 27.3, APIs: 18, Instructions: 258
memoryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E6E01FD20() {
				void* __ebx;
				void* _t58;
				signed int _t59;
				intOrPtr _t60;
				intOrPtr _t63;
				intOrPtr _t64;
				signed int _t66;
				intOrPtr _t70;
				void* _t84;
				void* _t87;
				signed int _t99;
				signed int _t100;
				signed int _t101;
				intOrPtr* _t104;
				void* _t109;
				intOrPtr _t113;
				signed int _t114;
				signed int _t115;
				intOrPtr* _t116;
				char* _t117;
				void* _t118;
				void* _t119;
				void* _t120;
				void* _t121;
				void* _t122;
				void* _t124;
				void* _t127;
				void* _t128;
				void* _t129;
				void* _t133;

				_t116 =  *((intOrPtr*)(_t118 + 0x2c));
				_t113 =  *((intOrPtr*)(_t118 + 0x30));
				_t59 = E6E01F5D0(_t58, _t113, _t116);
				_t114 = _t59;
				_t119 = _t118 + 8;
				if(_t114 != 0) {
					_t3 = _t114 + 0x14; // 0x14
					_t103 = _t3;
					_push(_t3);
					_push( *((intOrPtr*)(_t119 + 0x3c)));
					L6E025B2A();
					_t133 = _t119 + 8;
					if(_t59 == 0) {
						E6E01FFF0(_t103, _t113, _t103, _t116, _t59);
						_t133 = _t133 + 0x10;
					}
					_t59 = E6E01CAD0(_t114);
					_t119 = _t133 + 4;
				}
				_push(0x800);
				L6E025ABE();
				_t99 = _t59;
				_t120 = _t119 + 4;
				if(_t99 != 0) {
					_push(0x38);
					_push(_t99);
					L6E025ACA();
					_t115 = _t59;
					_t121 = _t120 + 8;
					if(_t115 != 0) {
						_t104 = _t116;
						 *(_t115 + 0xc) = _t99;
						 *_t115 = 6;
						 *((intOrPtr*)(_t115 + 4)) = 8;
						 *(_t115 + 8) = 0;
						_t109 = _t104 + 1;
						do {
							_t60 =  *_t104;
							_t104 = _t104 + 1;
						} while (_t60 != 0);
						_t59 = _t104 - _t109 + 1;
						_push(_t59);
						_push(_t99);
						 *(_t121 + 0x18) = _t59;
						L6E025ACA();
						_t122 = _t121 + 8;
						 *(_t115 + 0x10) = _t59;
						if(_t59 == 0) {
							goto L8;
						} else {
							E6E0267A0(_t59, _t116,  *((intOrPtr*)(_t122 + 0x10)));
							_push( *((intOrPtr*)(_t122 + 0x44)));
							_t14 = _t115 + 0x14; // 0x14
							_t59 = _t14;
							_push(_t59);
							_push(_t99);
							L6E025AD6();
							_t122 = _t122 + 0x18;
							if(_t59 != 0) {
								goto L8;
							} else {
								_t63 =  *((intOrPtr*)(_t122 + 0x3c));
								if(_t63 == 0) {
									 *(_t115 + 0x24) = 0;
									 *(_t115 + 0x28) = 0;
									goto L17;
								} else {
									_push(_t63);
									_t16 = _t115 + 0x20; // 0x20
									_t59 = _t16;
									_push(_t59);
									_push(_t99);
									L6E025AD6();
									_t122 = _t122 + 0xc;
									if(_t59 != 0) {
										goto L8;
									} else {
										L17:
										_t64 =  *((intOrPtr*)(_t122 + 0x40));
										if(_t64 == 0) {
											 *(_t115 + 0x30) = 0;
											 *(_t115 + 0x34) = 0;
											goto L21;
										} else {
											_push(_t64);
											_t20 = _t115 + 0x2c; // 0x2c
											_t64 = _t20;
											_push(_t64);
											_push(_t99);
											L6E025AD6();
											_t122 = _t122 + 0xc;
											if(_t64 == 0) {
												L21:
												__imp__PR_EnterMonitor( *((intOrPtr*)(_t113 + 4)));
												E6E01C880(_t64, _t113, _t116);
												_t66 = E6E01FFF0(_t99, _t113,  *((intOrPtr*)(_t122 + 0x4c)), _t116, 1);
												_t100 = _t66;
												_t124 = _t122 + 0x1c;
												if(_t100 != 0) {
													L27:
													__imp__PR_ExitMonitor( *((intOrPtr*)(_t113 + 4)));
													E6E01CAD0(_t115);
													return _t100;
												} else {
													_push(0x800);
													L6E025ABE();
													_t101 = _t66;
													_t124 = _t124 + 4;
													if(_t101 == 0) {
														L26:
														_t100 = _t101 | 0xffffffff;
														goto L27;
													} else {
														_t70 =  *(_t115 + 0x1c) +  *(_t115 + 0x34) + 9 +  *(_t115 + 0x28);
														_push(_t70);
														_push(_t101);
														 *((intOrPtr*)(_t124 + 0x24)) = _t70;
														L6E025ACA();
														_t127 = _t124 + 8;
														 *((intOrPtr*)(_t127 + 0x18)) = _t70;
														if(_t70 != 0) {
															_t31 = _t70 + 3; // 0x3
															_t117 = _t31;
															 *_t117 =  *(_t115 + 0x1c) >> 8;
															 *((char*)(_t117 + 1)) =  *(_t115 + 0x1c) & 0x000000ff;
															 *((char*)(_t117 + 2)) =  *(_t115 + 0x28) >> 8;
															 *((char*)(_t117 + 3)) =  *(_t115 + 0x28) & 0x000000ff;
															 *((char*)(_t117 + 4)) =  *(_t115 + 0x34) >> 8;
															 *((char*)(_t117 + 5)) =  *(_t115 + 0x34) & 0x000000ff;
															_t43 = _t117 + 6; // 0x9
															E6E0267A0(_t43,  *((intOrPtr*)(_t115 + 0x18)),  *(_t115 + 0x1c));
															_t82 =  *(_t115 + 0x28);
															_t128 = _t127 + 0xc;
															if( *(_t115 + 0x28) != 0) {
																E6E0267A0( *(_t115 + 0x1c) + 6 + _t117,  *(_t115 + 0x24), _t82);
																E6E0267A0( *(_t115 + 0x1c) +  *(_t115 + 0x28) + 6 + _t117,  *(_t115 + 0x30),  *(_t115 + 0x34));
																_t128 = _t128 + 0x18;
															}
															_t84 = E6E01CCF0( *(_t115 + 0x10), _t101, _t128 + 0x20);
															_t129 = _t128 + 0xc;
															if(_t84 != 0) {
																goto L25;
															} else {
																_t87 = E6E01E320(_t113, _t115, _t129 + 0x24, _t129 + 0x14);
																_t129 = _t129 + 0x10;
																if(_t87 != 0) {
																	goto L25;
																} else {
																	L6E025AC4();
																	__imp__PR_ExitMonitor( *((intOrPtr*)(_t113 + 4)), _t101, _t87);
																	E6E01CAD0(_t115);
																	return 0;
																}
															}
														} else {
															_push(0xffffe013);
															L6E025AB2();
															_t129 = _t127 + 4;
															L25:
															_push(0);
															_push(_t101);
															L6E025AC4();
															_t124 = _t129 + 8;
															goto L26;
														}
													}
												}
											} else {
												goto L8;
											}
										}
									}
								}
							}
						}
					} else {
						_push(0xffffe013);
						L6E025AB2();
						_t122 = _t121 + 4;
						L8:
						_push(0);
						_push(_t99);
						L6E025AC4();
						return _t59 | 0xffffffff;
					}
				} else {
					_push(0xffffe013);
					L6E025AB2();
					return _t59 | 0xffffffff;
				}
			}

0x6e01fd25
0x6e01fd2b
0x6e01fd31
0x6e01fd36
0x6e01fd38
0x6e01fd3d
0x6e01fd3f
0x6e01fd3f
0x6e01fd42
0x6e01fd43
0x6e01fd47
0x6e01fd4c
0x6e01fd51
0x6e01fd57
0x6e01fd5c
0x6e01fd5c
0x6e01fd60
0x6e01fd65
0x6e01fd65
0x6e01fd68
0x6e01fd6d
0x6e01fd72
0x6e01fd74
0x6e01fd79
0x6e01fd93
0x6e01fd95
0x6e01fd96
0x6e01fd9b
0x6e01fd9d
0x6e01fda2
0x6e01fdc7
0x6e01fdc9
0x6e01fdcc
0x6e01fdd2
0x6e01fdd9
0x6e01fde0
0x6e01fde3
0x6e01fde3
0x6e01fde5
0x6e01fde6
0x6e01fdec
0x6e01fdef
0x6e01fdf0
0x6e01fdf1
0x6e01fdf5
0x6e01fdfa
0x6e01fdfd
0x6e01fe02
0x00000000
0x6e01fe04
0x6e01fe0a
0x6e01fe0f
0x6e01fe13
0x6e01fe13
0x6e01fe16
0x6e01fe17
0x6e01fe18
0x6e01fe1d
0x6e01fe22
0x00000000
0x6e01fe24
0x6e01fe24
0x6e01fe2a
0x6e01fe44
0x6e01fe4b
0x00000000
0x6e01fe2c
0x6e01fe2c
0x6e01fe2d
0x6e01fe2d
0x6e01fe30
0x6e01fe31
0x6e01fe32
0x6e01fe37
0x6e01fe3c
0x00000000
0x6e01fe42
0x6e01fe52
0x6e01fe52
0x6e01fe58
0x6e01fe71
0x6e01fe78
0x00000000
0x6e01fe5a
0x6e01fe5a
0x6e01fe5b
0x6e01fe5b
0x6e01fe5e
0x6e01fe5f
0x6e01fe60
0x6e01fe65
0x6e01fe6a
0x6e01fe7f
0x6e01fe82
0x6e01fe8a
0x6e01fe97
0x6e01fe9c
0x6e01fe9e
0x6e01fea3
0x6e01fef7
0x6e01fefa
0x6e01ff04
0x6e01ff15
0x6e01fea5
0x6e01fea5
0x6e01feaa
0x6e01feaf
0x6e01feb1
0x6e01feb6
0x6e01fef4
0x6e01fef4
0x00000000
0x6e01feb8
0x6e01fec4
0x6e01fec6
0x6e01fec7
0x6e01fec8
0x6e01fecc
0x6e01fed1
0x6e01fed4
0x6e01feda
0x6e01ff16
0x6e01ff16
0x6e01ff1f
0x6e01ff26
0x6e01ff2f
0x6e01ff36
0x6e01ff3f
0x6e01ff46
0x6e01ff49
0x6e01ff53
0x6e01ff58
0x6e01ff5b
0x6e01ff60
0x6e01ff6f
0x6e01ff88
0x6e01ff8d
0x6e01ff8d
0x6e01ff99
0x6e01ff9e
0x6e01ffa3
0x00000000
0x6e01ffa9
0x6e01ffb5
0x6e01ffba
0x6e01ffbf
0x00000000
0x6e01ffc5
0x6e01ffc7
0x6e01ffcf
0x6e01ffdb
0x6e01ffec
0x6e01ffec
0x6e01ffbf
0x6e01fedc
0x6e01fedc
0x6e01fee1
0x6e01fee6
0x6e01fee9
0x6e01fee9
0x6e01feeb
0x6e01feec
0x6e01fef1
0x00000000
0x6e01fef1
0x6e01feda
0x6e01feb6
0x6e01fe6c
0x00000000
0x6e01fe6c
0x6e01fe6a
0x6e01fe58
0x6e01fe3c
0x6e01fe2a
0x6e01fe22
0x6e01fda4
0x6e01fda4
0x6e01fda9
0x6e01fdae
0x6e01fdb1
0x6e01fdb1
0x6e01fdb3
0x6e01fdb4
0x6e01fdc6
0x6e01fdc6
0x6e01fd7b
0x6e01fd7b
0x6e01fd80
0x6e01fd92
0x6e01fd92

APIs

Part of subcall function 6E01F5D0: PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,?,?,?,?,00000000,?,?,6E01E14B,?,?,?,?), ref: 6E01F5DB
Part of subcall function 6E01F5D0: PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,00000000,?,?,6E01E14B,?,?,?,?,?), ref: 6E01F5EE

SECITEM_ItemsAreEqual_Util.NSSUTIL3(?,00000014,00000000,?,?,6E01E14B,?,?,?,?,?), ref: 6E01FD47
PORT_NewArena_Util.NSSUTIL3(00000800,00000000,?,?,6E01E14B,?,?,?,?,?), ref: 6E01FD6D
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,00000000,?,?,6E01E14B,?,?,?,?,?), ref: 6E01FD80
PORT_ArenaAlloc_Util.NSSUTIL3(00000000,00000038,?,00000000,?,?,6E01E14B,?,?,?,?,?), ref: 6E01FD96
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,00000000,?,?,6E01E14B,?,?,?,?,?), ref: 6E01FDA9
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,00000000,?,?,6E01E14B,?,?,?,?,?), ref: 6E01FDB4
PORT_ArenaAlloc_Util.NSSUTIL3(00000000,?,?,?,?,00000000,?,?,6E01E14B,?,?,?,?,?), ref: 6E01FDF5
SECITEM_CopyItem_Util.NSSUTIL3(00000000,00000014,?,00000000,?,?,?,?,?,?,?,00000000,?,?,6E01E14B,?), ref: 6E01FE18
SECITEM_CopyItem_Util.NSSUTIL3(00000000,00000020,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6E01FE32
SECITEM_CopyItem_Util.NSSUTIL3(00000000,0000002C,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6E01FE60
PR_EnterMonitor.NSPR4(00000008,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6E01E14B), ref: 6E01FE82
PORT_NewArena_Util.NSSUTIL3(00000800), ref: 6E01FEAA
PORT_ArenaAlloc_Util.NSSUTIL3(00000000,?), ref: 6E01FECC
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6E01FEE1
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000), ref: 6E01FEEC
PR_ExitMonitor.NSPR4(00000008), ref: 6E01FEFA

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_$Error_$Alloc_ArenaCopyItem_$FreeMonitor$EnterEqual_ExitItems
String ID:
API String ID: 4157341579-0
Opcode ID: 3f2e5e3fd7adc780aa9c6644c3e0376f420ea8d2afd2adbe86e9c45e8ee89b7c
Instruction ID: 27d8666c5e568d90126d6b02c831fd13e09ebcf36ac7c82a5d5e247835df7d75
Opcode Fuzzy Hash: 3f2e5e3fd7adc780aa9c6644c3e0376f420ea8d2afd2adbe86e9c45e8ee89b7c
Instruction Fuzzy Hash: 118107B25087006FD7109FE49C81BEB77ECEF11258F440A3DF9868B606E736E51987A2

Uniqueness

Uniqueness Score: -1.00%

Function 6DFAFD40 Relevance: 25.8, APIs: 17, Instructions: 280memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,00000000), ref: 6DFAFD89
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,000000A8,?,?,?,?,00000000,?), ref: 6DFAFDA7
PORT_FreeArena_Util.NSSUTIL3(00000000,00000001,?,?,?,?,?,00000000,?), ref: 6DFAFDB8
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFB004C

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Arena_$Alloc_ArenaError_Free
String ID:
API String ID: 3977766762-0
Opcode ID: 6ddc1841824720c4d90c776fbc0a162c89e1fa9e744c4469c225fb800f2d2e5d
Instruction ID: 22d954cb46c9c58de3bc1a5c232b70a7d1cd3d3aeeaa41e6d61fa6e72bcb5f14
Opcode Fuzzy Hash: 6ddc1841824720c4d90c776fbc0a162c89e1fa9e744c4469c225fb800f2d2e5d
Instruction Fuzzy Hash: 9991DD72904206AFD751DEA9CD80FAA77ECAF04354F090235FE58CB242E7B5E954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E012B90 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 380
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E6E012B90() {
				void* _t95;
				char* _t99;
				char _t100;
				void* _t104;
				intOrPtr _t106;
				void* _t109;
				void* _t112;
				void* _t116;
				void* _t118;
				void* _t122;
				void* _t125;
				intOrPtr* _t139;
				void* _t143;
				intOrPtr* _t144;
				void* _t148;
				signed int _t149;
				signed int _t150;
				intOrPtr _t151;
				void* _t154;
				void* _t157;
				intOrPtr _t163;
				char* _t164;
				intOrPtr _t166;
				char* _t172;
				char* _t173;
				intOrPtr* _t174;
				char* _t175;
				intOrPtr* _t176;
				char* _t177;
				intOrPtr _t178;
				intOrPtr* _t179;
				intOrPtr* _t180;
				intOrPtr _t181;
				intOrPtr _t183;
				intOrPtr _t185;
				intOrPtr _t186;
				intOrPtr _t187;
				intOrPtr _t188;
				void* _t189;
				void* _t190;
				intOrPtr* _t192;
				char _t194;
				void* _t195;
				intOrPtr _t196;
				intOrPtr* _t198;
				void* _t199;
				void* _t201;
				void* _t202;
				intOrPtr _t203;
				intOrPtr _t205;
				char* _t207;
				char* _t208;
				char* _t209;
				void* _t210;
				void* _t211;
				void* _t212;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t229;

				_t163 =  *((intOrPtr*)(_t210 + 0x54));
				_t209 = 0;
				 *((intOrPtr*)(_t210 + 0xc)) = 0;
				_t92 =  *((intOrPtr*)(_t163 + 4));
				if( *((intOrPtr*)(_t163 + 4)) == 0) {
					L74:
					return 0;
				}
				_t192 = E6E0125D0(_t92, _t92);
				_t211 = _t210 + 4;
				 *((intOrPtr*)(_t211 + 0xc)) = _t192;
				if(_t192 == 0) {
					L73:
					goto L74;
				}
				 *((intOrPtr*)(_t163 + 4)) = 0;
				_t95 = E6E013030(_t94, _t192);
				_t212 = _t211 + 4;
				if(_t95 != 2) {
					L68:
					_t194 =  *(_t212 + 0x60);
					_t183 =  *((intOrPtr*)(_t194 + 0x1c));
					_t195 =  *_t194;
					__imp__PR_Lock(_t183);
					 *((intOrPtr*)( *((intOrPtr*)(_t195 + 0x18))))(_t195, 0);
					__imp__PR_Unlock(_t183);
					E6E011F50( *(_t212 + 0x20));
					_t99 =  *(_t212 + 0x28);
					_t213 = _t212 + 0x14;
					if(_t99 != 0) {
						_push(1);
						_push(_t99);
						L6E025AE2();
						_t213 = _t213 + 8;
					}
					if(_t209 != 0) {
						_t100 =  *_t209;
						if(_t100 != 0) {
							_push(0);
							_push(_t100);
							L6E025AC4();
						}
					}
					goto L73;
				}
				 *(_t212 + 0x28) = "global-salt";
				 *((intOrPtr*)(_t212 + 0x2c)) = 0xb;
				_t185 =  *((intOrPtr*)(_t192 + 0x1c));
				_t196 =  *_t192;
				__imp__PR_Lock(_t185);
				_t104 =  *((intOrPtr*)( *((intOrPtr*)(_t196 + 0xc))))(_t196, _t212 + 0x34, _t212 + 0x40, 0);
				_t197 = _t104;
				__imp__PR_Unlock(_t185);
				_t212 = _t212 + 0x18;
				if(_t104 != 0) {
					goto L68;
				}
				_t106 = E6E0117B0(_t212 + 0x38, _t212 + 0x38);
				_t212 = _t212 + 4;
				 *((intOrPtr*)(_t212 + 0x14)) = _t106;
				if(_t106 == 0) {
					goto L68;
				}
				_t198 =  *((intOrPtr*)(_t212 + 0x14));
				 *(_t212 + 0x20) = "password-check";
				 *((intOrPtr*)(_t212 + 0x2c)) = 0xe;
				_t109 = E6E011A30(_t198, _t212 + 0x20, _t212 + 0x58, _t197);
				_t215 = _t212 + 0x10;
				if(_t109 == 0) {
					_t112 = E6E011A70(_t163, _t215 + 0x30, _t215 + 0x3c, 0);
					_t212 = _t215 + 0x10;
					if(_t112 != 0) {
						goto L68;
					}
					_push(2);
					_push(_t212 + 0x54);
					_t209 = E6E011810();
					_t212 = _t212 + 8;
					if(_t209 == 0) {
						goto L68;
					}
					_t52 =  &(_t209[0x18]); // 0x18
					_t175 = _t52;
					 *(_t212 + 0x48) = _t209[0x18];
					 *(_t212 + 0x58) = _t175[4];
					 *(_t212 + 0x60) = _t175[8];
					_t209[0x1c] = 0;
					_t116 = E6E011930(_t212 + 0x48, 0, _t175, 6, _t212 + 0x48);
					_t212 = _t212 + 0x10;
					if(_t116 != 0) {
						goto L68;
					}
					_push(1);
					_push(_t209);
					_push(_t212 + 0x20);
					_push(_t163);
					_t118 = E6E013270();
					_t212 = _t212 + 0x10;
					if(_t118 != 0) {
						goto L68;
					}
					E6E01B650(_t209);
					_t216 = _t212 + 4;
					L41:
					_t209 = 0;
					_t122 = E6E011AB0(_t198, _t216 + 0x28, _t216 + 0x44, 3);
					_t212 = _t216 + 0x10;
					if(_t122 != 0) {
						goto L68;
					}
					do {
						if( *((intOrPtr*)(_t212 + 0x44)) <= 1) {
							goto L66;
						}
						_t186 =  *((intOrPtr*)(_t212 + 0x24));
						_t164 =  *(_t212 + 0x20);
						if(_t186 != 0xb) {
							L50:
							if(_t186 !=  *((intOrPtr*)(_t212 + 0x1c))) {
								L63:
								if(_t164[_t186 - 1] == 0) {
									_push(2);
									_push(_t212 + 0x40);
									_t199 = E6E011810();
									_t212 = _t212 + 8;
									if(_t199 != 0) {
										_push(0);
										_push(_t199);
										_push(_t212 + 0x20);
										_push( *(_t212 + 0x60));
										 *(_t199 + 8) =  *(_t212 + 0x20);
										E6E013270();
										 *(_t199 + 8) = _t209;
										E6E01B650(_t199);
										_t212 = _t212 + 0x14;
									}
								}
								goto L66;
							}
							_t176 =  *((intOrPtr*)(_t212 + 0x18));
							_t172 = _t164;
							_t201 = _t186 - 4;
							if(_t201 < 0) {
								L55:
								if(_t201 == 0xfffffffc) {
									goto L66;
								}
								L56:
								if( *_t172 !=  *_t176 || _t201 != 0xfffffffd && (_t172[1] !=  *((intOrPtr*)(_t176 + 1)) || _t201 != 0xfffffffe && (_t172[2] !=  *((intOrPtr*)(_t176 + 2)) || _t201 != 0xffffffff && _t172[3] !=  *((intOrPtr*)(_t176 + 3))))) {
									goto L63;
								} else {
									goto L66;
								}
							}
							while( *_t172 ==  *_t176) {
								_t172 =  &(_t172[4]);
								_t176 = _t176 + 4;
								_t201 = _t201 - 4;
								if(_t201 >= 0) {
									continue;
								}
								goto L55;
							}
							goto L56;
						}
						_t173 = _t164;
						_t177 = "global-salt";
						_t202 = 7;
						while( *_t173 ==  *_t177) {
							_t173 =  &(_t173[4]);
							_t177 =  &(_t177[4]);
							_t202 = _t202 - 4;
							if(_t202 >= 0) {
								continue;
							}
							if( *_t173 !=  *_t177 || _t173[2] != _t177[2]) {
								goto L50;
							} else {
								goto L66;
							}
						}
						goto L50;
						L66:
						_t125 = E6E011AB0( *((intOrPtr*)(_t212 + 0x1c)), _t212 + 0x28, _t212 + 0x44, 7);
						_t212 = _t212 + 0x10;
					} while (_t125 == 0);
					_t209 = 0;
					goto L68;
				}
				_t139 = _t198;
				_t187 =  *((intOrPtr*)(_t139 + 0x1c));
				_t203 =  *_t139;
				__imp__PR_Lock(_t187);
				_t143 =  *((intOrPtr*)( *((intOrPtr*)(_t203 + 0x14))))(_t203, _t215 + 0x3c, _t215 + 0x50, 3);
				__imp__PR_Unlock(_t187);
				_t212 = _t215 + 0x18;
				if(_t143 != 0) {
					goto L68;
				} else {
					goto L7;
				}
				do {
					L7:
					if( *((intOrPtr*)(_t212 + 0x4c)) <= 1) {
						goto L29;
					}
					_t166 =  *((intOrPtr*)(_t212 + 0x34));
					_t174 =  *((intOrPtr*)(_t212 + 0x30));
					if(_t166 != 0xb) {
						if(_t166 == 0xe) {
							_t179 = _t174;
							_t189 = _t166 - 4;
							_t207 = "password-check";
							while( *_t179 ==  *_t207) {
								_t179 = _t179 + 4;
								_t207 =  &(_t207[4]);
								_t189 = _t189 - 4;
								if(_t189 >= 0) {
									continue;
								}
								goto L19;
							}
						}
						goto L20;
					} else {
						_t180 = _t174;
						_t208 = "global-salt";
						_t190 = 7;
						while( *_t180 ==  *_t208) {
							_t180 = _t180 + 4;
							_t208 =  &(_t208[4]);
							_t190 = _t190 - 4;
							if(_t190 >= 0) {
								continue;
							}
							if( *_t180 ==  *_t208) {
								_t229 =  *((intOrPtr*)(_t180 + 2)) - _t208[2];
								L19:
								if(_t229 == 0) {
									goto L29;
								}
							}
							break;
						}
						L20:
						if( *((char*)(_t174 + _t166 - 1)) != 0) {
							goto L29;
						}
						_t149 = "Server-Key";
						while(1) {
							_t178 =  *_t174;
							if(_t178 !=  *_t149) {
								break;
							}
							if(_t178 == 0) {
								L26:
								_t150 = 0;
								L28:
								if(_t150 == 0) {
									_t151 = 1;
									L31:
									if(_t151 == 0) {
										goto L68;
									}
									_t167 =  *(_t212 + 0x60);
									 *(_t212 + 0x38) = "fake-password-check";
									 *((intOrPtr*)(_t212 + 0x44)) = 0x13;
									 *(_t212 + 0x58) = "1";
									 *((intOrPtr*)(_t212 + 0x5c)) = 1;
									_t154 = E6E011A70( *(_t212 + 0x60), _t212 + 0x30, _t212 + 0x38, 0);
									_t212 = _t212 + 0x10;
									if(_t154 != 0) {
										goto L68;
									}
									_t157 = E6E011A70(_t167, _t212 + 0x38, _t212 + 0x4c, _t154);
									_t212 = _t212 + 0x10;
									if(_t157 != 0) {
										goto L68;
									}
									_t198 =  *((intOrPtr*)(_t212 + 0x10));
									goto L41;
								}
								goto L29;
							}
							_t181 =  *((intOrPtr*)(_t174 + 1));
							if(_t181 !=  *((intOrPtr*)(_t149 + 1))) {
								break;
							}
							_t174 = _t174 + 2;
							_t149 = _t149 + 2;
							if(_t181 != 0) {
								continue;
							}
							goto L26;
						}
						asm("sbb eax, eax");
						_t150 = _t149 | 0x00000001;
						goto L28;
					}
					L29:
					_t144 =  *((intOrPtr*)(_t212 + 0x10));
					_t188 =  *((intOrPtr*)(_t144 + 0x1c));
					_t205 =  *_t144;
					__imp__PR_Lock(_t188);
					_t148 =  *((intOrPtr*)( *((intOrPtr*)(_t205 + 0x14))))(_t205, _t212 + 0x3c, _t212 + 0x50, 7);
					__imp__PR_Unlock(_t188);
					_t212 = _t212 + 0x18;
				} while (_t148 == 0);
				_t151 = 0;
				goto L31;
			}

0x6e012b94
0x6e012b99
0x6e012b9b
0x6e012b9f
0x6e012ba4
0x6e012ffd
0x6e013003
0x6e013003
0x6e012bb1
0x6e012bb3
0x6e012bb6
0x6e012bbc
0x6e012ffb
0x00000000
0x6e012ffb
0x6e012bc4
0x6e012bc7
0x6e012bcc
0x6e012bd1
0x6e012fa6
0x6e012fa6
0x6e012faa
0x6e012fad
0x6e012fb0
0x6e012fbc
0x6e012fbf
0x6e012fc9
0x6e012fce
0x6e012fd2
0x6e012fd8
0x6e012fda
0x6e012fdc
0x6e012fdd
0x6e012fe2
0x6e012fe2
0x6e012fe7
0x6e012fe9
0x6e012fee
0x6e012ff0
0x6e012ff2
0x6e012ff3
0x6e012ff8
0x6e012fee
0x00000000
0x6e012fe7
0x6e012bd7
0x6e012bdf
0x6e012be7
0x6e012bea
0x6e012bed
0x6e012c02
0x6e012c05
0x6e012c07
0x6e012c0d
0x6e012c12
0x00000000
0x00000000
0x6e012c1d
0x6e012c22
0x6e012c25
0x6e012c2b
0x00000000
0x00000000
0x6e012c32
0x6e012c3f
0x6e012c49
0x6e012c51
0x6e012c56
0x6e012c5b
0x6e012dfc
0x6e012e01
0x6e012e06
0x00000000
0x00000000
0x6e012e10
0x6e012e12
0x6e012e18
0x6e012e1a
0x6e012e1f
0x00000000
0x00000000
0x6e012e28
0x6e012e28
0x6e012e2f
0x6e012e3a
0x6e012e43
0x6e012e47
0x6e012e4e
0x6e012e53
0x6e012e58
0x00000000
0x00000000
0x6e012e5e
0x6e012e60
0x6e012e65
0x6e012e66
0x6e012e67
0x6e012e6c
0x6e012e71
0x00000000
0x00000000
0x6e012e78
0x6e012e7d
0x6e012e80
0x6e012e86
0x6e012e8f
0x6e012e94
0x6e012e99
0x00000000
0x00000000
0x6e012ea0
0x6e012ea5
0x00000000
0x00000000
0x6e012eab
0x6e012eaf
0x6e012eb6
0x6e012ee9
0x6e012eed
0x6e012f43
0x6e012f48
0x6e012f4e
0x6e012f50
0x6e012f56
0x6e012f58
0x6e012f5d
0x6e012f6b
0x6e012f6d
0x6e012f6e
0x6e012f6f
0x6e012f70
0x6e012f73
0x6e012f79
0x6e012f7c
0x6e012f81
0x6e012f81
0x6e012f5d
0x00000000
0x6e012f48
0x6e012eef
0x6e012ef5
0x6e012ef7
0x6e012efa
0x6e012f11
0x6e012f14
0x00000000
0x00000000
0x6e012f16
0x6e012f1a
0x00000000
0x00000000
0x00000000
0x00000000
0x6e012f1a
0x6e012f00
0x6e012f06
0x6e012f09
0x6e012f0c
0x6e012f0f
0x00000000
0x00000000
0x00000000
0x6e012f0f
0x00000000
0x6e012f00
0x6e012eb8
0x6e012eba
0x6e012ebf
0x6e012ec4
0x6e012eca
0x6e012ecd
0x6e012ed0
0x6e012ed3
0x00000000
0x00000000
0x6e012edb
0x00000000
0x00000000
0x00000000
0x00000000
0x6e012edb
0x00000000
0x6e012f84
0x6e012f94
0x6e012f99
0x6e012f9c
0x6e012fa4
0x00000000
0x6e012fa4
0x6e012c61
0x6e012c63
0x6e012c66
0x6e012c69
0x6e012c7f
0x6e012c84
0x6e012c8a
0x6e012c8f
0x00000000
0x00000000
0x00000000
0x00000000
0x6e012c95
0x6e012c95
0x6e012c9a
0x00000000
0x00000000
0x6e012ca0
0x6e012ca4
0x6e012cab
0x6e012ce4
0x6e012ce6
0x6e012ce8
0x6e012ceb
0x6e012cf0
0x6e012cf6
0x6e012cf9
0x6e012cfc
0x6e012cff
0x00000000
0x00000000
0x00000000
0x6e012d04
0x6e012cf0
0x00000000
0x6e012cad
0x6e012cad
0x6e012caf
0x6e012cb4
0x6e012cc0
0x6e012cc6
0x6e012cc9
0x6e012ccc
0x6e012ccf
0x00000000
0x00000000
0x6e012cd7
0x6e012cdc
0x6e012d07
0x6e012d07
0x00000000
0x00000000
0x6e012d07
0x00000000
0x6e012cd7
0x6e012d09
0x6e012d0e
0x00000000
0x00000000
0x6e012d10
0x6e012d15
0x6e012d15
0x6e012d19
0x00000000
0x00000000
0x6e012d1d
0x6e012d31
0x6e012d31
0x6e012d3a
0x6e012d3c
0x6e012de8
0x6e012d7a
0x6e012d7c
0x00000000
0x00000000
0x6e012d82
0x6e012d91
0x6e012d9b
0x6e012da3
0x6e012dab
0x6e012db3
0x6e012db8
0x6e012dbd
0x00000000
0x00000000
0x6e012dcf
0x6e012dd4
0x6e012dd9
0x00000000
0x00000000
0x6e012ddf
0x00000000
0x6e012ddf
0x00000000
0x6e012d3c
0x6e012d1f
0x6e012d25
0x00000000
0x00000000
0x6e012d27
0x6e012d2a
0x6e012d2f
0x00000000
0x00000000
0x00000000
0x6e012d2f
0x6e012d35
0x6e012d37
0x00000000
0x6e012d37
0x6e012d42
0x6e012d42
0x6e012d46
0x6e012d49
0x6e012d4c
0x6e012d62
0x6e012d67
0x6e012d6d
0x6e012d70
0x6e012d78
0x00000000

APIs

Part of subcall function 6E0125D0: PORT_ZAlloc_Util.NSSUTIL3(00000024,?,6E01263B,00000000,?,?,?,?,6E01931D,?,?,?,6E0197A0,00000000), ref: 6E0125D3
Part of subcall function 6E0125D0: PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000), ref: 6E0125E6

PR_Lock.NSPR4(?), ref: 6E012BED
PR_Unlock.NSPR4(?), ref: 6E012C07

Part of subcall function 6E0117B0: PORT_ZAlloc_Util.NSSUTIL3(0000000C,?,6E011739,?,?,?,?,?,?,?,6E01273C,00000000), ref: 6E0117B3

Part of subcall function 6E011A30: PR_Lock.NSPR4(?,?,?,6E012C56,?,?), ref: 6E011A3C
Part of subcall function 6E011A30: PR_Unlock.NSPR4(?), ref: 6E011A57

PR_Lock.NSPR4(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 6E012C69
PR_Unlock.NSPR4(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 6E012C84
PR_Lock.NSPR4(?), ref: 6E012D4C
PR_Unlock.NSPR4(?), ref: 6E012D67
PR_Lock.NSPR4(?,?,?), ref: 6E012FB0
PR_Unlock.NSPR4(?), ref: 6E012FBF
SECITEM_FreeItem_Util.NSSUTIL3(?,00000001), ref: 6E012FDD
PORT_FreeArena_Util.NSSUTIL3(?,00000000), ref: 6E012FF3

Strings

fake-password-check, xrefs: 6E012D91
Server-Key, xrefs: 6E012D10
global-salt, xrefs: 6E012BD7, 6E012CAF, 6E012EBA
password-check, xrefs: 6E012C3F, 6E012CEB

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: LockUnlockUtil$Alloc_Free$Arena_Error_Item_
String ID: Server-Key$fake-password-check$global-salt$password-check
API String ID: 1731304325-2012437039
Opcode ID: a457daa20d7fc55a245df5e7f573f97e1c199006a5d85034550219bc79d9fef4
Instruction ID: 42cd04433c1779cfccfddcd23dbb4ec861655c2688c89ee8d3ccb1788eed2adb
Opcode Fuzzy Hash: a457daa20d7fc55a245df5e7f573f97e1c199006a5d85034550219bc79d9fef4
Instruction Fuzzy Hash: F0D1D07290C2829FD7108FD4C840BDBB7E9AF87394F44096CF985AF241E731E9459B92

Uniqueness

Uniqueness Score: -1.00%

Function 6E09AE60 Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 335COMMON

Download Yara Rule

Strings

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' , xrefs: 6E09B0CF
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';, xrefs: 6E09B141
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' , xrefs: 6E09B128
BEGIN;, xrefs: 6E09B014
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %', xrefs: 6E09B0E8
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 6E09B108
cannot VACUUM - SQL statements in progress, xrefs: 6E09AEFA
ATTACH '' AS vacuum_db;, xrefs: 6E09AF73
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0), xrefs: 6E09B15A
ATTACH ':memory:' AS vacuum_db;, xrefs: 6E09AF6C, 6E09AF7C
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 6E09B0B6
cannot VACUUM from within a transaction, xrefs: 6E09AED6
PRAGMA vacuum_db.synchronous=OFF, xrefs: 6E09AFFB

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID:
String ID: ATTACH '' AS vacuum_db;$ATTACH ':memory:' AS vacuum_db;$BEGIN;$INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)$PRAGMA vacuum_db.synchronous=OFF$SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' $SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0$SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'$SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' $SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';$SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0$cannot VACUUM - SQL statements in progress$cannot VACUUM from within a transaction
API String ID: 0-4153872865
Opcode ID: f8d0e70353e9ed36d1c38867e4923271163ef3d559137d1ecb36136d0f7af33d
Instruction ID: 5f63cd6f08e02cd1b02283526459778ed5e10d719429c1736564dcff288adfee
Opcode Fuzzy Hash: f8d0e70353e9ed36d1c38867e4923271163ef3d559137d1ecb36136d0f7af33d
Instruction Fuzzy Hash: 15B1F2B1804700AFD711DFE48840B9B7BF8AF95368F181918F8995B346E734E905ABA6

Uniqueness

Uniqueness Score: -1.00%

Function 6E01C280 Relevance: 24.3, APIs: 16, Instructions: 320
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E6E01C280(signed int __eax) {
				signed int _t129;
				signed int _t138;
				signed int _t150;
				signed int _t153;
				signed int _t154;
				signed int _t156;
				intOrPtr _t159;
				signed int _t160;
				signed int _t161;
				signed int _t163;
				signed int _t175;
				signed int _t177;
				signed int _t180;
				void* _t181;
				void* _t182;
				signed char* _t184;
				signed int _t186;
				signed int _t189;
				signed int _t195;
				signed int _t197;
				signed int _t198;
				signed int _t200;
				signed int _t203;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				intOrPtr _t209;
				signed int _t210;
				signed int _t212;
				signed int _t213;
				signed char* _t215;
				signed char* _t216;
				signed char* _t217;
				intOrPtr _t218;
				signed int _t219;
				signed int _t220;
				void* _t221;
				void* _t222;
				void* _t223;
				void* _t226;

				_t129 = __eax;
				_t209 =  *((intOrPtr*)(_t222 + 0x2c));
				_t218 =  *((intOrPtr*)(_t209 + 0xc));
				_push(_t218);
				 *((intOrPtr*)(_t222 + 0x30)) = _t218;
				L6E025B6C();
				_push( *((intOrPtr*)(_t222 + 0x38)));
				 *((intOrPtr*)(_t222 + 0x28)) = __eax;
				_push(_t209 + 0x10);
				_push(_t218);
				L6E025AD6();
				_t223 = _t222 + 0x10;
				if(__eax != 0) {
					L47:
					_push( *(_t223 + 0x20));
					_push(_t218);
					L6E025B72();
					return _t129 | 0xffffffff;
				} else {
					_t210 =  *(_t223 + 0x30);
					if( *((intOrPtr*)(_t210 + 8)) >= 6) {
						_t175 = ( *( *(_t210 + 4)) & 0x000000ff) << 0x00000008 | ( *(_t210 + 4))[1] & 0x000000ff;
						 *(_t209 + 0x1c) = _t175;
						_t184 =  *(_t210 + 4);
						 *(_t223 + 0x14) = _t175;
						_t206 = (_t184[2] & 0x000000ff) << 0x00000008 | _t184[3] & 0x000000ff;
						 *(_t223 + 0x10) = (_t184[4] & 0x000000ff) << 8;
						_t186 =  *(_t223 + 0x10) | _t184[5] & 0x000000ff;
						 *(_t223 + 0x1c) = _t206;
						 *(_t223 + 0x10) = _t186;
						_t138 = _t186 + 6 + _t206;
						 *(_t223 + 0x24) = _t138;
						_t129 = _t138 + _t175 * 4;
						 *(_t223 + 0x18) = _t129;
						if( *((intOrPtr*)(_t210 + 8)) < _t129) {
							goto L2;
						} else {
							_t212 = _t175 + _t175 * 2 << 2;
							_push(_t212);
							_push(_t218);
							L6E025ACA();
							_push(_t212);
							_push(_t218);
							 *(_t209 + 0x24) = _t129;
							L6E025ACA();
							_t223 = _t223 + 0x10;
							 *(_t209 + 0x28) = _t129;
							if( *(_t209 + 0x24) == 0 || _t129 == 0) {
								L8:
								_push(0xffffe013);
								L6E025AB2();
								_t223 = _t223 + 4;
								goto L47;
							} else {
								_t213 =  *(_t223 + 0x1c);
								if(_t213 <= 1) {
									 *(_t209 + 0x20) = 0;
									goto L11;
								} else {
									_push(_t213);
									_push(_t218);
									L6E025ACA();
									_t203 = _t129;
									_t223 = _t223 + 8;
									 *(_t209 + 0x20) = _t203;
									if(_t203 != 0) {
										_t129 = E6E0267A0(_t203,  *((intOrPtr*)( *(_t223 + 0x30) + 4)) + 6, _t213);
										_t223 = _t223 + 0xc;
										L11:
										 *(_t209 + 0x30) = 0;
										if( *(_t223 + 0x10) <= 1) {
											 *(_t209 + 0x2c) = 0;
											goto L16;
										} else {
											_push(8);
											_push(_t218);
											L6E025ACA();
											_t223 = _t223 + 8;
											 *(_t209 + 0x2c) = _t129;
											if(_t129 == 0) {
												goto L8;
											} else {
												_push( *(_t223 + 0x10));
												_push(_t218);
												L6E025ACA();
												_t223 = _t223 + 8;
												 *( *(_t209 + 0x2c)) = _t129;
												_t129 =  *(_t209 + 0x2c);
												_t202 =  *_t129;
												if( *_t129 == 0) {
													goto L8;
												} else {
													E6E0267A0(_t202,  *((intOrPtr*)( *(_t223 + 0x30) + 4)) + 6 + _t213,  *(_t223 + 0x10));
													_t223 = _t223 + 0xc;
													 *(_t209 + 0x30) = 1;
													L16:
													_t207 =  *(_t223 + 0x18);
													_t215 =  *((intOrPtr*)( *(_t223 + 0x30) + 4)) +  *(_t223 + 0x24);
													if(_t175 != 0) {
														_t220 = 0;
														do {
															_t195 =  *_t215 & 0x000000ff;
															_t220 = _t220 + 0xc;
															_t161 = _t215[1] & 0x000000ff;
															_t215 =  &(_t215[2]);
															_t197 = _t195 << 0x00000008 | _t161;
															_t207 = _t207 + _t197;
															 *( *(_t209 + 0x24) + _t220 - 4) = _t197;
															_t175 = _t175 - 1;
														} while (_t175 != 0);
														_t175 =  *(_t223 + 0x14);
														_t218 =  *((intOrPtr*)(_t223 + 0x2c));
														if(_t175 != 0) {
															_t221 = 0;
															 *(_t223 + 0x24) = _t175;
															do {
																_t198 =  *_t215 & 0x000000ff;
																_t221 = _t221 + 0xc;
																_t163 = _t215[1] & 0x000000ff;
																_t215 =  &(_t215[2]);
																_t200 = _t198 << 0x00000008 | _t163;
																_t207 = _t207 + _t200;
																 *( *(_t209 + 0x28) + _t221 - 4) = _t200;
																_t175 = _t175 - 1;
															} while (_t175 != 0);
															_t218 =  *((intOrPtr*)(_t223 + 0x2c));
															_t175 =  *(_t223 + 0x14);
														}
													}
													_t129 =  *(_t223 + 0x30);
													if(_t207 >  *((intOrPtr*)(_t129 + 8))) {
														goto L2;
													} else {
														 *(_t223 + 0x1c) = 0;
														if(_t175 == 0) {
															L29:
															 *(_t223 + 0x18) = 0;
															if(_t175 == 0) {
																L33:
																_t177 =  *((intOrPtr*)( *(_t223 + 0x30) + 8)) +  *((intOrPtr*)( *(_t223 + 0x30) + 4));
																 *(_t223 + 0x14) = _t177;
																if( *(_t223 + 0x10) != 0 || _t177 - _t215 <= 1) {
																	L44:
																	_push( *(_t223 + 0x20));
																	_push(_t218);
																	L6E025B78();
																	return 0;
																} else {
																	_t216 =  &(_t215[2]);
																	_t189 = ( *_t215 & 0x000000ff) << 0x00000008 | _t215[1] & 0x000000ff;
																	_t208 = _t189;
																	 *(_t209 + 0x30) = _t189;
																	_t129 = _t208 + _t208;
																	if(_t177 - _t216 < _t129) {
																		goto L47;
																	} else {
																		_t129 = _t208 * 4;
																		_push(_t129);
																		_push(_t218);
																		L6E025ACA();
																		_t223 = _t223 + 8;
																		 *(_t209 + 0x2c) = _t129;
																		if(_t129 == 0) {
																			goto L8;
																		} else {
																			_t219 = 0;
																			if( *(_t209 + 0x30) <= 0) {
																				L42:
																				if(_t216 != _t177) {
																					goto L46;
																				} else {
																					_t218 =  *((intOrPtr*)(_t223 + 0x2c));
																					goto L44;
																				}
																			} else {
																				while(1) {
																					_t129 = _t177 - _t216;
																					if(_t129 < 2) {
																						break;
																					}
																					_t217 =  &(_t216[2]);
																					_t180 = ( *_t216 & 0x000000ff) << 0x00000008 | _t216[1] & 0x000000ff;
																					_t129 =  *(_t223 + 0x14) - _t217;
																					if(_t129 < _t180) {
																						break;
																					} else {
																						_push(_t180);
																						_push( *(_t223 + 0x30));
																						L6E025ACA();
																						_t226 = _t223 + 8;
																						 *( *(_t209 + 0x2c) + _t219 * 4) = _t129;
																						_t129 =  *(_t209 + 0x2c);
																						if(_t129 == 0) {
																							_push(0xffffe013);
																							L6E025AB2();
																							_t223 = _t226 + 4;
																							break;
																						} else {
																							_t129 = E6E0267A0( *((intOrPtr*)(_t129 + _t219 * 4)), _t217, _t180);
																							_t216 =  &(_t217[_t180]);
																							_t219 = _t219 + 1;
																							_t177 =  *(_t226 + 0x20);
																							_t223 = _t226 + 0xc;
																							if(_t219 <  *(_t209 + 0x30)) {
																								continue;
																							} else {
																								goto L42;
																							}
																						}
																					}
																					goto L48;
																				}
																				L46:
																				_t218 =  *((intOrPtr*)(_t223 + 0x2c));
																				goto L47;
																			}
																		}
																	}
																}
															} else {
																_t181 = 0;
																while(1) {
																	_t150 =  *(_t181 +  *(_t209 + 0x28) + 8);
																	_push(_t150);
																	_push(_t218);
																	 *(_t223 + 0x24) = _t150;
																	L6E025ACA();
																	_t223 = _t223 + 8;
																	 *(_t181 +  *(_t209 + 0x28) + 4) = _t150;
																	_t129 =  *(_t181 +  *(_t209 + 0x28) + 4);
																	if(_t129 == 0) {
																		goto L8;
																	}
																	E6E0267A0(_t129, _t215,  *(_t223 + 0x1c));
																	_t153 =  *(_t223 + 0x24);
																	_t223 = _t223 + 0xc;
																	_t215 =  &(_t215[ *(_t223 + 0x1c)]);
																	_t154 = _t153 + 1;
																	_t181 = _t181 + 0xc;
																	 *(_t223 + 0x18) = _t154;
																	if(_t154 <  *(_t223 + 0x14)) {
																		continue;
																	} else {
																		goto L33;
																	}
																	goto L48;
																}
																goto L8;
															}
														} else {
															_t182 = 0;
															while(1) {
																_t156 =  *(_t182 +  *(_t209 + 0x24) + 8);
																_push(_t156);
																_push(_t218);
																 *(_t223 + 0x20) = _t156;
																L6E025ACA();
																_t223 = _t223 + 8;
																 *(_t182 +  *(_t209 + 0x24) + 4) = _t156;
																_t129 =  *(_t182 +  *(_t209 + 0x24) + 4);
																if(_t129 == 0) {
																	goto L8;
																}
																E6E0267A0(_t129, _t215,  *(_t223 + 0x18));
																_t159 =  *((intOrPtr*)(_t223 + 0x28));
																_t223 = _t223 + 0xc;
																_t215 =  &(_t215[ *(_t223 + 0x18)]);
																_t160 = _t159 + 1;
																_t182 = _t182 + 0xc;
																 *(_t223 + 0x1c) = _t160;
																if(_t160 <  *(_t223 + 0x14)) {
																	continue;
																} else {
																	_t175 =  *(_t223 + 0x14);
																	goto L29;
																}
																goto L48;
															}
															goto L8;
														}
													}
												}
											}
										}
									} else {
										goto L8;
									}
								}
							}
						}
					} else {
						L2:
						_push(0xffffe012);
						L6E025AB2();
						_t223 = _t223 + 4;
						goto L47;
					}
				}
				L48:
			}

0x6e01c280
0x6e01c287
0x6e01c28b
0x6e01c28e
0x6e01c28f
0x6e01c293
0x6e01c298
0x6e01c29f
0x6e01c2a3
0x6e01c2a4
0x6e01c2a5
0x6e01c2aa
0x6e01c2af
0x6e01c636
0x6e01c636
0x6e01c63a
0x6e01c63b
0x6e01c64d
0x6e01c2b5
0x6e01c2b5
0x6e01c2bd
0x6e01c2de
0x6e01c2e0
0x6e01c2e3
0x6e01c2e6
0x6e01c2f5
0x6e01c2fe
0x6e01c30a
0x6e01c30c
0x6e01c310
0x6e01c317
0x6e01c319
0x6e01c31d
0x6e01c320
0x6e01c327
0x00000000
0x6e01c329
0x6e01c32c
0x6e01c32f
0x6e01c330
0x6e01c331
0x6e01c336
0x6e01c337
0x6e01c338
0x6e01c33b
0x6e01c340
0x6e01c343
0x6e01c34a
0x6e01c36c
0x6e01c36c
0x6e01c371
0x6e01c376
0x00000000
0x6e01c350
0x6e01c350
0x6e01c357
0x6e01c395
0x00000000
0x6e01c359
0x6e01c359
0x6e01c35a
0x6e01c35b
0x6e01c360
0x6e01c362
0x6e01c365
0x6e01c36a
0x6e01c38b
0x6e01c390
0x6e01c39c
0x6e01c3a1
0x6e01c3a8
0x6e01c3fa
0x00000000
0x6e01c3aa
0x6e01c3aa
0x6e01c3ac
0x6e01c3ad
0x6e01c3b2
0x6e01c3b5
0x6e01c3ba
0x00000000
0x6e01c3bc
0x6e01c3bc
0x6e01c3c0
0x6e01c3c1
0x6e01c3c9
0x6e01c3cc
0x6e01c3ce
0x6e01c3d1
0x6e01c3d5
0x00000000
0x6e01c3d7
0x6e01c3e9
0x6e01c3ee
0x6e01c3f1
0x6e01c401
0x6e01c405
0x6e01c40c
0x6e01c412
0x6e01c414
0x6e01c416
0x6e01c416
0x6e01c419
0x6e01c41c
0x6e01c420
0x6e01c426
0x6e01c42b
0x6e01c42d
0x6e01c431
0x6e01c431
0x6e01c436
0x6e01c43a
0x6e01c440
0x6e01c442
0x6e01c444
0x6e01c450
0x6e01c450
0x6e01c453
0x6e01c456
0x6e01c45a
0x6e01c460
0x6e01c465
0x6e01c467
0x6e01c46b
0x6e01c46b
0x6e01c470
0x6e01c474
0x6e01c474
0x6e01c440
0x6e01c478
0x6e01c47f
0x00000000
0x6e01c485
0x6e01c485
0x6e01c48f
0x6e01c4e6
0x6e01c4e6
0x6e01c4f0
0x6e01c543
0x6e01c54d
0x6e01c554
0x6e01c558
0x6e01c60e
0x6e01c60e
0x6e01c612
0x6e01c613
0x6e01c624
0x6e01c56b
0x6e01c572
0x6e01c578
0x6e01c57a
0x6e01c57c
0x6e01c583
0x6e01c588
0x00000000
0x6e01c58e
0x6e01c58e
0x6e01c595
0x6e01c596
0x6e01c597
0x6e01c59c
0x6e01c59f
0x6e01c5a4
0x00000000
0x6e01c5aa
0x6e01c5aa
0x6e01c5af
0x6e01c606
0x6e01c608
0x00000000
0x6e01c60a
0x6e01c60a
0x00000000
0x6e01c60a
0x6e01c5b1
0x6e01c5b1
0x6e01c5b3
0x6e01c5b8
0x00000000
0x00000000
0x6e01c5c1
0x6e01c5c7
0x6e01c5cd
0x6e01c5d1
0x00000000
0x6e01c5d3
0x6e01c5d3
0x6e01c5d4
0x6e01c5d8
0x6e01c5e0
0x6e01c5e3
0x6e01c5e6
0x6e01c5eb
0x6e01c625
0x6e01c62a
0x6e01c62f
0x00000000
0x6e01c5ed
0x6e01c5f2
0x6e01c5f7
0x6e01c5f9
0x6e01c5fa
0x6e01c5fe
0x6e01c604
0x00000000
0x00000000
0x00000000
0x00000000
0x6e01c604
0x6e01c5eb
0x00000000
0x6e01c5d1
0x6e01c632
0x6e01c632
0x00000000
0x6e01c632
0x6e01c5af
0x6e01c5a4
0x6e01c588
0x6e01c4f2
0x6e01c4f2
0x6e01c4f4
0x6e01c4f7
0x6e01c4fb
0x6e01c4fc
0x6e01c4fd
0x6e01c501
0x6e01c509
0x6e01c50c
0x6e01c513
0x6e01c519
0x00000000
0x00000000
0x6e01c525
0x6e01c52a
0x6e01c52e
0x6e01c531
0x6e01c535
0x6e01c536
0x6e01c539
0x6e01c541
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e01c541
0x00000000
0x6e01c4f4
0x6e01c491
0x6e01c491
0x6e01c493
0x6e01c496
0x6e01c49a
0x6e01c49b
0x6e01c49c
0x6e01c4a0
0x6e01c4a8
0x6e01c4ab
0x6e01c4b2
0x6e01c4b8
0x00000000
0x00000000
0x6e01c4c4
0x6e01c4c9
0x6e01c4cd
0x6e01c4d0
0x6e01c4d4
0x6e01c4d5
0x6e01c4d8
0x6e01c4e0
0x00000000
0x6e01c4e2
0x6e01c4e2
0x00000000
0x6e01c4e2
0x00000000
0x6e01c4e0
0x00000000
0x6e01c493
0x6e01c48f
0x6e01c47f
0x6e01c3d5
0x6e01c3ba
0x00000000
0x00000000
0x00000000
0x6e01c36a
0x6e01c357
0x6e01c34a
0x6e01c2bf
0x6e01c2bf
0x6e01c2bf
0x6e01c2c4
0x6e01c2c9
0x00000000
0x6e01c2c9
0x6e01c2bd
0x00000000

APIs

PORT_ArenaMark_Util.NSSUTIL3(00000001,00000000,00000000,00000000,00000000,?,?,6E01D69F,00000000,?,?), ref: 6E01C293
SECITEM_CopyItem_Util.NSSUTIL3(00000001,?,?,00000001,00000000,00000000,00000000,00000000,?,?,6E01D69F,00000000,?,?), ref: 6E01C2A5
PORT_SetError_Util.NSSUTIL3(FFFFE012,00000000,00000000,00000000,00000000,?,?,6E01D69F,00000000,?,?), ref: 6E01C2C4
PORT_ArenaAlloc_Util.NSSUTIL3(00000001,?,00000000,00000000,00000000,00000000,?,?,6E01D69F,00000000,?,?), ref: 6E01C331
PORT_ArenaAlloc_Util.NSSUTIL3(00000001,?,00000001,?,00000000,00000000,00000000,00000000,?,?,6E01D69F,00000000,?,?), ref: 6E01C33B
PORT_ArenaAlloc_Util.NSSUTIL3(00000001,?,?,?,?,?,00000000,00000000,00000000,00000000,?,?,6E01D69F,00000000,?,?), ref: 6E01C35B
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,00000000,00000000,00000000,00000000,?,?,6E01D69F,00000000,?,?), ref: 6E01C371
PORT_ArenaRelease_Util.NSSUTIL3(00000001,?,00000000,00000000,00000000,00000000,?,?,6E01D69F,00000000,?,?), ref: 6E01C63B

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena$Alloc_$Error_$CopyItem_Mark_Release_
String ID:
API String ID: 1854098273-0
Opcode ID: ea2392d7d7cbf64fbf9549c36f0a7ac4f30fd343e78d2f89687ba674c4b357d3
Instruction ID: 93a2fe530eecae17f1ceab11efb708ec703aa5b6115126c90b6c99179400d696
Opcode Fuzzy Hash: ea2392d7d7cbf64fbf9549c36f0a7ac4f30fd343e78d2f89687ba674c4b357d3
Instruction Fuzzy Hash: EFC1B1709083169FD754CFE9C8D0A6ABBE4FF48348F04493DE8999B601E735E914CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6E01D0C0 Relevance: 24.2, APIs: 16, Instructions: 161
memoryCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6E01D0C0(intOrPtr __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
				intOrPtr _t29;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr _t35;
				intOrPtr* _t38;
				intOrPtr _t39;
				intOrPtr _t40;
				intOrPtr* _t42;
				void* _t44;
				intOrPtr _t45;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t51;
				void* _t53;
				void* _t54;

				_push(0x800);
				L6E025ABE();
				_t45 = __eax;
				_t49 = _t48 + 4;
				if(__eax != 0) {
					_push(0x34);
					_push(__eax);
					L6E025ACA();
					_t46 = __eax;
					_t50 = _t49 + 8;
					if(__eax != 0) {
						_push(_a4);
						 *((intOrPtr*)(__eax + 8)) = _a24;
						_t4 = _t46 + 0x10; // 0x10
						_t29 = _t4;
						_push(_t29);
						_push(__eax);
						 *((intOrPtr*)(__eax + 0xc)) = __eax;
						 *((intOrPtr*)(__eax)) = 3;
						 *((intOrPtr*)(__eax + 4)) = 8;
						L6E025AD6();
						_t51 = _t50 + 0xc;
						if(_t29 != 0) {
							goto L5;
						} else {
							_t38 = _a16;
							 *((intOrPtr*)(__eax + 0x1c)) = 1;
							 *((intOrPtr*)(__eax + 0x30)) = _t29;
							if(_t38 == 0 ||  *_t38 == _t29) {
								 *((intOrPtr*)(_t46 + 0x20)) = 0;
								goto L14;
							} else {
								_t42 = _t38;
								_t44 = _t42 + 1;
								do {
									_t35 =  *_t42;
									_t42 = _t42 + 1;
								} while (_t35 != 0);
								_t47 = _t42 - _t44 + 1;
								_push(_t42 - _t44 + 1);
								_push(__eax);
								L6E025ACA();
								_t51 = _t51 + 8;
								 *((intOrPtr*)(__eax + 0x20)) = _t35;
								if(_t35 == 0) {
									goto L5;
								} else {
									E6E0267A0(_t35, _t38, _t47);
									_t51 = _t51 + 0xc;
									L14:
									_t31 = _a20;
									if(_t31 == 0 ||  *_t31 == 0) {
										 *((intOrPtr*)(_t46 + 0x2c)) = 0;
										goto L24;
									} else {
										_t33 = E6E01AA30(_t31);
										_t39 = _t33;
										_t53 = _t51 + 4;
										if(_t39 != 0) {
											_push(4);
											_push(_t45);
											L6E025ACA();
											_t50 = _t53 + 8;
											 *((intOrPtr*)(_t46 + 0x2c)) = _t33;
											_push(_t39);
											if(_t33 != 0) {
												_push(_t45);
												L6E025B7E();
												_t54 = _t50 + 8;
												 *((intOrPtr*)( *((intOrPtr*)(_t46 + 0x2c)))) = _t33;
												_t31 =  *((intOrPtr*)(_t46 + 0x2c));
												if( *_t31 != 0) {
													 *((intOrPtr*)(_t46 + 0x30)) = 1;
												}
												_push(_t39);
												L6E025A9A();
												_t51 = _t54 + 4;
												L24:
												_push(0xc);
												_push(_t45);
												L6E025ACA();
												_push(0xc);
												_push(_t45);
												 *((intOrPtr*)(_t46 + 0x24)) = _t31;
												L6E025ACA();
												_t40 =  *((intOrPtr*)(_t46 + 0x24));
												_t51 = _t51 + 0x10;
												 *((intOrPtr*)(_t46 + 0x28)) = _t31;
												if(_t40 == 0 || _t31 == 0) {
													goto L5;
												} else {
													_push(_a8);
													_push(_t40);
													_push(_t45);
													L6E025AD6();
													_t51 = _t51 + 0xc;
													if(_t31 != 0) {
														goto L5;
													} else {
														_push(_a12);
														_push( *((intOrPtr*)(_t46 + 0x28)));
														_push(_t45);
														L6E025AD6();
														_t51 = _t51 + 0xc;
														if(_t31 != 0) {
															goto L5;
														} else {
															return _t46;
														}
													}
												}
											} else {
												L6E025A9A();
												goto L4;
											}
										} else {
											_push(_t33);
											_push(_t45);
											 *((intOrPtr*)(_t46 + 0x2c)) = _t33;
											L6E025AC4();
											return 0;
										}
									}
								}
							}
						}
					} else {
						_push(0xffffe013);
						L6E025AB2();
						L4:
						_t51 = _t50 + 4;
						L5:
						_push(0);
						_push(_t45);
						L6E025AC4();
						return 0;
					}
				} else {
					_push(0xffffe013);
					L6E025AB2();
					return 0;
				}
			}

0x6e01d0c4
0x6e01d0c9
0x6e01d0ce
0x6e01d0d0
0x6e01d0d5
0x6e01d0eb
0x6e01d0ed
0x6e01d0ee
0x6e01d0f3
0x6e01d0f5
0x6e01d0fa
0x6e01d11f
0x6e01d123
0x6e01d126
0x6e01d126
0x6e01d129
0x6e01d12a
0x6e01d12b
0x6e01d12e
0x6e01d134
0x6e01d13b
0x6e01d140
0x6e01d145
0x00000000
0x6e01d147
0x6e01d147
0x6e01d14b
0x6e01d152
0x6e01d157
0x6e01d18c
0x00000000
0x6e01d15d
0x6e01d15d
0x6e01d15f
0x6e01d162
0x6e01d162
0x6e01d164
0x6e01d165
0x6e01d16b
0x6e01d16e
0x6e01d16f
0x6e01d170
0x6e01d175
0x6e01d178
0x6e01d17d
0x00000000
0x6e01d17f
0x6e01d182
0x6e01d187
0x6e01d193
0x6e01d193
0x6e01d199
0x6e01d208
0x00000000
0x6e01d1a0
0x6e01d1a1
0x6e01d1a6
0x6e01d1a8
0x6e01d1ad
0x6e01d1c3
0x6e01d1c5
0x6e01d1c6
0x6e01d1cb
0x6e01d1ce
0x6e01d1d1
0x6e01d1d4
0x6e01d1e0
0x6e01d1e1
0x6e01d1e9
0x6e01d1ec
0x6e01d1ee
0x6e01d1f4
0x6e01d1f6
0x6e01d1f6
0x6e01d1fd
0x6e01d1fe
0x6e01d203
0x6e01d20f
0x6e01d20f
0x6e01d211
0x6e01d212
0x6e01d217
0x6e01d219
0x6e01d21a
0x6e01d21d
0x6e01d222
0x6e01d225
0x6e01d228
0x6e01d22d
0x00000000
0x6e01d23b
0x6e01d23b
0x6e01d23f
0x6e01d240
0x6e01d241
0x6e01d246
0x6e01d24b
0x00000000
0x6e01d251
0x6e01d251
0x6e01d255
0x6e01d258
0x6e01d259
0x6e01d25e
0x6e01d263
0x00000000
0x6e01d26a
0x6e01d26f
0x6e01d26f
0x6e01d263
0x6e01d24b
0x6e01d1d6
0x6e01d1d6
0x00000000
0x6e01d1d6
0x6e01d1af
0x6e01d1af
0x6e01d1b0
0x6e01d1b1
0x6e01d1b4
0x6e01d1c2
0x6e01d1c2
0x6e01d1ad
0x6e01d199
0x6e01d17d
0x6e01d157
0x6e01d0fc
0x6e01d0fc
0x6e01d101
0x6e01d106
0x6e01d106
0x6e01d109
0x6e01d109
0x6e01d10b
0x6e01d10c
0x6e01d11a
0x6e01d11a
0x6e01d0d7
0x6e01d0d7
0x6e01d0dc
0x6e01d0ea
0x6e01d0ea

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,00000000,00000000,?,00000000,6E01B94A,?,?,?,?,00000000,00000000), ref: 6E01D0C9
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 6E01D0DC
PORT_ArenaAlloc_Util.NSSUTIL3(00000000,00000034,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 6E01D0EE
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6E01D101
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000), ref: 6E01D10C

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_Error_$Alloc_ArenaFree
String ID:
API String ID: 2983971270-0
Opcode ID: e7bba2c85e0e5b643a45e2b01604af4afd2a21c77b6a7423cf59e86072d80e7d
Instruction ID: 86f6a0b6ec6cd2f9dec66dd264da43cd25ab0be268e70f19dfb08117b748f47c
Opcode Fuzzy Hash: e7bba2c85e0e5b643a45e2b01604af4afd2a21c77b6a7423cf59e86072d80e7d
Instruction Fuzzy Hash: D841F7B5A083016FE7119BE59C91BEBB7ECAF5135AF04093EE8458B640F776D0058B63

Uniqueness

Uniqueness Score: -1.00%

Function 6E0201F0 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 227
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E6E0201F0(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int* _a16, intOrPtr _a20, signed int _a24) {
				intOrPtr _v4;
				signed int _v8;
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				char* _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t31;
				signed int _t32;
				void* _t33;
				void* _t36;
				signed int _t37;
				void* _t38;
				void* _t46;
				void* _t57;
				char _t60;
				intOrPtr _t61;
				void* _t62;
				signed int _t64;
				signed int _t65;
				signed int _t66;
				signed int* _t72;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;
				void* _t78;
				void* _t79;
				void* _t81;
				void* _t82;
				void* _t83;

				_t62 = __edx;
				_t74 =  &_v28;
				_t73 = _a4;
				_v28 = 1;
				if(_t73 == 0) {
					_push(0);
					_t32 = E6E011590(_t31, _a12, 0x302, 0x180, 1);
				} else {
					_t32 = E6E019810(_t73, _a8, "cert", 0x302,  &_v28);
				}
				_t72 = _a16;
				_t75 = _t74 + 0x14;
				 *_t72 = _t32;
				if(_t32 != 0) {
					_push(0x800);
					L6E025ABE();
					_t64 = _t32;
					_t76 = _t75 + 4;
					if(_t64 != 0) {
						_push(0x10);
						_push(_t64);
						L6E025ACA();
						_t55 = _t32;
						_t77 = _t76 + 8;
						if(_t55 != 0) {
							_push(0x800);
							 *(_t55 + 0xc) = _t64;
							 *_t55 = 0;
							 *((intOrPtr*)(_t55 + 4)) = 8;
							 *((intOrPtr*)(_t55 + 8)) = 0;
							L6E025ABE();
							_t65 = _t32;
							_t78 = _t77 + 4;
							if(_t65 == 0) {
								L13:
								_t66 = _t65 | 0xffffffff;
							} else {
								_push(3);
								_push(_t65);
								_v4 = 3;
								L6E025ACA();
								_t82 = _t78 + 8;
								_v8 = _t32;
								if(_t32 != 0) {
									_push(9);
									_push(_t65);
									_v16 = 9;
									L6E025ACA();
									_t83 = _t82 + 8;
									_v20 = _t32;
									if(_t32 == 0) {
										goto L12;
									} else {
										_t60 = "Version"; // 0x73726556
										 *((intOrPtr*)(_t32 + 1)) = _t60;
										_t61 =  *0x6e035424; // 0x6e6f69
										 *((intOrPtr*)(_t32 + 5)) = _t61;
										_t46 = E6E01E320(_t72, _t55,  &_v24,  &_v12);
										_t83 = _t83 + 0x10;
										if(_t46 != 0) {
											goto L12;
										} else {
											_push(_t46);
											_push(_t65);
											L6E025AC4();
											_t78 = _t83 + 8;
											_t66 = 0;
											goto L14;
										}
									}
									goto L35;
								} else {
									_push(0xffffe013);
									L6E025AB2();
									_t83 = _t82 + 4;
									L12:
									_push(0);
									_push(_t65);
									L6E025AC4();
									_t78 = _t83 + 8;
									goto L13;
								}
							}
							L14:
							_t33 = E6E01CAD0(_t55);
							_t79 = _t78 + 4;
							if(_t66 == 0) {
								if(_t73 == 0) {
									L21:
									_t55 = _a24;
									_t73 = _a20;
									_t36 = E6E0201B0(_a20, _a24, 7);
									_t81 = _t79 + 0xc;
									if(_t36 != 0) {
										goto L17;
									} else {
										_t38 = E6E0201B0(_t73, _t55, 6);
										_t81 = _t81 + 0xc;
										if(_t38 == 0) {
											_t39 = E6E0201B0(_t73, _t55, 5);
											_t81 = _t81 + 0xc;
											if(_t39 == 0) {
												_t57 = E6E0201B0(_t73, _t55, 4);
												_t79 = _t81 + 0xc;
												if(_t57 != 0) {
													_v24 = "Version";
													_v20 = 7;
													_t39 =  *((intOrPtr*)( *((intOrPtr*)(_t57 + 0xc))))(_t57,  &_v24,  &_v12, 0);
													_t81 = _t79 + 0x10;
													if(_t39 != 0 || _v8 != 1) {
														L31:
														_push(_t57);
														goto L32;
													} else {
														_t39 = _v12;
														if( *_v12 > 4) {
															goto L31;
														} else {
															_push(_t57);
															_push(_t72);
															_t37 = E6E01D8A0();
														}
													}
													goto L33;
												}
											} else {
												_push(_t39);
												L32:
												_push(_t72);
												_t37 = E6E01DAD0(_t39);
												goto L33;
											}
										} else {
											_push(_t38);
											_push(_t72);
											_t37 = E6E01DB40();
											goto L33;
										}
									}
								} else {
									_push(_t66);
									_t36 = E6E011590(_t33, _a12, _t66, 0x180, 1);
									_t79 = _t79 + 0x14;
									if(_t36 == 0) {
										goto L21;
									} else {
										L17:
										_t37 = E6E01DEA0(_t55, _t62, _t66, _t73, _t72, _t36);
										L33:
										_t66 = _t37;
										_t79 = _t81 + 8;
									}
								}
							}
							E6E019110( *_t72);
							return _t66;
						} else {
							_push(0xffffe013);
							L6E025AB2();
							_push(_t55);
							_push(_t64);
							L6E025AC4();
							E6E019110( *_t72);
							return _t64 | 0xffffffff;
						}
					} else {
						_push(0xffffe013);
						L6E025AB2();
						E6E019110( *_t72);
						return _t64 | 0xffffffff;
					}
				} else {
					return (_t32 & 0xffffff00 | _v28 != 0x00000002) + 0xfffffffe;
				}
				L35:
			}

0x6e0201f0
0x6e0201f0
0x6e0201f4
0x6e0201f8
0x6e020203
0x6e020220
0x6e020232
0x6e020205
0x6e020219
0x6e020219
0x6e020237
0x6e02023b
0x6e02023e
0x6e020242
0x6e020257
0x6e02025c
0x6e020261
0x6e020263
0x6e020268
0x6e02028e
0x6e020290
0x6e020291
0x6e020296
0x6e020298
0x6e02029d
0x6e0202ca
0x6e0202cf
0x6e0202d2
0x6e0202d8
0x6e0202df
0x6e0202e6
0x6e0202eb
0x6e0202ed
0x6e0202f2
0x6e020327
0x6e020327
0x6e0202f4
0x6e0202f4
0x6e0202f6
0x6e0202f7
0x6e0202ff
0x6e020304
0x6e020307
0x6e02030d
0x6e020364
0x6e020366
0x6e020367
0x6e02036f
0x6e020374
0x6e020377
0x6e02037d
0x00000000
0x6e02037f
0x6e02037f
0x6e020385
0x6e020388
0x6e02038e
0x6e02039d
0x6e0203a2
0x6e0203a7
0x00000000
0x6e0203ad
0x6e0203ad
0x6e0203ae
0x6e0203af
0x6e0203b4
0x6e0203b7
0x00000000
0x6e0203b7
0x6e0203a7
0x00000000
0x6e02030f
0x6e02030f
0x6e020314
0x6e020319
0x6e02031c
0x6e02031c
0x6e02031e
0x6e02031f
0x6e020324
0x00000000
0x6e020324
0x6e02030d
0x6e02032a
0x6e02032b
0x6e020330
0x6e020335
0x6e02033d
0x6e0203be
0x6e0203be
0x6e0203c2
0x6e0203ca
0x6e0203cf
0x6e0203d4
0x00000000
0x6e0203d6
0x6e0203da
0x6e0203df
0x6e0203e4
0x6e0203f3
0x6e0203f8
0x6e0203fd
0x6e02040b
0x6e02040d
0x6e020412
0x6e02041a
0x6e020427
0x6e020434
0x6e020436
0x6e02043b
0x6e020456
0x6e020456
0x00000000
0x6e020444
0x6e020444
0x6e02044b
0x00000000
0x6e02044d
0x6e02044d
0x6e02044e
0x6e02044f
0x6e02044f
0x6e02044b
0x00000000
0x6e02043b
0x6e0203ff
0x6e0203ff
0x6e020457
0x6e020457
0x6e020458
0x00000000
0x6e020458
0x6e0203e6
0x6e0203e6
0x6e0203e7
0x6e0203e8
0x00000000
0x6e0203e8
0x6e0203e4
0x6e02033f
0x6e02033f
0x6e02034c
0x6e020351
0x6e020356
0x00000000
0x6e020358
0x6e020358
0x6e02035a
0x6e02045d
0x6e02045d
0x6e02045f
0x6e02045f
0x6e020356
0x6e02033d
0x6e020464
0x6e020475
0x6e02029f
0x6e02029f
0x6e0202a4
0x6e0202a9
0x6e0202aa
0x6e0202ab
0x6e0202b8
0x6e0202c9
0x6e0202c9
0x6e02026a
0x6e02026a
0x6e02026f
0x6e02027c
0x6e02028d
0x6e02028d
0x6e020244
0x6e020254
0x6e020254
0x00000000

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,?,?,?), ref: 6E02025C
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?), ref: 6E02026F
PORT_ArenaAlloc_Util.NSSUTIL3(00000000,00000010,?,?,?,?,?), ref: 6E020291
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?), ref: 6E0202A4
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,FFFFE013,?,?,?,?,?,?,?), ref: 6E0202AB

Strings

Version, xrefs: 6E02037F, 6E02041A
cert, xrefs: 6E02020F

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_Error_$Alloc_ArenaFree
String ID: Version$cert
API String ID: 2983971270-730412617
Opcode ID: 4845db7671ebddfc37e4391c80bcdad704b301d7d16f6ea28b46f9a16a2f00e4
Instruction ID: 54ff49d517b533801ba2bad5a32594c2065302d89568c7ece0ef71b4461f909a
Opcode Fuzzy Hash: 4845db7671ebddfc37e4391c80bcdad704b301d7d16f6ea28b46f9a16a2f00e4
Instruction Fuzzy Hash: 016114B590C3056FE3405AD49C52FAB76ECAF9039DF448839FE485B285F775CA0886A3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFAE130 Relevance: 22.8, APIs: 15, Instructions: 273memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSSUTIL3(00000800), ref: 6DFAE150
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFAE163
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000034), ref: 6DFAE178
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFAE18B
PORT_FreeArena_Util.NSSUTIL3(00000000,00000001,FFFFE013), ref: 6DFAE193
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFAE445

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Arena_$Alloc_ArenaFree
String ID:
API String ID: 1144393034-0
Opcode ID: f8546611c45a7bea3c13987ebb4c34d210859a67645053b785301d01ed17d43e
Instruction ID: 1c0cce63230a91e6fa2b2780c1a14251c0ea4efa1a8328c2f39cfa559f36d1a0
Opcode Fuzzy Hash: f8546611c45a7bea3c13987ebb4c34d210859a67645053b785301d01ed17d43e
Instruction Fuzzy Hash: E181D7B2D08716ABD7118AACDC80A5B7BDCBF44324F090735EE14D7290E769E96887D3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB73F0 Relevance: 21.5, APIs: 14, Instructions: 458memoryCOMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE03F,?,00000000,?,?,?,?,?), ref: 6DFB74CA
PORT_SetError_Util.NSSUTIL3(FFFFE03F), ref: 6DFB757A
SECITEM_AllocItem_Util.NSSUTIL3(?,?,00000000), ref: 6DFB75CF
PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,?), ref: 6DFB78D1
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?), ref: 6DFB78E8
PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?,?,?), ref: 6DFB78FF
PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,?), ref: 6DFB7916

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$AllocItem_
String ID:
API String ID: 4233208270-0
Opcode ID: 623878b0932209975c70907e6e143c6b3ca16e01f116bba131e2af95642cce8e
Instruction ID: 9dd95235e48f15655f99b1eb866ad6738076a0436feeab0f4f4c91a98edf68db
Opcode Fuzzy Hash: 623878b0932209975c70907e6e143c6b3ca16e01f116bba131e2af95642cce8e
Instruction Fuzzy Hash: 31E1B372E087025BE711CAAE9CC0A5BB3ECBF04358F144A39EE5582151EF76E919C753

Uniqueness

Uniqueness Score: -1.00%

Function 6E0208B0 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 259
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E6E0208B0(signed int __eax, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr* _a20) {
				char _v8;
				char _v16;
				char _v24;
				char _v32;
				signed int _t68;
				void* _t72;
				intOrPtr* _t73;
				void* _t76;
				void* _t90;
				void* _t91;
				signed int _t92;
				signed int _t93;
				char _t97;
				intOrPtr _t100;
				void* _t104;
				signed int _t105;
				void* _t107;
				signed int _t108;
				intOrPtr _t109;
				void* _t110;
				char* _t111;
				signed int _t113;
				void* _t114;
				void* _t115;
				intOrPtr _t116;
				signed int _t117;
				signed int _t119;
				void* _t123;
				void* _t124;
				signed int _t125;
				void* _t126;
				signed int _t128;
				void* _t129;
				void* _t132;
				void* _t133;
				void* _t135;
				void* _t136;
				void* _t137;
				void* _t138;

				_push(0x28);
				_t105 = 0xa;
				L6E025A94();
				_t117 = __eax;
				_t132 =  &_v32 + 4;
				if(__eax != 0) {
					_t68 = E6E021680(__eax, _a4, _a8, _a12, 1, _a20);
					_t128 = _t68;
					_t133 = _t132 + 0x14;
					if(_t128 != 0) {
						_t68 =  *_a20(_t128,  &_v8,  &_v16, 3);
						_t133 = _t133 + 0x10;
						if(_t68 == 0) {
							_t8 = _t68 + 4; // 0x4
							_t126 = _t8;
							_t97 = 2;
							_v32 = 2;
							do {
								_v24 = 0;
								if(_t97 < _t105) {
									goto L8;
								} else {
									_t105 = _t105 + 0xa;
									_t68 = _t105 * 4;
									_push(_t68);
									_push(_t117);
									L6E025B24();
									_t133 = _t133 + 8;
									if(_t68 != 0) {
										_t117 = _t68;
										 *((intOrPtr*)(_t126 + _t68 + 4)) = 0;
										 *((intOrPtr*)(_t126 + _t68 + 8)) = 0;
										 *((intOrPtr*)(_t126 + _t68 + 0xc)) = 0;
										 *((intOrPtr*)(_t126 + _t68 + 0x10)) = 0;
										 *((intOrPtr*)(_t126 + _t68 + 0x14)) = 0;
										 *((intOrPtr*)(_t126 + _t68 + 0x18)) = 0;
										 *((intOrPtr*)(_t126 + _t68 + 0x1c)) = 0;
										 *((intOrPtr*)(_t126 + _t68 + 0x20)) = 0;
										 *((intOrPtr*)(_t126 + _t68 + 0x24)) = 0;
										 *((intOrPtr*)(_t126 + _t68 + 0x28)) = 0;
										goto L8;
									}
								}
								goto L12;
								L8:
								_push( &_v24);
								_push( &_v16);
								_push(_a16);
								_t100 = E6E020BD0( &_v16);
								_t138 = _t133 + 0xc;
								if(_v24 == 0) {
									_v32 = _v32 + 1;
									 *((intOrPtr*)(_t126 + _t117)) = _t100;
									_t126 = _t126 + 4;
								} else {
									 *_t117 = _t100;
								}
								_t104 =  *_a20(_t128,  &_v8,  &_v16, 7);
								_t133 = _t138 + 0x10;
								_t97 = _v32;
							} while (_t104 == 0);
						}
					}
					L12:
					if( *_t117 == 0) {
						_push(0x22);
						_push(_a16);
						L6E025B9C();
						_t125 = _t68;
						_t133 = _t133 + 8;
						if(_t125 != 0) {
							__imp__PR_smprintf("library= name=\"NSS Internal PKCS #11 Module\" parameters=%s NSS=\"Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={%s askpw=any timeout=30})\"", _t125, "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]");
							_push(_t125);
							 *_t117 = _t68;
							L6E025A9A();
							_t133 = _t133 + 0x10;
						}
					}
					if(_t128 == 0) {
						_t129 =  *_t117;
						if(_t129 != 0 && _a20 != 0) {
							if(_a4 == 0) {
								_t106 = _a12;
								_t123 = E6E021AF0(_a12, 2, 0x180, 1, 0);
								_t135 = _t133 + 0x14;
								if(_t123 != 0) {
									goto L37;
								} else {
									_t123 = E6E021AF0(_t106, 0x302, 0x180, 1, _t70);
									_t133 = _t135 + 0x14;
									if(_t123 != 0) {
										 *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x18))))(_t123, 0);
										_t133 = _t133 + 8;
										goto L36;
									}
								}
							} else {
								_push(_a8);
								L6E025AAC();
								_t108 = _t68;
								_t137 = _t133 + 4;
								_t113 = _t108;
								_t48 = _t113 + 1; // 0x1
								_t90 = _t48;
								do {
									_t110 =  *_t113;
									_t113 = _t113 + 1;
								} while (_t110 != 0);
								_t114 = _t113 - _t90;
								if(_t114 >= 3) {
									_t124 = _t114 + _t108;
									_t111 = ".db";
									_t92 = _t124 - 3;
									while(1) {
										_t115 =  *_t92;
										if(_t115 !=  *_t111) {
											break;
										}
										if(_t115 == 0) {
											L28:
											_t93 = 0;
										} else {
											_t116 =  *((intOrPtr*)(_t92 + 1));
											if(_t116 != _t111[1]) {
												break;
											} else {
												_t92 = _t92 + 2;
												_t111 =  &(_t111[2]);
												if(_t116 != 0) {
													continue;
												} else {
													goto L28;
												}
											}
										}
										L30:
										if(_t93 == 0) {
											 *(_t124 - 3) = _t93;
										}
										goto L32;
									}
									asm("sbb eax, eax");
									_t93 = _t92 | 0x00000001;
									goto L30;
								}
								L32:
								_t91 = E6E019810(_a4, 0x6e035400, _t108, 2, 0);
								_push(_t108);
								_t123 = _t91;
								L6E025A9A();
								_t133 = _t137 + 0x18;
								L36:
								if(_t123 != 0) {
									L37:
									_t72 = E6E021630( &_v24,  &_v24, _t129);
									_t133 = _t135 + 8;
									if(_t72 == 0) {
										_push(_t129);
										_push( &_v32);
										_t76 = E6E021180();
										_t136 = _t133 + 8;
										if(_t76 == 0) {
											_t107 =  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x10))))(_t123,  &_v24,  &_v32, 0);
											E6E0215C0( &_v24);
											_t109 = _v32;
											_t133 = _t136 + 0x14;
											if(_t109 != 0) {
												_push(_t109);
												L6E025A9A();
												_t133 = _t133 + 4;
											}
											if(_t107 == 0) {
												 *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x18))))(_t123, _t107);
												_t133 = _t133 + 8;
											}
										} else {
											E6E0215C0( &_v24);
											_t133 = _t136 + 4;
										}
									}
									_t73 =  *((intOrPtr*)(_t123 + 4));
									_push(_t123);
									goto L45;
								}
							}
						}
					} else {
						_t73 = _a4;
						_push(_t128);
						L45:
						 *_t73();
						_t133 = _t133 + 4;
					}
					_t119 =  *_t117;
					if(_t119 == 0) {
						_push(_t117);
						L6E025A9A();
					}
					asm("sbb esi, esi");
					return  ~_t119 & _t117;
				} else {
					return __eax;
				}
			}

0x6e0208b5
0x6e0208b7
0x6e0208bc
0x6e0208c1
0x6e0208c3
0x6e0208c8
0x6e0208e4
0x6e0208e9
0x6e0208eb
0x6e0208f0
0x6e020906
0x6e020908
0x6e02090d
0x6e020913
0x6e020913
0x6e020916
0x6e02091b
0x6e020920
0x6e020920
0x6e02092a
0x00000000
0x6e02092c
0x6e02092c
0x6e02092f
0x6e020936
0x6e020937
0x6e020938
0x6e02093d
0x6e020942
0x6e020946
0x6e020948
0x6e02094c
0x6e020950
0x6e020954
0x6e020958
0x6e02095c
0x6e020960
0x6e020964
0x6e020968
0x6e02096c
0x00000000
0x6e02096c
0x6e020942
0x00000000
0x6e020970
0x6e020974
0x6e020979
0x6e02097a
0x6e02097e
0x6e020983
0x6e02098b
0x6e020991
0x6e020995
0x6e020998
0x6e02098d
0x6e02098d
0x6e02098d
0x6e0209ab
0x6e0209ad
0x6e0209b2
0x6e0209b2
0x6e020920
0x6e02090d
0x6e0209bc
0x6e0209bf
0x6e0209c1
0x6e0209c3
0x6e0209c7
0x6e0209cc
0x6e0209ce
0x6e0209d3
0x6e0209e0
0x6e0209e6
0x6e0209e7
0x6e0209e9
0x6e0209ee
0x6e0209ee
0x6e0209d3
0x6e0209f3
0x6e0209fe
0x6e020a02
0x6e020a18
0x6e020a9c
0x6e020ab1
0x6e020ab3
0x6e020ab8
0x00000000
0x6e020aba
0x6e020acd
0x6e020acf
0x6e020ad4
0x6e020ae0
0x6e020ae2
0x00000000
0x6e020ae2
0x6e020ad4
0x6e020a1e
0x6e020a1e
0x6e020a22
0x6e020a27
0x6e020a29
0x6e020a2c
0x6e020a2e
0x6e020a2e
0x6e020a31
0x6e020a31
0x6e020a33
0x6e020a34
0x6e020a38
0x6e020a3d
0x6e020a3f
0x6e020a42
0x6e020a47
0x6e020a50
0x6e020a50
0x6e020a54
0x00000000
0x00000000
0x6e020a58
0x6e020a6c
0x6e020a6c
0x6e020a5a
0x6e020a5a
0x6e020a60
0x00000000
0x6e020a62
0x6e020a62
0x6e020a65
0x6e020a6a
0x00000000
0x00000000
0x00000000
0x00000000
0x6e020a6a
0x6e020a60
0x6e020a75
0x6e020a77
0x6e020a79
0x6e020a79
0x00000000
0x6e020a77
0x6e020a70
0x6e020a72
0x00000000
0x6e020a72
0x6e020a7c
0x6e020a8a
0x6e020a8f
0x6e020a90
0x6e020a92
0x6e020a97
0x6e020ae5
0x6e020ae7
0x6e020aed
0x6e020af3
0x6e020af8
0x6e020afd
0x6e020b03
0x6e020b04
0x6e020b05
0x6e020b0a
0x6e020b0f
0x6e020b32
0x6e020b39
0x6e020b3e
0x6e020b42
0x6e020b47
0x6e020b49
0x6e020b4a
0x6e020b4f
0x6e020b4f
0x6e020b54
0x6e020b5b
0x6e020b5d
0x6e020b5d
0x6e020b11
0x6e020b16
0x6e020b1b
0x6e020b1b
0x6e020b0f
0x6e020b60
0x6e020b63
0x00000000
0x6e020b63
0x6e020ae7
0x6e020a18
0x6e0209f5
0x6e0209f5
0x6e0209f8
0x6e020b64
0x6e020b64
0x6e020b66
0x6e020b66
0x6e020b69
0x6e020b6d
0x6e020b6f
0x6e020b70
0x6e020b75
0x6e020b7a
0x6e020b87
0x6e0208cf
0x6e0208cf
0x6e0208cf

APIs

PORT_ZAlloc_Util.NSSUTIL3(00000028), ref: 6E0208BC
PORT_Realloc_Util.NSSUTIL3(00000000,00000002), ref: 6E020938
NSSUTIL_Quote.NSSUTIL3(?,00000022), ref: 6E0209C7
PR_smprintf.NSPR4(library= name="NSS Internal PKCS #11 Module" parameters=%s NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={%s askpw=any timeout=30})",00000000,slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]), ref: 6E0209E0
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E0209E9

Strings

slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512], xrefs: 6E0209D5
library= name="NSS Internal PKCS #11 Module" parameters=%s NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={%s askpw=any timeout=30})", xrefs: 6E0209DB
.db, xrefs: 6E020A42

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Alloc_Free_QuoteR_smprintfRealloc_
String ID: .db$library= name="NSS Internal PKCS #11 Module" parameters=%s NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={%s askpw=any timeout=30})"$slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]
API String ID: 586391234-855918697
Opcode ID: b0e3b231d9f3763d0337390379b468b787379c72cf9aca50f6c42e1a12cb68dc
Instruction ID: 47f9c70f50967922acb77f8316dfb670c69307dfa0ca978dce984e30a5fb4992
Opcode Fuzzy Hash: b0e3b231d9f3763d0337390379b468b787379c72cf9aca50f6c42e1a12cb68dc
Instruction Fuzzy Hash: CB81F272908312AFD3218FE49CA1B9BB7ECAF45348F440939FD8587241F376E9088792

Uniqueness

Uniqueness Score: -1.00%

Function 6E017290 Relevance: 21.3, APIs: 14, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E6E017290(intOrPtr _a4, intOrPtr* _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v4;
				char* _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr* _v36;
				void* __ebp;
				intOrPtr* _t74;
				intOrPtr _t75;
				void* _t79;
				intOrPtr _t81;
				void* _t84;
				void* _t86;
				char _t87;
				void* _t90;
				void* _t91;
				intOrPtr _t92;
				intOrPtr _t93;
				intOrPtr _t95;
				intOrPtr* _t101;
				intOrPtr* _t106;
				void* _t108;
				intOrPtr* _t110;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t114 = 0;
				_v20 = 0;
				_t115 = E6E019640(_a4);
				_t117 =  &_v36 + 4;
				if(_t71 != 0) {
					_t100 = _a20;
					_t110 = E6E019D10(3, _a16, _a20);
					_v36 = _t110;
					_t74 = E6E0199F0(0, 0x102, _a16, _t100,  &_v24);
					_t101 = _t74;
					_t118 = _t117 + 0x20;
					if(_t101 == 0) {
						if(_v16 != 0) {
							L24:
							_push(0x800);
							L6E025ABE();
							_t112 = _t74;
							_t120 = _t118 + 4;
							if(_t112 == 0) {
								L31:
								_push(0);
								_push(_t112);
								L6E025AC4();
								_t118 = _t120 + 8;
								_t114 = 0;
							} else {
								_push(0xb0);
								_push(_t112);
								L6E025AD0();
								_t114 = _t74;
								_t120 = _t120 + 8;
								if(_t114 == 0) {
									goto L31;
								} else {
									 *_t114 = _t112;
									 *((intOrPtr*)(_t114 + 4)) = 1;
									_push(_v16);
									_push(_t112);
									L6E025ACA();
									_t120 = _t120 + 8;
									 *((intOrPtr*)(_t114 + 0x1c)) = _t74;
									if(_t74 == 0) {
										goto L31;
									} else {
										 *((intOrPtr*)(_t114 + 0x20)) = _v16;
										E6E0267A0(_t74, _v20, _v16);
										_t37 = _t114 + 0x30; // 0x30
										 *((intOrPtr*)(_t114 + 0x2c)) = 1;
										 *((intOrPtr*)(_t114 + 0x28)) = 0x6e03d951;
										_t84 = E6E019B40(_t112, 0x11, _a16, _a20, _t37, _a4);
										_t120 = _t120 + 0x24;
										if(_t84 != 0) {
											goto L31;
										} else {
											 *((intOrPtr*)(_t114 + 0x44)) = 1;
											 *((intOrPtr*)(_t114 + 0x40)) = 0x6e03d951;
											 *((intOrPtr*)(_t114 + 0x50)) = 1;
											 *((intOrPtr*)(_t114 + 0x4c)) = 0x6e03d951;
											 *((intOrPtr*)(_t114 + 0x5c)) = 1;
											 *((intOrPtr*)(_t114 + 0x58)) = 0x6e03d951;
											 *((intOrPtr*)(_t114 + 0x68)) = 1;
											 *((intOrPtr*)(_t114 + 0x64)) = 0x6e03d951;
											_t86 = E6E019AD0(0x100, _a16, _a20,  &_v28);
											_t120 = _t120 + 0x10;
											if(_t86 != 0) {
												goto L31;
											} else {
												_t87 = _v28;
												_v32 = _t87;
												__imp__PR_htonl(_t87);
												_v32 = _t87;
												_v8 =  &_v32;
												_push( &_v12);
												_t59 = _t114 + 0x6c; // 0x6c
												_t90 = _t59;
												_v4 = 4;
												_push(_t90);
												_push(_t112);
												L6E025AD6();
												_t120 = _t120 + 0x10;
												if(_t90 != 0) {
													goto L31;
												} else {
													_push(_t90);
													_t61 = _t114 + 0xc; // 0xc
													_t91 = _t61;
													_push(_t91);
													_push( *_t114);
													L6E025B1E();
													_t118 = _t120 + 0xc;
													if(_t91 != 0) {
														goto L31;
													}
												}
											}
										}
									}
								}
							}
							_t110 = _v36;
							if(_t114 != 0) {
								_t79 = E6E012990(_t115, _t114,  &_v24, _t110, _a4);
								_t118 = _t118 + 0x14;
								if(_t79 == 0) {
									_push(0x18000000);
									_push( &_v24);
									_push(_a4);
									_t81 = E6E019DF0(_t115);
									_t118 = _t118 + 0xc;
									 *_a12 = _t81;
								} else {
									_t101 = 0x30;
								}
							} else {
								_t63 = _t114 + 2; // 0x2
								_t101 = _t63;
							}
						} else {
							_t92 = _v20;
							if(_t92 != 0) {
								_push(_t92);
								L6E025A9A();
								_t118 = _t118 + 4;
							}
							_v20 = 0;
							if(_t110 == 0) {
								L14:
								_push(0x12);
								L6E025A8E();
								_t118 = _t118 + 4;
								_v20 = _t92;
								if(_t92 != 0) {
									_t93 = 0x12;
									_t113 = 0;
									_v16 = 0x12;
									while(1) {
										_push(_t93);
										_push(_v20);
										_t74 = E6E021890();
										_t121 = _t118 + 8;
										if(_t74 != 0) {
											break;
										}
										_t74 = E6E012570(_t115,  &_v24);
										_t118 = _t121 + 8;
										if(_t74 == 0) {
											if(_t113 > 0xa) {
												break;
											}
										} else {
											_t113 = _t113 + 1;
											if(_t113 > 0xa) {
												break;
											} else {
												_t93 = _v16;
												continue;
											}
										}
										L23:
										if(_t101 != 0) {
											_t110 = _v36;
										} else {
											goto L24;
										}
										goto L38;
									}
									_push(_v20);
									_t101 = 0x30;
									L6E025A9A();
									_t118 = _t121 + 4;
									_v20 = _t114;
									_v16 = _t114;
									goto L23;
								} else {
									_t21 = _t92 + 2; // 0x2
									_t101 = _t21;
								}
							} else {
								_push(_t110);
								L6E025AAC();
								_t118 = _t118 + 4;
								_v20 = _t92;
								if(_t92 != 0) {
									_t106 = _t110;
									_t13 = _t106 + 1; // 0x1
									_t108 = _t13;
									do {
										_t95 =  *_t106;
										_t106 = _t106 + 1;
									} while (_t95 != 0);
									_t14 = _t106 - _t108 + 1; // 0x2
									_v16 = _t14;
									_t92 = E6E012570(_t115,  &_v24);
									_t118 = _t118 + 8;
									if(_t92 != 0) {
										_push(_v20);
										L6E025A9A();
										_t118 = _t118 + 4;
										_v20 = 0;
										_v16 = 0;
										goto L14;
									} else {
										_t101 = 0;
										goto L24;
									}
								} else {
									_t12 = _t92 + 2; // 0x2
									_t101 = _t12;
								}
							}
						}
					}
					L38:
					if(_t110 != 0) {
						_push(_t110);
						L6E025A9A();
						_t118 = _t118 + 4;
					}
					if(_t114 != 0) {
						E6E01B630(_t114);
						_t118 = _t118 + 4;
					}
					_t75 = _v20;
					if(_t75 != 0) {
						_push(_t75);
						L6E025A9A();
					}
					return _t101;
				} else {
					return 0xe2;
				}
			}

0x6e017299
0x6e01729b
0x6e0172a4
0x6e0172a6
0x6e0172ab
0x6e0172b9
0x6e0172ca
0x6e0172d6
0x6e0172e1
0x6e0172e6
0x6e0172e8
0x6e0172ed
0x6e0172f7
0x6e0173f5
0x6e0173f5
0x6e0173fa
0x6e0173ff
0x6e017401
0x6e017406
0x6e01752d
0x6e01752d
0x6e01752f
0x6e017530
0x6e017535
0x6e017538
0x6e01740c
0x6e01740c
0x6e017411
0x6e017412
0x6e017417
0x6e017419
0x6e01741e
0x00000000
0x6e017424
0x6e017424
0x6e017426
0x6e01742d
0x6e017431
0x6e017432
0x6e017437
0x6e01743a
0x6e01743f
0x00000000
0x6e017445
0x6e017449
0x6e017455
0x6e01745e
0x6e017461
0x6e01746d
0x6e01747b
0x6e017480
0x6e017485
0x00000000
0x6e01748b
0x6e01748f
0x6e01749b
0x6e0174a6
0x6e0174b2
0x6e0174b9
0x6e0174c0
0x6e0174c7
0x6e0174ce
0x6e0174d5
0x6e0174da
0x6e0174df
0x00000000
0x6e0174e1
0x6e0174e1
0x6e0174e6
0x6e0174ea
0x6e0174f0
0x6e0174f8
0x6e017500
0x6e017501
0x6e017501
0x6e017504
0x6e01750c
0x6e01750d
0x6e01750e
0x6e017513
0x6e017518
0x00000000
0x6e01751a
0x6e01751a
0x6e01751b
0x6e01751b
0x6e01751e
0x6e01751f
0x6e017521
0x6e017526
0x6e01752b
0x00000000
0x00000000
0x6e01752b
0x6e017518
0x6e0174df
0x6e017485
0x6e01743f
0x6e01741e
0x6e01753a
0x6e017540
0x6e017553
0x6e017558
0x6e01755d
0x6e017566
0x6e01756f
0x6e017570
0x6e017574
0x6e01757d
0x6e017580
0x6e01755f
0x6e01755f
0x6e01755f
0x6e017542
0x6e017542
0x6e017542
0x6e017542
0x6e0172fd
0x6e0172fd
0x6e017303
0x6e017305
0x6e017306
0x6e01730b
0x6e01730b
0x6e017310
0x6e017316
0x6e017373
0x6e017373
0x6e017375
0x6e01737a
0x6e01737d
0x6e017383
0x6e01738d
0x6e017392
0x6e017394
0x6e0173a0
0x6e0173a0
0x6e0173a1
0x6e0173a5
0x6e0173aa
0x6e0173af
0x00000000
0x00000000
0x6e0173b7
0x6e0173bc
0x6e0173c1
0x6e0173d2
0x00000000
0x00000000
0x6e0173c3
0x6e0173c3
0x6e0173c7
0x00000000
0x6e0173c9
0x6e0173c9
0x00000000
0x6e0173c9
0x6e0173c7
0x6e0173ed
0x6e0173ef
0x6e017584
0x00000000
0x00000000
0x00000000
0x00000000
0x6e0173ef
0x6e0173d4
0x6e0173d8
0x6e0173dd
0x6e0173e2
0x6e0173e5
0x6e0173e9
0x00000000
0x6e017385
0x6e017385
0x6e017385
0x6e017385
0x6e017318
0x6e017318
0x6e017319
0x6e01731e
0x6e017321
0x6e017327
0x6e017331
0x6e017333
0x6e017333
0x6e017336
0x6e017336
0x6e017338
0x6e017339
0x6e01733f
0x6e017342
0x6e01734c
0x6e017351
0x6e017356
0x6e01735f
0x6e017363
0x6e017368
0x6e01736b
0x6e01736f
0x00000000
0x6e017358
0x6e017358
0x00000000
0x6e017358
0x6e017329
0x6e017329
0x6e017329
0x6e017329
0x6e017327
0x6e017316
0x6e0172f7
0x6e017588
0x6e01758a
0x6e01758c
0x6e01758d
0x6e017592
0x6e017592
0x6e017597
0x6e01759a
0x6e01759f
0x6e01759f
0x6e0175a2
0x6e0175a8
0x6e0175aa
0x6e0175ab
0x6e0175b0
0x6e0175bc
0x6e0172ae
0x6e0172b7
0x6e0172b7

APIs

PORT_Free_Util.NSSUTIL3(?,?,?,?,?,?,?,?,?,?,?,?,?,6E0169AB,?,?), ref: 6E017306
PORT_Strdup_Util.NSSUTIL3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6E0169AB,?,?), ref: 6E017319
PORT_Free_Util.NSSUTIL3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6E0169AB,?,?), ref: 6E01758D
PORT_Free_Util.NSSUTIL3(?,?,?,?,?,?,?,?,?,?,?,?,?,6E0169AB,?,?), ref: 6E0175AB

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Free_$Strdup_
String ID:
API String ID: 398476677-0
Opcode ID: 9d942959bb4f5de2ebde98021be8b057bfa0ff25469dd843cf9b698a30d329f1
Instruction ID: 33f27fd146ee915a9dac66e6dc7b69c8be4b1f90aa87ef62c156a4a4c99d8df9
Opcode Fuzzy Hash: 9d942959bb4f5de2ebde98021be8b057bfa0ff25469dd843cf9b698a30d329f1
Instruction Fuzzy Hash: 3691B1B190C3029FD7118FD5C881B9BB6E9AF8A348F44092DFD899B241E771E6548B93

Uniqueness

Uniqueness Score: -1.00%

Function 6E011360 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 107filememoryCOMMON

Download Yara Rule

APIs

PR_smprintf.NSPR4(%s/%s,?,?,?,?,?,?,?,6E0110EC,?,?), ref: 6E0113B7
PR_OpenFile.NSPR4(00000000,00000001,00000000,6E0110EC,?,?), ref: 6E0113CE
PR_smprintf_free.NSPR4(00000000), ref: 6E0113D7
PORT_Alloc_Util.NSSUTIL3(?), ref: 6E011407
PR_Read.NSPR4(00000000,00000000,?), ref: 6E01141A
PORT_Free_Util.NSSUTIL3(?), ref: 6E011430
PR_SetError.NSPR4(FFFFE012,00000000,?,?,?,?,?,6E0110EC,?,?), ref: 6E011446
PR_GetError.NSPR4(?,?), ref: 6E01144B
PR_Close.NSPR4(00000000), ref: 6E011458
PR_SetError.NSPR4(00000000,00000000), ref: 6E011464
PR_Close.NSPR4(00000000), ref: 6E011473

Strings

%s/%s, xrefs: 6E0113B2

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Error$CloseUtil$Alloc_FileFree_OpenR_smprintfR_smprintf_freeRead
String ID: %s/%s
API String ID: 1378822935-2758257063
Opcode ID: 243850fa3748a9dbf067dad948d0b1687d0411c3a374a39b0c715be443f246f6
Instruction ID: 5e795d3d5bcda7b1cedddd149e68e94be1e6d1bdc7cb05293f2c8e944df7d40c
Opcode Fuzzy Hash: 243850fa3748a9dbf067dad948d0b1687d0411c3a374a39b0c715be443f246f6
Instruction Fuzzy Hash: AB314B719092625FEB148FE88C94BAA7BD9EF42645F044539FC55CF242E771C90887A3

Uniqueness

Uniqueness Score: -1.00%

Function 6E01F200 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E6E01F200(intOrPtr __eax, intOrPtr _a4) {
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				void* _t14;
				char _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				void* _t26;
				void* _t27;
				void* _t28;
				void* _t29;

				_push(0x800);
				L6E025ABE();
				_t19 = __eax;
				_t26 =  &_v24 + 4;
				if(__eax != 0) {
					_push(0x800);
					L6E025ABE();
					_t23 = __eax;
					_t27 = _t26 + 4;
					if(__eax != 0) {
						_push(0x10);
						_push(__eax);
						L6E025AD0();
						_t22 = __eax;
						_t28 = _t27 + 8;
						if(__eax != 0) {
							_push(9);
							_push(__eax);
							 *((intOrPtr*)(__eax + 0xc)) = __eax;
							 *((intOrPtr*)(__eax)) = 0;
							_v16 = 9;
							L6E025ACA();
							_t29 = _t28 + 8;
							_v20 = __eax;
							if(__eax == 0) {
								goto L6;
							} else {
								_t20 = "Version"; // 0x73726556
								 *((intOrPtr*)(__eax + 1)) = _t20;
								_t21 =  *0x6e035424; // 0x6e6f69
								 *((intOrPtr*)(__eax + 5)) = _t21;
								_t14 = E6E01D3D0(_a4, __eax,  &_v24,  &_v12, __eax);
								_t29 = _t29 + 0x14;
								if(_t14 != 0) {
									goto L6;
								} else {
									_push(_t14);
									L6E025AC4();
									E6E01CAD0(_t22);
									return  *((intOrPtr*)(_t22 + 4));
								}
							}
						} else {
							_push(0xffffe013);
							L6E025AB2();
							_t29 = _t28 + 4;
							L6:
							_push(0);
							L6E025AC4();
							_push(0);
							L6E025AC4();
							return 0;
						}
					} else {
						_push(0xffffe013);
						L6E025AB2();
						_push(__eax);
						_push(__eax);
						L6E025AC4();
						return 0;
					}
				} else {
					_push(0xffffe013);
					L6E025AB2();
					return 0;
				}
			}

0x6e01f206
0x6e01f20b
0x6e01f210
0x6e01f212
0x6e01f217
0x6e01f22f
0x6e01f234
0x6e01f239
0x6e01f23b
0x6e01f240
0x6e01f262
0x6e01f264
0x6e01f265
0x6e01f26a
0x6e01f26c
0x6e01f271
0x6e01f29f
0x6e01f2a1
0x6e01f2a2
0x6e01f2a5
0x6e01f2ab
0x6e01f2b3
0x6e01f2b8
0x6e01f2bb
0x6e01f2c1
0x00000000
0x6e01f2c3
0x6e01f2c3
0x6e01f2c9
0x6e01f2cc
0x6e01f2d2
0x6e01f2e5
0x6e01f2ea
0x6e01f2ef
0x00000000
0x6e01f2f1
0x6e01f2f1
0x6e01f2f3
0x6e01f2fc
0x6e01f30c
0x6e01f30c
0x6e01f2ef
0x6e01f273
0x6e01f273
0x6e01f278
0x6e01f27d
0x6e01f280
0x6e01f280
0x6e01f283
0x6e01f28b
0x6e01f28e
0x6e01f29e
0x6e01f29e
0x6e01f242
0x6e01f242
0x6e01f247
0x6e01f24f
0x6e01f250
0x6e01f251
0x6e01f261
0x6e01f261
0x6e01f219
0x6e01f219
0x6e01f21e
0x6e01f22e
0x6e01f22e

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,?,?,?,?,6E01F569,?), ref: 6E01F20B
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,6E01F569,?), ref: 6E01F21E
PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,?,?,6E01F569,?), ref: 6E01F234
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,6E01F569,?), ref: 6E01F247
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,?,?,6E01F569,?), ref: 6E01F251

Strings

Version, xrefs: 6E01F2C3

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_$Error_$Free
String ID: Version
API String ID: 1635372823-1889659487
Opcode ID: a14ed811821406213959a5c596d8da94c4487a3379cd3296617ce579eff6a815
Instruction ID: d214bd5e32a98abdd3d3addb451c71972ee0dfcba0233baa81b8fead3237459c
Opcode Fuzzy Hash: a14ed811821406213959a5c596d8da94c4487a3379cd3296617ce579eff6a815
Instruction Fuzzy Hash: CF21F9BAA442112AE31066E46C82BCB76DCDFA026AF540836ED098B345F779D11946F7

Uniqueness

Uniqueness Score: -1.00%

Function 6E013800 Relevance: 19.7, APIs: 13, Instructions: 157
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E6E013800(intOrPtr __eax) {
				void* _t30;
				signed int _t32;
				signed int _t33;
				intOrPtr _t37;
				intOrPtr _t40;
				signed int _t41;
				signed int _t42;
				intOrPtr _t44;
				void* _t46;
				void* _t47;
				void* _t48;

				_push(0x800);
				_t42 = _t41 | 0xffffffff;
				 *((intOrPtr*)(_t46 + 0xc)) = 0;
				L6E025ABE();
				_t40 = __eax;
				_t47 = _t46 + 4;
				if(__eax == 0) {
					L22:
					return _t42;
				}
				_push(0x38);
				_push(__eax);
				L6E025AD0();
				_push(0xc);
				_push(__eax);
				_t44 = __eax;
				L6E025AD0();
				_t48 = _t47 + 0x10;
				 *((intOrPtr*)(_t48 + 0x10)) = __eax;
				if(__eax == 0 || __eax == 0) {
					L21:
					_push(1);
					_push(_t40);
					L6E025AC4();
					goto L22;
				} else {
					_push(0);
					_t3 = _t44 + 4; // 0x4
					_t30 = _t3;
					_push(_t30);
					_push(__eax);
					L6E025AFA();
					_t48 = _t48 + 0xc;
					if(_t30 == 0) {
						goto L21;
					}
					_t37 =  *((intOrPtr*)(_t48 + 0x20));
					_t32 =  *((intOrPtr*)(_t37 + 4)) - 1;
					if(_t32 > 4) {
						L16:
						_push(0x6e035938);
						_push(_t44);
						_push( *((intOrPtr*)(_t48 + 0x1c)));
						_push(_t40);
						L6E025AF4();
						_t48 = _t48 + 0x10;
						if(_t32 != 0) {
							_push(_t48 + 0x10);
							_push(_t32);
							_push( *((intOrPtr*)(_t48 + 0x2c)));
							_push(_t40);
							_t33 = E6E019FE0();
							_t42 = _t33;
							_t48 = _t48 + 0x10;
							if(_t42 == 0) {
								_push( *((intOrPtr*)(_t48 + 0x10)));
								_push( *((intOrPtr*)(_t48 + 0x2c)));
								_push( *((intOrPtr*)(_t48 + 0x24)));
								L6E025AD6();
								_t48 = _t48 + 0xc;
								_t42 = _t33;
							}
							L20:
							goto L21;
						}
						L17:
						_t42 = _t42 | 0xffffffff;
						goto L20;
					}
					switch( *((intOrPtr*)(_t32 * 4 +  &M6E0139D8))) {
						case 0:
							E6E01B750(_t37);
							_push(0x6e0356d8);
							_push(_t37);
							_t8 = _t44 + 0x28; // 0x28
							_t35 = _t8;
							_push(_t35);
							_push(_t40);
							L6E025AF4();
							_t48 = _t48 + 0x14;
							if(_t35 == 0) {
								goto L17;
							}
							_push(0);
							_push(0x10);
							goto L15;
						case 1:
							__eax = E6E01B6A0(__ebx);
							_push(0x6e035838);
							_push(__ebx);
							_t9 = __ebp + 0x28; // 0x28
							__eax = _t9;
							_push(__eax);
							_push(__edi);
							L6E025AF4();
							__esp = __esp + 0x14;
							if(__eax == 0) {
								goto L17;
							}
							__esi = __ebx + 8;
							__eax = E6E01B730(__esi);
							_push(0x6e035688);
							_push(__esi);
							_push(0);
							_push(__edi);
							L6E025AF4();
							__esp = __esp + 0x14;
							if(__eax == 0) {
								goto L17;
							}
							_push(__eax);
							_push(0x7c);
							goto L15;
						case 2:
							goto L16;
						case 3:
							__eax = E6E01B670(__ebx);
							_push(0x6e035878);
							_push(__ebx);
							_t11 = __ebp + 0x28; // 0x28
							__eax = _t11;
							_push(__eax);
							_push(__edi);
							L6E025AF4();
							__esp = __esp + 0x14;
							if(__eax == 0) {
								goto L17;
							}
							_push(__eax);
							_push(0xae);
							goto L15;
						case 4:
							__eax = E6E01B6D0(__ebx);
							__esi =  *((intOrPtr*)(__ebx + 0x88));
							_t13 = __ebp + 0x28; // 0x28
							__eax = _t13;
							 *(__ebx + 0x94) =  *(__ebx + 0x94) << 3;
							_push(0x6e0358d8);
							_push(__ebx);
							_push(__eax);
							_push(__edi);
							 *((intOrPtr*)(__ebx + 0x88)) = 0;
							L6E025AF4();
							 *(__ebx + 0x94) =  *(__ebx + 0x94) >> 3;
							__esp = __esp + 0x14;
							if(__eax == 0) {
								goto L17;
							}
							__eax = __ebx + 0x70;
							_push(__ebx + 0x70);
							_push(0xc8);
							L15:
							_t21 = _t44 + 0x10; // 0x10
							_t32 = _t21;
							_push(_t32);
							_push(_t40);
							L6E025B0C();
							_t42 = _t32;
							_t48 = _t48 + 0x10;
							if(_t42 == 0xffffffff) {
								goto L20;
							}
							goto L16;
					}
				}
			}

0x6e013805
0x6e01380a
0x6e01380d
0x6e013815
0x6e01381a
0x6e01381c
0x6e013821
0x6e0139cf
0x6e0139d5
0x6e0139d5
0x6e013828
0x6e01382a
0x6e01382b
0x6e013830
0x6e013832
0x6e013833
0x6e013835
0x6e01383a
0x6e01383d
0x6e013843
0x6e0139c2
0x6e0139c2
0x6e0139c4
0x6e0139c5
0x00000000
0x6e013851
0x6e013851
0x6e013853
0x6e013853
0x6e013856
0x6e013857
0x6e013858
0x6e01385d
0x6e013862
0x00000000
0x00000000
0x6e013869
0x6e013870
0x6e013874
0x6e013976
0x6e013976
0x6e01397b
0x6e01397c
0x6e013980
0x6e013981
0x6e013986
0x6e01398b
0x6e013996
0x6e013997
0x6e013998
0x6e01399c
0x6e01399d
0x6e0139a2
0x6e0139a4
0x6e0139a9
0x6e0139ab
0x6e0139af
0x6e0139b3
0x6e0139b7
0x6e0139bc
0x6e0139bf
0x6e0139bf
0x6e0139c1
0x00000000
0x6e0139c1
0x6e01398d
0x6e01398d
0x00000000
0x6e01398d
0x6e01387a
0x00000000
0x6e013882
0x6e013887
0x6e01388c
0x6e01388d
0x6e01388d
0x6e013890
0x6e013891
0x6e013892
0x6e013897
0x6e01389c
0x00000000
0x00000000
0x6e0138a2
0x6e0138a4
0x00000000
0x00000000
0x6e0138ac
0x6e0138b1
0x6e0138b6
0x6e0138b7
0x6e0138b7
0x6e0138ba
0x6e0138bb
0x6e0138bc
0x6e0138c1
0x6e0138c6
0x00000000
0x00000000
0x6e0138cc
0x6e0138d0
0x6e0138d5
0x6e0138da
0x6e0138db
0x6e0138dd
0x6e0138de
0x6e0138e3
0x6e0138e8
0x00000000
0x00000000
0x6e0138ee
0x6e0138ef
0x00000000
0x00000000
0x00000000
0x00000000
0x6e0138f4
0x6e0138f9
0x6e0138fe
0x6e0138ff
0x6e0138ff
0x6e013902
0x6e013903
0x6e013904
0x6e013909
0x6e01390e
0x00000000
0x00000000
0x6e013910
0x6e013911
0x00000000
0x00000000
0x6e013919
0x6e01391e
0x6e013924
0x6e013924
0x6e013927
0x6e01392e
0x6e013933
0x6e013934
0x6e013935
0x6e013936
0x6e013940
0x6e013945
0x6e01394c
0x6e013957
0x00000000
0x00000000
0x6e013959
0x6e01395c
0x6e01395d
0x6e013962
0x6e013962
0x6e013962
0x6e013965
0x6e013966
0x6e013967
0x6e01396c
0x6e01396e
0x6e013974
0x00000000
0x00000000
0x00000000
0x00000000
0x6e01387a

APIs

PORT_NewArena_Util.NSSUTIL3 ref: 6E013815
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000038,?,?,?,00000018), ref: 6E01382B
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,0000000C,00000000,00000038,?,?,?,00000018), ref: 6E013835
SEC_ASN1EncodeInteger_Util.NSSUTIL3(00000000,00000004,00000000,?,?,?,?,?,?,00000018), ref: 6E013858
SEC_ASN1EncodeItem_Util.NSSUTIL3(00000000,00000028,?,6E0356D8,?,00000000,?,?,?,?,?,?,?,?,?,00000018), ref: 6E013892
SEC_ASN1EncodeItem_Util.NSSUTIL3(00000000,00000028,?,6E035838,?), ref: 6E0138BC
SEC_ASN1EncodeItem_Util.NSSUTIL3(00000000,00000000,?,6E035688,?), ref: 6E0138DE
SEC_ASN1EncodeItem_Util.NSSUTIL3(00000000,00000028,?,6E035878,?), ref: 6E013904
SEC_ASN1EncodeItem_Util.NSSUTIL3(00000000,00000028,?,6E0358D8,?,000000AE,00000000), ref: 6E013940
SECOID_SetAlgorithmID_Util.NSSUTIL3(00000000,00000010,00000010,00000000,?,?,?,?,00000000), ref: 6E013967
SEC_ASN1EncodeItem_Util.NSSUTIL3(00000000,?,00000000,6E035938,00000000,?,?,?,?,?,?,?,?,?,00000018), ref: 6E013981
SECITEM_CopyItem_Util.NSSUTIL3(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E0139B7
PORT_FreeArena_Util.NSSUTIL3(00000000,00000001,?,?,?,?,?,?,00000018), ref: 6E0139C5

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$EncodeItem_$Alloc_ArenaArena_$AlgorithmCopyFreeInteger_
String ID:
API String ID: 1424342863-0
Opcode ID: be7ff2e0ce1f499175bd39b4604ccb8f76574c37bf98b2a93e073e20b74ff359
Instruction ID: a8efe84609e01e3ca2b101cc9c5e1957d9e30715c567b49b3542a3bcbd1048ae
Opcode Fuzzy Hash: be7ff2e0ce1f499175bd39b4604ccb8f76574c37bf98b2a93e073e20b74ff359
Instruction Fuzzy Hash: 574127B15082057FE7009AE48C82FFF32ECAB59698F450978FD18AF185E779C50487B6

Uniqueness

Uniqueness Score: -1.00%

Function 6E030BD2 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E6E030BD2(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x6e03d838) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E6E02C4BF(_t46);
							E6E030F0D( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E6E02C4BF(_t47);
							E6E03100B( *((intOrPtr*)(_t74 + 0x88)));
						}
						E6E02C4BF( *((intOrPtr*)(_t74 + 0x7c)));
						E6E02C4BF( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E6E02C4BF( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E6E02C4BF( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E6E02C4BF( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E6E02C4BF( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E6E030D45( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x6e03d2d0) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E6E02C4BF(_t31);
							E6E02C4BF( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E6E02C4BF(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E6E02C4BF(_t74);
			}

0x6e030bda
0x6e030bde
0x6e030be6
0x6e030bef
0x6e030bf4
0x6e030bfb
0x6e030c03
0x6e030c0b
0x6e030c16
0x6e030c1c
0x6e030c1d
0x6e030c25
0x6e030c2d
0x6e030c38
0x6e030c3e
0x6e030c42
0x6e030c4d
0x6e030c53
0x6e030bf4
0x6e030c54
0x6e030c5c
0x6e030c6f
0x6e030c82
0x6e030c90
0x6e030c9b
0x6e030ca0
0x6e030ca9
0x6e030cb1
0x6e030cb2
0x6e030cb8
0x6e030cbb
0x6e030cbe
0x6e030cc5
0x6e030cc7
0x6e030ccb
0x6e030cd3
0x6e030cda
0x6e030ce0
0x6e030ce1
0x6e030ce1
0x6e030ce8
0x6e030cea
0x6e030cef
0x6e030cf7
0x6e030cfc
0x6e030cfd
0x6e030cfd
0x6e030d00
0x6e030d03
0x6e030d06
0x6e030d09
0x6e030d09
0x6e030d1b

APIs

___free_lconv_mon.LIBCMT ref: 6E030C16

Part of subcall function 6E030F0D: _free.LIBCMT ref: 6E030F2A
Part of subcall function 6E030F0D: _free.LIBCMT ref: 6E030F3C
Part of subcall function 6E030F0D: _free.LIBCMT ref: 6E030F4E
Part of subcall function 6E030F0D: _free.LIBCMT ref: 6E030F60
Part of subcall function 6E030F0D: _free.LIBCMT ref: 6E030F72
Part of subcall function 6E030F0D: _free.LIBCMT ref: 6E030F84
Part of subcall function 6E030F0D: _free.LIBCMT ref: 6E030F96
Part of subcall function 6E030F0D: _free.LIBCMT ref: 6E030FA8
Part of subcall function 6E030F0D: _free.LIBCMT ref: 6E030FBA
Part of subcall function 6E030F0D: _free.LIBCMT ref: 6E030FCC
Part of subcall function 6E030F0D: _free.LIBCMT ref: 6E030FDE
Part of subcall function 6E030F0D: _free.LIBCMT ref: 6E030FF0
Part of subcall function 6E030F0D: _free.LIBCMT ref: 6E031002

_free.LIBCMT ref: 6E030C0B

Part of subcall function 6E02C4BF: HeapFree.KERNEL32(00000000,00000000,?,6E03109E,?,00000000,?,00000000,?,6E0310C5,?,00000007,?,?,6E030D6A,?), ref: 6E02C4D5
Part of subcall function 6E02C4BF: GetLastError.KERNEL32(?,?,6E03109E,?,00000000,?,00000000,?,6E0310C5,?,00000007,?,?,6E030D6A,?,?), ref: 6E02C4E7

_free.LIBCMT ref: 6E030C2D
_free.LIBCMT ref: 6E030C42
_free.LIBCMT ref: 6E030C4D
_free.LIBCMT ref: 6E030C6F
_free.LIBCMT ref: 6E030C82
_free.LIBCMT ref: 6E030C90
_free.LIBCMT ref: 6E030C9B
_free.LIBCMT ref: 6E030CD3
_free.LIBCMT ref: 6E030CDA
_free.LIBCMT ref: 6E030CF7
_free.LIBCMT ref: 6E030D0F

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 1fe454ee1498bd9431e5c63f1a0c07f5863d2e110dfb486f07ed56169b257f23
Instruction ID: a4eb4e4f069673cf95bb814e5b89fb5e8f7b5c45ceb71bf210c3e6a0dc73d788
Opcode Fuzzy Hash: 1fe454ee1498bd9431e5c63f1a0c07f5863d2e110dfb486f07ed56169b257f23
Instruction Fuzzy Hash: 71316435A197169FEB509BB9D840B9B73E9EF00358F20492AE958DB150EF35E840CB10

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDE646 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6DFDE68A

Part of subcall function 6DFDEA5E: _free.LIBCMT ref: 6DFDEA7B
Part of subcall function 6DFDEA5E: _free.LIBCMT ref: 6DFDEA8D
Part of subcall function 6DFDEA5E: _free.LIBCMT ref: 6DFDEA9F
Part of subcall function 6DFDEA5E: _free.LIBCMT ref: 6DFDEAB1
Part of subcall function 6DFDEA5E: _free.LIBCMT ref: 6DFDEAC3
Part of subcall function 6DFDEA5E: _free.LIBCMT ref: 6DFDEAD5
Part of subcall function 6DFDEA5E: _free.LIBCMT ref: 6DFDEAE7
Part of subcall function 6DFDEA5E: _free.LIBCMT ref: 6DFDEAF9
Part of subcall function 6DFDEA5E: _free.LIBCMT ref: 6DFDEB0B
Part of subcall function 6DFDEA5E: _free.LIBCMT ref: 6DFDEB1D
Part of subcall function 6DFDEA5E: _free.LIBCMT ref: 6DFDEB2F
Part of subcall function 6DFDEA5E: _free.LIBCMT ref: 6DFDEB41
Part of subcall function 6DFDEA5E: _free.LIBCMT ref: 6DFDEB53

_free.LIBCMT ref: 6DFDE67F

Part of subcall function 6DFDB7C7: HeapFree.KERNEL32(00000000,00000000,?,6DFDEBEF,?,00000000,?,00000000,?,6DFDEC16,?,00000007,?,?,6DFDE7DE,?), ref: 6DFDB7DD
Part of subcall function 6DFDB7C7: GetLastError.KERNEL32(?,?,6DFDEBEF,?,00000000,?,00000000,?,6DFDEC16,?,00000007,?,?,6DFDE7DE,?,?), ref: 6DFDB7EF

_free.LIBCMT ref: 6DFDE6A1
_free.LIBCMT ref: 6DFDE6B6
_free.LIBCMT ref: 6DFDE6C1
_free.LIBCMT ref: 6DFDE6E3
_free.LIBCMT ref: 6DFDE6F6
_free.LIBCMT ref: 6DFDE704
_free.LIBCMT ref: 6DFDE70F
_free.LIBCMT ref: 6DFDE747
_free.LIBCMT ref: 6DFDE74E
_free.LIBCMT ref: 6DFDE76B
_free.LIBCMT ref: 6DFDE783

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 64f0c53631862bf5a7180a26cf96fbacfae172f601e4c537ceed61625bc3de2e
Instruction ID: e58d8e0a196d14369a3613208c91ad38eb9a69726230bc24655b5dc5a0efcc27
Opcode Fuzzy Hash: 64f0c53631862bf5a7180a26cf96fbacfae172f601e4c537ceed61625bc3de2e
Instruction Fuzzy Hash: A0313F316087029FEBA19E3DEC84B6AB7F8AF01714F194859E5A8D71A0DF31BC50CB20

Uniqueness

Uniqueness Score: -1.00%

Function 6E019140 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 200
memoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E6E019140() {
				signed char _t41;
				signed char _t50;
				signed char _t51;
				signed char _t53;
				signed char _t58;
				signed int _t59;
				signed char _t62;
				signed char _t64;
				signed char _t67;
				signed char _t68;
				signed char _t72;
				signed char _t76;
				signed char _t79;
				signed char _t80;
				signed char _t84;
				signed char _t86;
				signed char _t88;
				void* _t89;
				void* _t91;
				void* _t92;

				_t67 =  *(_t89 + 0x2c);
				 *((char*)(_t89 + 3)) = 0x56;
				_t41 = _t67 & 0x00000007;
				_t76 = 0;
				 *(_t89 + 0x14) = 0 | _t41 == 0x00000001;
				if((_t67 & 0x00000010) == 0) {
					L3:
					L6E025B36();
					__eflags = _t41;
					if(_t41 != 0) {
						goto L2;
					} else {
						E6E01F310();
						_t64 =  *(_t89 + 0x44);
						__eflags = _t64;
						if(_t64 != 0) {
							 *_t64 = _t76;
						}
						_t72 =  *(_t89 + 0x40);
						_t68 =  *(_t89 + 0x28);
						__eflags = _t72;
						if(_t72 == 0) {
							L30:
							__eflags = _t64;
							if(_t64 == 0) {
								goto L21;
							} else {
								_t79 =  *(_t89 + 0x30);
								 *(_t89 + 0x1c) = 0;
								__eflags = _t79;
								if(__eflags == 0) {
									_t79 = 0x6e035400;
								}
								_t50 = E6E019530(__eflags, _t68, _t89 + 0x1c);
								__imp__PR_smprintf("%s/%s", _t50, _t79);
								_t89 = _t89 + 0x14;
								 *(_t89 + 0x18) = _t50;
								__eflags = _t50;
								if(_t50 != 0) {
									_t80 =  *(_t89 + 0x28);
									_t51 = E6E012630( *(_t89 + 0x30), _t80, _t79, E6E0197A0, _t50);
									_t84 = _t51;
									__imp__PR_smprintf_free( *(_t89 + 0x2c));
									_t89 = _t89 + 0x18;
									__eflags = _t80;
									if(_t80 != 0) {
										_push(_t80);
										L6E025A9A();
										_t89 = _t89 + 4;
									}
									__eflags = _t84;
									if(_t84 != 0) {
										_t76 = E6E019650(_t51, _t64,  *(_t89 + 0x44), 0, _t84);
										_t91 = _t89 + 0x10;
										__eflags = _t76;
										if(_t76 == 0) {
											__eflags = _t72;
											if(_t72 == 0) {
												goto L28;
											} else {
												_t53 =  *_t72;
												__eflags = _t53;
												if(_t53 == 0) {
													goto L28;
												} else {
													 *( *_t53 + 4) = _t84;
													return _t76;
												}
											}
										} else {
											E6E011F50(_t84);
											goto L20;
										}
									} else {
										_t76 = 0xce534352;
										goto L22;
									}
								} else {
									_t34 = _t50 + 2; // 0x2
									_t76 = _t34;
									goto L22;
								}
							}
						} else {
							_t86 =  *(_t89 + 0x2c);
							 *_t72 = _t76;
							 *(_t89 + 0x1c) = _t76;
							_t76 = 0xce534351;
							 *(_t89 + 0x14) = 0;
							__eflags = _t86;
							if(__eflags == 0) {
								 *(_t89 + 0x2c) = 0x6e035400;
								_t86 =  *(_t89 + 0x2c);
							}
							_t58 = E6E019530(__eflags, _t68, _t89 + 0x14);
							__imp__PR_smprintf("%s/%s", _t58, _t86);
							_t89 = _t89 + 0x14;
							 *(_t89 + 0x18) = _t58;
							__eflags = _t58;
							_t59 =  *(_t89 + 0x14);
							if(_t58 != 0) {
								_push(0x10);
								L6E025A94();
								_t88 = _t59;
								_t92 = _t89 + 4;
								__eflags = _t88;
								if(_t88 != 0) {
									_push(0);
									 *((intOrPtr*)(_t88 + 0xc)) = 1;
									_t62 = E6E01F3F0(_t59, _t88,  *((intOrPtr*)(_t92 + 0x34)),  *((intOrPtr*)(_t92 + 0x24)),  *((intOrPtr*)(_t92 + 0x38)), E6E0195B0,  *(_t92 + 0x1c));
									_t92 = _t92 + 0x1c;
									__eflags = _t62;
									if(_t62 != 0) {
										__imp__PR_Free(_t88);
										_t92 = _t92 + 4;
									} else {
										_t76 = 0;
										 *(_t92 + 0x1c) = _t88;
									}
								}
								__imp__PR_smprintf_free( *(_t92 + 0x18));
								_t59 =  *(_t92 + 0x18);
								_t89 = _t92 + 4;
							}
							__eflags = _t59;
							if(_t59 != 0) {
								_push(_t59);
								L6E025A9A();
								_t89 = _t89 + 4;
							}
							__eflags = _t76;
							if(_t76 != 0) {
								L22:
								__eflags = _t64;
								if(_t64 != 0) {
									_t47 =  *_t64;
									__eflags =  *_t64;
									if(__eflags != 0) {
										E6E019440(__eflags, _t47);
										_t89 = _t89 + 4;
										 *_t64 = 0;
									}
								}
								__eflags = _t72;
								if(_t72 != 0) {
									_t45 =  *_t72;
									__eflags =  *_t72;
									if(__eflags != 0) {
										E6E019440(__eflags, _t45);
										 *_t72 = 0;
									}
								}
								goto L28;
							} else {
								_t87 =  *(_t89 + 0x1c);
								_t76 = E6E019650(_t59, _t72,  *(_t89 + 0x44),  *(_t89 + 0x1c), _t76);
								_t89 = _t89 + 0x10;
								__eflags = _t76;
								if(_t76 == 0) {
									_t68 =  *(_t89 + 0x28);
									goto L30;
								} else {
									E6E01E790(_t87);
									L20:
									_t89 = _t91 + 4;
									L21:
									__eflags = _t76;
									if(_t76 != 0) {
										goto L22;
									}
									L28:
									return _t76;
								}
							}
						}
					}
				} else {
					_t41 = E6E019050();
					if(_t41 != 0) {
						goto L3;
					} else {
						L2:
						return 0x30;
					}
				}
			}

0x6e019143
0x6e01914b
0x6e019150
0x6e019153
0x6e01915a
0x6e019161
0x6e019176
0x6e019176
0x6e01917b
0x6e01917d
0x00000000
0x6e01917f
0x6e019182
0x6e019187
0x6e01918b
0x6e01918d
0x6e01918f
0x6e01918f
0x6e019191
0x6e019195
0x6e019199
0x6e01919b
0x6e0192c4
0x6e0192c4
0x6e0192c6
0x00000000
0x6e0192c8
0x6e0192c8
0x6e0192cc
0x6e0192d4
0x6e0192d6
0x6e0192d8
0x6e0192d8
0x6e0192e3
0x6e0192ef
0x6e0192f5
0x6e0192f8
0x6e0192fc
0x6e0192fe
0x6e01930f
0x6e019318
0x6e019321
0x6e019323
0x6e019329
0x6e01932c
0x6e01932e
0x6e019330
0x6e019331
0x6e019336
0x6e019336
0x6e019339
0x6e01933b
0x6e019354
0x6e019356
0x6e019359
0x6e01935b
0x6e019368
0x6e01936a
0x00000000
0x6e019370
0x6e019370
0x6e019372
0x6e019374
0x00000000
0x6e01937a
0x6e01937d
0x6e019388
0x6e019388
0x6e019374
0x6e01935d
0x6e01935e
0x00000000
0x6e01935e
0x6e01933d
0x6e01933d
0x00000000
0x6e01933d
0x6e019300
0x6e019300
0x6e019300
0x00000000
0x6e019300
0x6e0192fe
0x6e0191a1
0x6e0191a1
0x6e0191a5
0x6e0191a7
0x6e0191ab
0x6e0191b0
0x6e0191b8
0x6e0191ba
0x6e0191bc
0x6e0191c4
0x6e0191c4
0x6e0191ce
0x6e0191da
0x6e0191e0
0x6e0191e3
0x6e0191e7
0x6e0191e9
0x6e0191ed
0x6e0191ef
0x6e0191f1
0x6e0191f6
0x6e0191f8
0x6e0191fb
0x6e0191fd
0x6e0191ff
0x6e019205
0x6e01921e
0x6e019223
0x6e019226
0x6e019228
0x6e019233
0x6e019239
0x6e01922a
0x6e01922a
0x6e01922c
0x6e01922c
0x6e019228
0x6e019240
0x6e019246
0x6e01924a
0x6e01924a
0x6e01924d
0x6e01924f
0x6e019251
0x6e019252
0x6e019257
0x6e019257
0x6e01925a
0x6e01925c
0x6e019284
0x6e019284
0x6e019286
0x6e019288
0x6e01928a
0x6e01928c
0x6e01928f
0x6e019294
0x6e019297
0x6e019297
0x6e01928c
0x6e01929d
0x6e01929f
0x6e0192a1
0x6e0192a3
0x6e0192a5
0x6e0192a8
0x6e0192b0
0x6e0192b0
0x6e0192a5
0x00000000
0x6e01925e
0x6e01925e
0x6e01926e
0x6e019270
0x6e019273
0x6e019275
0x6e0192c0
0x00000000
0x6e019277
0x6e019278
0x6e01927d
0x6e01927d
0x6e019280
0x6e019280
0x6e019282
0x00000000
0x00000000
0x6e0192b6
0x6e0192bf
0x6e0192bf
0x6e019275
0x6e01925c
0x6e01919b
0x6e019163
0x6e019163
0x6e01916a
0x00000000
0x6e01916c
0x6e01916c
0x6e019175
0x6e019175
0x6e01916a

APIs

SECOID_Init.NSSUTIL3 ref: 6E019176
PR_smprintf.NSPR4(%s/%s,00000000,?,?,00000000), ref: 6E0191DA
PORT_ZAlloc_Util.NSSUTIL3(00000010), ref: 6E0191F1
PR_Free.NSPR4(00000000), ref: 6E019233
PR_smprintf_free.NSPR4(?), ref: 6E019240
PORT_Free_Util.NSSUTIL3(?), ref: 6E019252

Strings

V, xrefs: 6E01914B
%s/%s, xrefs: 6E0191D5, 6E0192EA

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Alloc_FreeFree_InitR_smprintfR_smprintf_free
String ID: %s/%s$V
API String ID: 1650368121-2088080029
Opcode ID: 734376ceaee1c1e60e834e32f27218c768609d165e06e9e94826aaad588f88ef
Instruction ID: 23f468278a501c1bade94e371f500a53b3df1958c1bf14ca248ff4cad40f584f
Opcode Fuzzy Hash: 734376ceaee1c1e60e834e32f27218c768609d165e06e9e94826aaad588f88ef
Instruction Fuzzy Hash: 0E51BE7190C3125BE7509FE98840BDBB7E8AF95688F800828FD59AF211E735D914CB93

Uniqueness

Uniqueness Score: -1.00%

Function 6DFAED80 Relevance: 18.5, APIs: 12, Instructions: 491memoryCOMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE003,?,?,00000000,?), ref: 6DFAEE30
PORT_Free_Util.NSSUTIL3(00000000,?,?,?,?,?,?,?,?), ref: 6DFAEE91
PORT_ZFree_Util.NSSUTIL3(00000000,?,?,?,?,?,?,?,?,?), ref: 6DFAEEA2
PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,?,?,?), ref: 6DFAEED2
PORT_Alloc_Util.NSSUTIL3(00000000,?), ref: 6DFAF091
PORT_SetError_Util.NSSUTIL3(FFFFE03F), ref: 6DFAF12C
PORT_Alloc_Util.NSSUTIL3(?), ref: 6DFAF19C
PORT_SetError_Util.NSSUTIL3(FFFFE03F), ref: 6DFAF1C6
PORT_SetError_Util.NSSUTIL3(FFFFE03F), ref: 6DFAF2E6
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,?), ref: 6DFAF365
PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?,?,?,?,?), ref: 6DFAF380
PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,?,?,?), ref: 6DFAF39B

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Alloc_Free_
String ID:
API String ID: 3186423673-0
Opcode ID: e938ce7b0093fb63fe3c1d421c294a26b2a4738de13d8445804aad713989b659
Instruction ID: 5a51742b6bafdf9e501cbc5916d8608fefb6c6f8672548b8e6c8010b2a0b296b
Opcode Fuzzy Hash: e938ce7b0093fb63fe3c1d421c294a26b2a4738de13d8445804aad713989b659
Instruction Fuzzy Hash: 50F193B39087069BC710CBA8DC80E8B73EDAF94254F1A092AFE58C3240FB75D9598753

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB4920 Relevance: 18.2, APIs: 12, Instructions: 238memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSSUTIL3(00000800), ref: 6DFB4957
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,?,?,?,?,6DFB412C,?,?,?), ref: 6DFB496A
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000040,?,?,?,?,?,?,?,?,?,?,?,?,6DFB412C,?), ref: 6DFB497F
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,?,?,?,?,?,?,6DFB412C,?), ref: 6DFB4992
PORT_FreeArena_Util.NSSUTIL3(00000000,00000001,FFFFE013,?,?), ref: 6DFB499A
PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,?,?,?,?,?,?,6DFB412C,?,?,?), ref: 6DFB4BC9

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Arena_$Alloc_ArenaFree
String ID:
API String ID: 1144393034-0
Opcode ID: 326b92214838279f06b5cec79b9edfe3be8f60fc9c05fb9bb977d48f2c249081
Instruction ID: a1c35ed90cd4417fa926aadf699e8ac2471dd2b5cad64f5852bf18df04eaaf76
Opcode Fuzzy Hash: 326b92214838279f06b5cec79b9edfe3be8f60fc9c05fb9bb977d48f2c249081
Instruction Fuzzy Hash: 4771F7B2C082156BC701CAA9DD40F9B77DCAF44368F054625FF5897240E779DE288BD2

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA3D00 Relevance: 17.9, APIs: 4, Strings: 6, Instructions: 405COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6DFA417C
PORT_FreeArena_Util.NSSUTIL3(?,00000001,?,?,?,Random DSA Signature), ref: 6DFA424F
PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6DFA4260

Strings

(, xrefs: 6DFA41DC
The test message for the MD2, MD5, and SHA-1 hashing algorithms., xrefs: 6DFA3D29, 6DFA3D6B, 6DFA3DAB, 6DFA3DEB, 6DFA3E2B, 6DFA3F0B, 6DFA3F59, 6DFA3F9F, 6DFA3FE9, 6DFA402F
Firefox and ThunderBird are awesome!, xrefs: 6DFA3F16, 6DFA3F64, 6DFA3FAA, 6DFA3FF4, 6DFA403A
Mozilla Rules World!, xrefs: 6DFA413A
Random DSA Signature, xrefs: 6DFA41D2
(, xrefs: 6DFA4202

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Arena_Free
String ID: ($($Firefox and ThunderBird are awesome!$Mozilla Rules World!$Random DSA Signature$The test message for the MD2, MD5, and SHA-1 hashing algorithms.
API String ID: 3466411518-1629320347
Opcode ID: 1348c0e7ccc90b77b6030bb0737b94a036d587ba779432d29df858bd1e22bac0
Instruction ID: dacb8e1679922a9ce9e4a2a99f59bb2c320559f82217db26f00353c3046e6042
Opcode Fuzzy Hash: 1348c0e7ccc90b77b6030bb0737b94a036d587ba779432d29df858bd1e22bac0
Instruction Fuzzy Hash: 44E1CC76909205EBE300CA6CDD44F6A77F8BB59318F894428EE19A7385FB31F9048A43

Uniqueness

Uniqueness Score: -1.00%

Function 6E01D8A0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E6E01D8A0() {
				void* __esi;
				intOrPtr _t46;
				signed int _t48;
				intOrPtr _t51;
				void* _t53;
				intOrPtr* _t57;
				signed int _t59;
				intOrPtr _t61;
				void* _t63;
				void* _t65;
				signed int _t69;
				signed int _t70;
				intOrPtr _t71;
				signed char* _t77;
				signed int* _t79;
				intOrPtr _t81;
				intOrPtr* _t86;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t91;
				intOrPtr* _t93;
				intOrPtr* _t97;
				signed int _t102;
				void* _t104;
				void* _t105;
				void* _t107;
				void* _t108;
				void* _t109;
				void* _t110;

				_t46 =  *((intOrPtr*)(_t104 + 0x28));
				_t48 =  *((intOrPtr*)( *((intOrPtr*)(_t46 + 0x14))))(_t46, _t104 + 0x14, _t104 + 4, 3);
				_t105 = _t104 + 0x10;
				if(_t48 == 0) {
					do {
						_t81 =  *((intOrPtr*)(_t105 + 0x18));
						if(_t81 != 1) {
							_t77 =  *(_t105 + 0x14);
							if(_t81 >= 7) {
								_t102 = (_t77[3] & 0x000000ff) << 0x00000008 | _t77[4] & 0x000000ff;
								_t89 = (_t77[5] & 0x000000ff) << 0x00000008 | _t77[6] & 0x000000ff;
								 *(_t105 + 0x10) = _t89;
								_t57 = _t102 + 7 + _t89;
								if(_t57 == _t81) {
									_push(0x800);
									L6E025ABE();
									_t93 = _t57;
									_t107 = _t105 + 4;
									if(_t93 != 0) {
										_push(0x8f8);
										_push(_t93);
										L6E025ACA();
										_t97 = _t57;
										_t108 = _t107 + 8;
										if(_t97 == 0) {
											L28:
											_push(0);
											_push(_t93);
											L6E025AC4();
											_push(0xffffe013);
											L6E025AB2();
											_t105 = _t108 + 0xc;
										} else {
											 *((intOrPtr*)(_t97 + 0xc)) = _t93;
											 *((intOrPtr*)(_t97 + 4)) = 8;
											 *_t97 = 1;
											 *((intOrPtr*)(_t97 + 8)) = 0;
											 *(_t97 + 0x14) =  *_t77 & 0x000000ff;
											 *(_t97 + 0x18) = _t77[1] & 0x000000ff;
											_t59 = _t77[2] & 0x000000ff;
											_push(_t102);
											_push(_t93);
											 *(_t97 + 0x1c) = _t59;
											L6E025ACA();
											_t108 = _t108 + 8;
											 *(_t97 + 0x24) = _t59;
											if(_t59 == 0) {
												goto L28;
											} else {
												 *(_t97 + 0x28) = _t102;
												E6E0267A0(_t59,  &(_t77[7]), _t102);
												_t61 =  *((intOrPtr*)(_t108 + 0x1c));
												_t109 = _t108 + 0xc;
												if(_t61 == 0) {
													 *((intOrPtr*)(_t97 + 0x2c)) = 0;
													_t33 = _t97 + 0x14; // 0x14
													_t79 = _t33;
													goto L24;
												} else {
													_push(_t61);
													_push(_t93);
													L6E025ACA();
													_t108 = _t109 + 8;
													 *((intOrPtr*)(_t97 + 0x2c)) = _t61;
													if(_t61 == 0) {
														goto L28;
													} else {
														E6E0267A0(_t61,  &(( &(_t77[7]))[_t102]),  *((intOrPtr*)(_t108 + 0x10)));
														_t86 =  *((intOrPtr*)(_t97 + 0x2c));
														_t109 = _t108 + 0xc;
														_t69 = "Server-Cert";
														while(1) {
															_t90 =  *_t86;
															if(_t90 !=  *_t69) {
																break;
															}
															if(_t90 == 0) {
																L19:
																_t70 = 0;
															} else {
																_t91 =  *((intOrPtr*)(_t86 + 1));
																if(_t91 !=  *((intOrPtr*)(_t69 + 1))) {
																	break;
																} else {
																	_t86 = _t86 + 2;
																	_t69 = _t69 + 2;
																	if(_t91 != 0) {
																		continue;
																	} else {
																		goto L19;
																	}
																}
															}
															L21:
															_t31 = _t97 + 0x14; // 0x14
															_t79 = _t31;
															if(_t70 == 0) {
																 *_t79 =  *_t79 | 0x00000040;
															}
															L24:
															_push( *((intOrPtr*)(_t97 + 0x2c)));
															_t35 = _t97 + 0x20; // 0x20
															_t63 = E6E01A000();
															_t95 = _t63;
															_t110 = _t109 + 8;
															if(_t63 != 0) {
																_t65 = E6E01B790( *((intOrPtr*)(_t110 + 0x34)), _t95,  *((intOrPtr*)(_t97 + 0x2c)), _t79);
																_t80 = _t65;
																E6E01C990(_t97, _t95, 1);
																_t110 = _t110 + 0x18;
																if(_t65 != 0) {
																	E6E01CAD0(_t80);
																	_t110 = _t110 + 4;
																}
															}
															E6E01CAD0(_t97);
															_t105 = _t110 + 4;
															goto L29;
														}
														asm("sbb eax, eax");
														_t70 = _t69 | 0x00000001;
														goto L21;
													}
												}
											}
										}
									} else {
										_push(0xffffe013);
										L6E025AB2();
										_t105 = _t107 + 4;
									}
								} else {
									_push(0xffffe012);
									L6E025AB2();
									_t105 = _t105 + 4;
								}
							} else {
								_push(0xffffe012);
								L6E025AB2();
								_t105 = _t105 + 4;
							}
						}
						L29:
						_t51 =  *((intOrPtr*)(_t105 + 0x38));
						_t53 =  *((intOrPtr*)( *((intOrPtr*)(_t51 + 0x14))))(_t51, _t105 + 0x24, _t105 + 0x18, 7);
						_t105 = _t105 + 0x10;
					} while (_t53 == 0);
					_t71 =  *((intOrPtr*)(_t105 + 0x2c));
					 *((intOrPtr*)( *((intOrPtr*)(_t71 + 4))))(_t71);
					return 0;
				} else {
					return _t48 | 0xffffffff;
				}
			}

0x6e01d8af
0x6e01d8b7
0x6e01d8b9
0x6e01d8be
0x6e01d8d0
0x6e01d8d0
0x6e01d8d7
0x6e01d8dd
0x6e01d8e4
0x6e01d907
0x6e01d910
0x6e01d912
0x6e01d919
0x6e01d91d
0x6e01d931
0x6e01d936
0x6e01d93b
0x6e01d93d
0x6e01d942
0x6e01d956
0x6e01d95b
0x6e01d95c
0x6e01d961
0x6e01d963
0x6e01d968
0x6e01da7a
0x6e01da7a
0x6e01da7c
0x6e01da7d
0x6e01da82
0x6e01da87
0x6e01da8c
0x6e01d96e
0x6e01d96e
0x6e01d971
0x6e01d978
0x6e01d97e
0x6e01d988
0x6e01d98f
0x6e01d992
0x6e01d996
0x6e01d997
0x6e01d998
0x6e01d99b
0x6e01d9a0
0x6e01d9a3
0x6e01d9a8
0x00000000
0x6e01d9ae
0x6e01d9b2
0x6e01d9b7
0x6e01d9bc
0x6e01d9c0
0x6e01d9c5
0x6e01da28
0x6e01da2f
0x6e01da2f
0x00000000
0x6e01d9c7
0x6e01d9c7
0x6e01d9c8
0x6e01d9c9
0x6e01d9ce
0x6e01d9d1
0x6e01d9d6
0x00000000
0x6e01d9dc
0x6e01d9e7
0x6e01d9ec
0x6e01d9ef
0x6e01d9f2
0x6e01d9f7
0x6e01d9f7
0x6e01d9fb
0x00000000
0x00000000
0x6e01d9ff
0x6e01da13
0x6e01da13
0x6e01da01
0x6e01da01
0x6e01da07
0x00000000
0x6e01da09
0x6e01da09
0x6e01da0c
0x6e01da11
0x00000000
0x00000000
0x00000000
0x00000000
0x6e01da11
0x6e01da07
0x6e01da1c
0x6e01da1c
0x6e01da1c
0x6e01da21
0x6e01da23
0x6e01da23
0x6e01da32
0x6e01da32
0x6e01da35
0x6e01da39
0x6e01da3e
0x6e01da40
0x6e01da45
0x6e01da50
0x6e01da58
0x6e01da5a
0x6e01da5f
0x6e01da64
0x6e01da67
0x6e01da6c
0x6e01da6c
0x6e01da64
0x6e01da70
0x6e01da75
0x00000000
0x6e01da75
0x6e01da17
0x6e01da19
0x00000000
0x6e01da19
0x6e01d9d6
0x6e01d9c5
0x6e01d9a8
0x6e01d944
0x6e01d944
0x6e01d949
0x6e01d94e
0x6e01d94e
0x6e01d91f
0x6e01d91f
0x6e01d924
0x6e01d929
0x6e01d929
0x6e01d8e6
0x6e01d8e6
0x6e01d8eb
0x6e01d8f0
0x6e01d8f0
0x6e01d8e4
0x6e01da8f
0x6e01da9b
0x6e01daa3
0x6e01daa5
0x6e01daa8
0x6e01dab0
0x6e01dab8
0x6e01dac6
0x6e01d8c0
0x6e01d8c6
0x6e01d8c6

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE012,00000000,?,?,00000000), ref: 6E01D8EB

Strings

Server-Cert, xrefs: 6E01D9F2

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Error_Util
String ID: Server-Cert
API String ID: 1971245937-580305613
Opcode ID: 0049b30c8fa694535842c6d06e0525ecbc18d98756ada5df707bc4b30c0db518
Instruction ID: f965890433e856198e3a555f443baaf56a6b6dc3ab5837f804d19486ad932c81
Opcode Fuzzy Hash: 0049b30c8fa694535842c6d06e0525ecbc18d98756ada5df707bc4b30c0db518
Instruction Fuzzy Hash: C25104B140C2016FD710CFE48C91BE77BEDAF41246F840939E89ACF245E736D5098BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E0121D0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 163
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E6E0121D0(signed int __eax, void* __esi) {
				void* __edi;
				intOrPtr _t65;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t84;
				intOrPtr _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed int _t90;
				intOrPtr _t91;
				void* _t99;
				void* _t100;
				void* _t102;
				intOrPtr _t103;
				intOrPtr _t105;
				intOrPtr* _t107;
				void* _t108;
				void* _t109;
				void* _t111;

				_t102 = __esi;
				_t106 =  *((intOrPtr*)(_t108 + 0x74));
				_t88 = _t87 | 0xffffffff;
				 *(_t108 + 0x1c) = 0;
				 *(_t108 + 0x20) = 0;
				 *(_t108 + 0x24) = 0;
				 *(_t108 + 8) = _t88;
				if( *((intOrPtr*)(_t108 + 0x74)) != 0) {
					_push(_t99);
					_t100 = E6E0116E0(_t99, __esi, _t106);
					_t109 = _t108 + 4;
					if(_t100 == 0) {
						_t100 = _t109 + 0x20;
					}
					_t61 =  *((intOrPtr*)(_t100 + 8));
					if( *((intOrPtr*)(_t100 + 8)) <= 0x80) {
						_t89 =  *(_t109 + 0x7c);
						_push(_t102);
						_t103 = _t89 + 0x18;
						E6E0267A0(_t103,  *((intOrPtr*)(_t100 + 4)), _t61);
						 *((intOrPtr*)(_t89 + 4)) = _t103;
						_t65 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)(_t89 + 8)) = _t65;
						 *(_t109 + 0x28) = "password-check";
						 *((intOrPtr*)(_t89 + 0x10)) = _t65 + 0x18 + _t89;
						 *(_t109 + 0x34) = 0xe;
						_t107 = E6E0119C0(_t106, _t109 + 0x28);
						_t109 = _t109 + 0x14;
						if(_t107 == 0) {
							_t88 = _t89 | 0xffffffff;
						} else {
							_t90 =  *( *(_t107 + 0x1c)) & 0x000000ff;
							 *(_t109 + 0x38) = _t90;
							 *(_t109 + 0x34) =  &(( *(_t107 + 0x1c))[1]);
							if( *((intOrPtr*)(_t107 + 0x20)) >= _t90 + 0xf) {
								_t75 = _t109 + 0x30;
								_push(_t75);
								L6E025B00();
								_t105 = 0;
								_t91 =  *((intOrPtr*)(_t109 + 0x3c));
								 *((intOrPtr*)(_t109 + 0x1c)) = _t75;
								 *((intOrPtr*)(_t109 + 0x40)) =  *((intOrPtr*)(_t107 + 0xc));
								 *((intOrPtr*)(_t109 + 0x44)) =  *((intOrPtr*)(_t107 + 0x10));
								 *((intOrPtr*)(_t109 + 0x48)) =  *((intOrPtr*)(_t107 + 0x14));
								_t79 = _t109 + 0x80;
								_push(0x800);
								 *((char*)(_t109 + 0x84)) = 1;
								 *((intOrPtr*)(_t109 + 0x50)) = 0;
								 *((intOrPtr*)(_t109 + 0x54)) = _t79;
								 *((intOrPtr*)(_t109 + 0x58)) = 1;
								 *((intOrPtr*)(_t109 + 0x74)) = 0;
								 *((intOrPtr*)(_t109 + 0x78)) = _t91 + 1 +  *(_t107 + 0x1c);
								 *(_t109 + 0x7c) =  *((intOrPtr*)(_t107 + 0x20)) - _t91 - 1;
								L6E025ABE();
								_t109 = _t109 + 8;
								 *((intOrPtr*)(_t109 + 0x14)) = _t79;
								if(_t79 != 0) {
									_push(0x6e035340);
									_push(_t109 + 0x40);
									_push(0);
									_push(_t79);
									L6E025AF4();
									_t111 = _t109 + 0x10;
									if(_t79 != 0) {
										_push(_t79);
										_push( *((intOrPtr*)(_t111 + 0x1c)));
										_t84 = _t111 + 0x5c;
										_push(_t84);
										_push( *((intOrPtr*)(_t111 + 0x20)));
										L6E025B0C();
										_t111 = _t111 + 0x10;
										if(_t84 == 0) {
											_push(0x6e035380);
											_t85 = _t111 + 0x58;
											_push(_t85);
											_push(0);
											_push(0);
											L6E025AF4();
											_t111 = _t111 + 0x10;
											_t105 = _t85;
										}
									}
									_push(0);
									_push( *((intOrPtr*)(_t111 + 0x18)));
									L6E025AC4();
									_t109 = _t111 + 8;
									if(_t105 != 0) {
										_t95 =  *((intOrPtr*)(_t105 + 8));
										if( *((intOrPtr*)(_t89 + 8)) +  *((intOrPtr*)(_t105 + 8)) <= 0x80) {
											E6E0267A0( *((intOrPtr*)(_t89 + 0x10)),  *((intOrPtr*)(_t105 + 4)), _t95);
											_t109 = _t109 + 0xc;
											 *((intOrPtr*)(_t89 + 0x14)) =  *((intOrPtr*)(_t105 + 8));
											 *(_t109 + 0x10) = 0;
										}
										_push(1);
										_push(_t105);
										L6E025AE2();
										_t109 = _t109 + 8;
									}
								}
							}
							_t74 =  *_t107;
							if(_t74 != 0) {
								_push(0);
								_push(_t74);
								L6E025AC4();
								_t109 = _t109 + 8;
							}
							_t88 =  *(_t109 + 0x10);
						}
					}
					if(_t100 != _t109 + 0x20) {
						_push(1);
						_push(_t100);
						L6E025AE2();
					}
					return _t88;
				} else {
					return __eax | _t88;
				}
			}

0x6e0121d0
0x6e0121d5
0x6e0121d9
0x6e0121dc
0x6e0121e4
0x6e0121ec
0x6e0121f4
0x6e0121fa
0x6e012204
0x6e01220b
0x6e01220d
0x6e012212
0x6e012214
0x6e012214
0x6e012218
0x6e012220
0x6e012226
0x6e01222a
0x6e01222f
0x6e012233
0x6e012238
0x6e01223b
0x6e01223e
0x6e012246
0x6e01224e
0x6e012257
0x6e012264
0x6e012266
0x6e01226b
0x6e0123ca
0x6e012271
0x6e012274
0x6e012277
0x6e01227f
0x6e012289
0x6e01228f
0x6e012293
0x6e012294
0x6e01229c
0x6e01229e
0x6e0122a4
0x6e0122b0
0x6e0122b7
0x6e0122be
0x6e0122c2
0x6e0122c9
0x6e0122ce
0x6e0122d6
0x6e0122da
0x6e0122de
0x6e0122e6
0x6e0122ea
0x6e0122ee
0x6e0122f2
0x6e0122f7
0x6e0122fa
0x6e012300
0x6e012306
0x6e01230f
0x6e012310
0x6e012311
0x6e012312
0x6e012317
0x6e01231c
0x6e01231e
0x6e01231f
0x6e012323
0x6e012327
0x6e012328
0x6e01232c
0x6e012331
0x6e012336
0x6e012338
0x6e01233d
0x6e012341
0x6e012342
0x6e012343
0x6e012344
0x6e012349
0x6e01234c
0x6e01234c
0x6e012336
0x6e01234e
0x6e012350
0x6e012354
0x6e012359
0x6e01235e
0x6e012363
0x6e01236d
0x6e012376
0x6e01237e
0x6e012381
0x6e012384
0x6e012384
0x6e01238c
0x6e01238e
0x6e01238f
0x6e012394
0x6e012394
0x6e01235e
0x6e012300
0x6e012397
0x6e01239c
0x6e01239e
0x6e0123a0
0x6e0123a1
0x6e0123a6
0x6e0123a6
0x6e0123a9
0x6e0123a9
0x6e0123ad
0x6e0123b4
0x6e0123b6
0x6e0123b8
0x6e0123b9
0x6e0123be
0x6e0123c9
0x6e0121fd
0x6e012203
0x6e012203

APIs

SECOID_FindOIDTag_Util.NSSUTIL3(?,?,?,?,?,00000000,?), ref: 6E012294
PORT_NewArena_Util.NSSUTIL3 ref: 6E0122F2
SEC_ASN1EncodeItem_Util.NSSUTIL3(00000000,00000000,?,6E035340,00000800,?,?,?,?,?,00000000,?), ref: 6E012312
SECOID_SetAlgorithmID_Util.NSSUTIL3(?,?,?,00000000,?,?,?,?,00000800,?,?,?,?,?,00000000,?), ref: 6E01232C
SEC_ASN1EncodeItem_Util.NSSUTIL3(00000000,00000000,?,6E035380,?,?,?,?,?,?,?,?,00000800,?,?,?), ref: 6E012344

Strings

password-check, xrefs: 6E012246, 6E012255

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$EncodeItem_$AlgorithmArena_FindTag_
String ID: password-check
API String ID: 2402920102-2616774086
Opcode ID: 992e3ea70e2945868c1d80c4fe801baa9f4e179b9326ed2845bbfd673fba1ca1
Instruction ID: 204fe6587f12362ad0de883040352dda2f7eea5b63976b3d7639409a740a7eef
Opcode Fuzzy Hash: 992e3ea70e2945868c1d80c4fe801baa9f4e179b9326ed2845bbfd673fba1ca1
Instruction Fuzzy Hash: 0E518AB15083459FD700CFA8C881B9BBBE8FF85348F40492DF9989B250E775E914CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA1B70 Relevance: 16.7, APIs: 11, Instructions: 211memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSSUTIL3(00000020,00000000,6DFF9B70), ref: 6DFA1B82
PORT_SetError_Util.NSSUTIL3(FFFFE013,6DFF9B70), ref: 6DFA1B95
PORT_GetError_Util.NSSUTIL3(?,?,?,?,?,?,?,?,6DFF9B70), ref: 6DFA1B9D
PORT_Alloc_Util.NSSUTIL3(00000050,?,?,?,?,?,?,?,?,6DFF9B70), ref: 6DFA1BAF
PORT_ZFree_Util.NSSUTIL3(00000000,00000020,6DFFC6A0,00000000,00000020,00000000,6DFE50D8,00000020,6DFF9B70), ref: 6DFA1BE6
PORT_ZFree_Util.NSSUTIL3(00000000,00000050,6DFFC6A0,00000000,00000050,00000000,6DFE50D8,00000050), ref: 6DFA1C21
PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6DFA1D1B
PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,?,?,?,6DFF9B70), ref: 6DFA1E10

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Alloc_Free_
String ID:
API String ID: 3186423673-0
Opcode ID: 2f02bb9a9a703fb095b6d93d34ecc7e857e70967bbc68c44c49d1f9039c803da
Instruction ID: 77bc8d1177b73b9f113ccd81794409ab7df26d111b81630c23f6d6799c62c50d
Opcode Fuzzy Hash: 2f02bb9a9a703fb095b6d93d34ecc7e857e70967bbc68c44c49d1f9039c803da
Instruction Fuzzy Hash: 5A617D76948202E6E720973C9C81B7B3375AF41368F8F0624FA569B2C1F721FD42C292

Uniqueness

Uniqueness Score: -1.00%

Function 6E01FA50 Relevance: 16.7, APIs: 11, Instructions: 190
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E6E01FA50() {
				void* _t46;
				signed int _t47;
				signed int _t50;
				intOrPtr _t55;
				void* _t64;
				void* _t67;
				void* _t74;
				intOrPtr _t75;
				void* _t79;
				intOrPtr* _t80;
				unsigned int _t81;
				signed int _t82;
				intOrPtr* _t84;
				void* _t86;
				void* _t87;
				signed int _t88;
				signed int _t89;
				signed int _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				void* _t95;
				void* _t96;
				void* _t98;
				void* _t99;
				void* _t101;
				void* _t102;
				void* _t103;

				_t79 = (0 |  *((intOrPtr*)(_t95 + 0x30)) != 0x00000000) + 4;
				_t47 = E6E01C6E0(_t46,  *((intOrPtr*)(_t95 + 0x34)),  *((intOrPtr*)(_t95 + 0x38)), _t79);
				_push(0x800);
				L6E025ABE();
				_t88 = _t47;
				_t96 = _t95 + 0x10;
				if(_t88 == 0) {
					L24:
					_push(0xffffe013);
					L6E025AB2();
					return _t47 | 0xffffffff;
				} else {
					_push(0x20);
					_push(_t88);
					L6E025AD0();
					_t92 = _t47;
					_t98 = _t96 + 8;
					if(_t92 == 0) {
						L23:
						_push(0);
						_push(_t88);
						L6E025AC4();
						_t96 = _t98 + 8;
						goto L24;
					} else {
						_t93 =  *((intOrPtr*)(_t98 + 0x30));
						 *(_t92 + 0xc) = _t88;
						 *_t92 = _t79;
						 *((intOrPtr*)(_t92 + 4)) = 8;
						 *(_t92 + 8) = 0;
						_push( *(_t93 + 8));
						_push(_t88);
						L6E025ACA();
						_t98 = _t98 + 8;
						 *(_t92 + 0x14) = _t47;
						if(_t47 == 0) {
							goto L23;
						} else {
							_t80 =  *((intOrPtr*)(_t98 + 0x38));
							if(_t80 == 0) {
								 *(_t92 + 0x1c) = 0;
								goto L9;
							} else {
								_t84 = _t80;
								_t87 = _t84 + 1;
								do {
									_t75 =  *_t84;
									_t84 = _t84 + 1;
								} while (_t75 != 0);
								_t47 = _t84 - _t87 + 1;
								_push(_t47);
								_push(_t88);
								 *(_t98 + 0x44) = _t47;
								L6E025ACA();
								_t98 = _t98 + 8;
								 *(_t92 + 0x1c) = _t47;
								if(_t47 == 0) {
									goto L23;
								} else {
									E6E0267A0(_t47, _t80,  *((intOrPtr*)(_t98 + 0x3c)));
									_t98 = _t98 + 0xc;
									L9:
									 *(_t92 + 0x18) =  *(_t93 + 8);
									_t50 = E6E0267A0( *(_t92 + 0x14),  *((intOrPtr*)(_t93 + 4)),  *(_t93 + 8));
									_push(0x800);
									L6E025ABE();
									_t89 = _t50;
									_t99 = _t98 + 0x10;
									if(_t89 == 0) {
										L17:
										E6E01CAD0(_t92);
										return _t89 | 0xffffffff;
									} else {
										_t82 =  *(_t92 + 0x1c);
										_t81 = 0;
										if(_t82 != 0) {
											_t86 = _t82 + 1;
											do {
												_t74 =  *_t82;
												_t82 = _t82 + 1;
											} while (_t74 != 0);
											_t81 = _t82 - _t86 + 1;
										}
										_t55 =  *(_t92 + 0x18) + 7 + _t81;
										_push(_t55);
										_push(_t89);
										 *((intOrPtr*)(_t99 + 0x20)) = _t55;
										L6E025ACA();
										_t94 = _t55;
										_t101 = _t99 + 8;
										 *((intOrPtr*)(_t101 + 0x14)) = _t94;
										if(_t94 != 0) {
											 *((char*)(_t94 + 3)) =  *(_t92 + 0x18) >> 8;
											 *((char*)(_t94 + 4)) =  *(_t92 + 0x18);
											 *((char*)(_t94 + 5)) = _t81 >> 8;
											_t35 = _t94 + 7; // 0x7
											 *(_t94 + 6) = _t81;
											E6E0267A0(_t35,  *(_t92 + 0x14),  *(_t92 + 0x18));
											_t102 = _t101 + 0xc;
											if(_t81 != 0) {
												E6E0267A0( *(_t92 + 0x18) + 7 + _t94,  *(_t92 + 0x1c), _t81);
												_t102 = _t102 + 0xc;
											}
											_t64 = E6E01CC10(_t102 + 0x20,  *((intOrPtr*)(_t102 + 0x40)), _t89, _t102 + 0x20,  *_t92);
											_t103 = _t102 + 0x10;
											if(_t64 == 0xffffffff) {
												goto L16;
											} else {
												_t67 = E6E01E320( *((intOrPtr*)(_t103 + 0x38)), _t92, _t103 + 0x20, _t103 + 0x10);
												_t103 = _t103 + 0x10;
												if(_t67 != 0) {
													goto L16;
												} else {
													_push(_t67);
													_push(_t89);
													L6E025AC4();
													E6E01CAD0(_t92);
													return 0;
												}
											}
										} else {
											_push(0xffffe013);
											L6E025AB2();
											_t103 = _t101 + 4;
											L16:
											_push(0);
											_push(_t89);
											L6E025AC4();
											_t99 = _t103 + 8;
											goto L17;
										}
									}
								}
							}
						}
					}
				}
			}

0x6e01fa60
0x6e01fa6c
0x6e01fa71
0x6e01fa76
0x6e01fa7b
0x6e01fa7d
0x6e01fa82
0x6e01fc48
0x6e01fc48
0x6e01fc4d
0x6e01fc5f
0x6e01fa88
0x6e01fa88
0x6e01fa8a
0x6e01fa8b
0x6e01fa90
0x6e01fa92
0x6e01fa97
0x6e01fc3d
0x6e01fc3d
0x6e01fc3f
0x6e01fc40
0x6e01fc45
0x00000000
0x6e01fa9d
0x6e01fa9d
0x6e01faa1
0x6e01faa4
0x6e01faa6
0x6e01faad
0x6e01fab4
0x6e01fab7
0x6e01fab8
0x6e01fabd
0x6e01fac0
0x6e01fac5
0x00000000
0x6e01facb
0x6e01facb
0x6e01fad1
0x6e01fb0d
0x00000000
0x6e01fad3
0x6e01fad3
0x6e01fad5
0x6e01fad8
0x6e01fad8
0x6e01fada
0x6e01fadb
0x6e01fae1
0x6e01fae4
0x6e01fae5
0x6e01fae6
0x6e01faea
0x6e01faef
0x6e01faf2
0x6e01faf7
0x00000000
0x6e01fafd
0x6e01fb03
0x6e01fb08
0x6e01fb14
0x6e01fb17
0x6e01fb23
0x6e01fb28
0x6e01fb2d
0x6e01fb32
0x6e01fb34
0x6e01fb39
0x6e01fb8b
0x6e01fb8f
0x6e01fba0
0x6e01fb3b
0x6e01fb3b
0x6e01fb3e
0x6e01fb42
0x6e01fb44
0x6e01fb47
0x6e01fb47
0x6e01fb49
0x6e01fb4a
0x6e01fb50
0x6e01fb50
0x6e01fb59
0x6e01fb5b
0x6e01fb5c
0x6e01fb5d
0x6e01fb61
0x6e01fb66
0x6e01fb68
0x6e01fb6b
0x6e01fb71
0x6e01fba7
0x6e01fbad
0x6e01fbb5
0x6e01fbb8
0x6e01fbbb
0x6e01fbc5
0x6e01fbca
0x6e01fbcf
0x6e01fbde
0x6e01fbe3
0x6e01fbe3
0x6e01fbf2
0x6e01fbf7
0x6e01fbfd
0x00000000
0x6e01fbff
0x6e01fc0e
0x6e01fc13
0x6e01fc18
0x00000000
0x6e01fc1e
0x6e01fc1e
0x6e01fc1f
0x6e01fc20
0x6e01fc2b
0x6e01fc3c
0x6e01fc3c
0x6e01fc18
0x6e01fb73
0x6e01fb73
0x6e01fb78
0x6e01fb7d
0x6e01fb80
0x6e01fb80
0x6e01fb82
0x6e01fb83
0x6e01fb88
0x00000000
0x6e01fb88
0x6e01fb71
0x6e01fb39
0x6e01faf7
0x6e01fad1
0x6e01fac5
0x6e01fa97

APIs

Part of subcall function 6E01C6E0: PORT_NewArena_Util.NSSUTIL3(00000800,?,?,00000000,?,6E01DFB2,?,?,?,?,00000000,?,?,00000000), ref: 6E01C6E9
Part of subcall function 6E01C6E0: PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,?,6E01DFB2,?,?), ref: 6E01C72E

PORT_NewArena_Util.NSSUTIL3(00000800,?,?,-00000004,00000000,?,00000000,?,6E01DFB2,?,?,?,?,00000000), ref: 6E01FA76
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000020,00000000,?,00000000,?,6E01DFB2,?,?,?,?,00000000,?,?,00000000), ref: 6E01FA8B
PORT_ArenaAlloc_Util.NSSUTIL3(00000000,00000000,?,?,00000000,?,00000000,?,6E01DFB2,?,?,?,?,00000000), ref: 6E01FAB8
PORT_ArenaAlloc_Util.NSSUTIL3(00000000,?,?,?,?,?,00000000,?,00000000,?,6E01DFB2,?,?,?,?,00000000), ref: 6E01FAEA
PORT_NewArena_Util.NSSUTIL3(00000800,?,00000008,00000000,?,?,?,?,00000000,?,00000000,?,6E01DFB2,?,?,?), ref: 6E01FB2D
PORT_ArenaAlloc_Util.NSSUTIL3(00000000,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6E01DFB2,?), ref: 6E01FB61
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6E01DFB2), ref: 6E01FB78
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000), ref: 6E01FB83
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000), ref: 6E01FC20
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,00000000,?,00000000,?,6E01DFB2,?,?,?,?,00000000), ref: 6E01FC40
PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000,?,00000000,?,6E01DFB2,?,?,?,?,00000000,?,?,00000000), ref: 6E01FC4D

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_$Alloc_ArenaFree$Error_
String ID:
API String ID: 4196567886-0
Opcode ID: e7191b64a7669774f659b91ebfd859e344299764d026fec676acb1c67b4b2324
Instruction ID: ca4c338661c21d01358faf9eb472e05e1d8dde9058b2ed7f515dfc7b3bbaa133
Opcode Fuzzy Hash: e7191b64a7669774f659b91ebfd859e344299764d026fec676acb1c67b4b2324
Instruction Fuzzy Hash: C05147765083046FDB109EE49C81BEB7BECEF91258F584A3DFC858B201E736D51987A2

Uniqueness

Uniqueness Score: -1.00%

Function 6E01A800 Relevance: 16.7, APIs: 11, Instructions: 185
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E6E01A800(char* __eax, intOrPtr _a4) {
				intOrPtr _v4;
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v52;
				unsigned int _v56;
				intOrPtr _v60;
				char _v64;
				char* _t48;
				char* _t50;
				char* _t56;
				char* _t57;
				char* _t58;
				char* _t62;
				char* _t64;
				char* _t67;
				char* _t69;
				char* _t71;
				void* _t90;
				void* _t91;
				void* _t93;

				_push(0x800);
				L6E025ABE();
				_t80 = __eax;
				_t90 =  &_v64 + 4;
				if(__eax != 0) {
					_push(0x98);
					_push(__eax);
					L6E025AD0();
					_t82 = __eax;
					_t91 = _t90 + 8;
					__eflags = __eax;
					if(__eax == 0) {
						L5:
						_push(0);
						L6E025AC4();
						__eflags = 0;
						return 0;
					} else {
						 *((intOrPtr*)(__eax)) = __eax;
						_v40 = 0;
						_v36 = 0;
						_v32 = 0;
						_v28 = 0;
						_v24 = 0;
						_v20 = 0;
						_v16 = 0;
						_v12 = 0;
						_v8 = 0;
						_v4 = 0;
						_push(_a4 + 0x44);
						_t48 =  &_v52;
						_push(_t48);
						_push(__eax);
						L6E025AD6();
						_t91 = _t91 + 0xc;
						__eflags = _t48;
						if(_t48 != 0) {
							goto L5;
						} else {
							_push( &_v52);
							_push(0x6e035568);
							_t50 =  &_v40;
							_push(_t50);
							_push(__eax);
							L6E025AEE();
							_t91 = _t91 + 0x10;
							__eflags = _t50;
							if(_t50 == 0) {
								_v64 = _v12;
								_v60 = _v8;
								_v56 = _v4 + 7 >> 3;
								_t56 =  &_v36;
								_push(_t56);
								L6E025B12();
								_t93 = _t91 + 4;
								__eflags = _t56 - 0xae;
								if(__eflags > 0) {
									_t57 = _t56 - 0xc8;
									__eflags = _t57;
									if(_t57 == 0) {
										_t58 =  &_v24;
										 *((intOrPtr*)(__eax + 4)) = 5;
										_push(_t58);
										_t39 = _t82 + 0x70; // 0x70
										_t74 = _t39;
										_push(_t39);
										_push(__eax);
										L6E025AD6();
										_t93 = _t93 + 0xc;
										__eflags = _t58;
										if(_t58 != 0) {
											goto L23;
										} else {
											_t40 = _t82 + 8; // 0x8
											_t62 = E6E01B380(__eax, _t74, _t40);
											_t93 = _t93 + 0xc;
											__eflags = _t62;
											if(_t62 != 0) {
												goto L23;
											} else {
												_push( &_v64);
												_t42 = _t82 + 0x8c; // 0x8c
												_t64 = _t42;
												_push(_t64);
												L6E025AD6();
												_t93 = _t93 + 0xc;
												__eflags = _t64;
												if(_t64 != 0) {
													goto L23;
												} else {
													return _t82;
												}
											}
										}
									} else {
										__eflags = _t57 != 0x6b;
										if(_t57 != 0x6b) {
											goto L23;
										} else {
											goto L17;
										}
									}
								} else {
									if(__eflags == 0) {
										_t69 =  &_v64;
										 *((intOrPtr*)(__eax + 4)) = 4;
										_push(_t69);
										_push(0x6e035608);
										_push(__eax);
										_push(__eax);
										 *((intOrPtr*)(__eax + 0xc)) = 0xa;
										 *((intOrPtr*)(__eax + 0x18)) = 0xa;
										 *((intOrPtr*)(__eax + 0x24)) = 0xa;
										L6E025AEE();
										_t93 = _t93 + 0x10;
										__eflags = _t69;
										if(_t69 != 0) {
											goto L23;
										} else {
											return __eax;
										}
									} else {
										__eflags = _t56 - 0x10;
										if(_t56 == 0x10) {
											L17:
											_t67 =  &_v64;
											 *((intOrPtr*)(_t82 + 4)) = 1;
											_push(_t67);
											_push(0x6e0355a8);
											_push(_t82);
											 *((intOrPtr*)(_t82 + 0xc)) = 0xa;
											 *((intOrPtr*)(_t82 + 0x18)) = 0xa;
											L6E025AEE();
											_t93 = _t93 + 0x10;
											__eflags = _t67;
											if(_t67 != 0) {
												goto L23;
											} else {
												return _t82;
											}
										} else {
											__eflags = _t56 - 0x61;
											if(_t56 == 0x61) {
												goto L17;
											} else {
												__eflags = _t56 - 0x7c;
												if(_t56 != 0x7c) {
													L23:
													E6E01B650(_t82);
													__eflags = 0;
													return 0;
												} else {
													_t71 =  &_v64;
													 *((intOrPtr*)(__eax + 4)) = 2;
													_push(_t71);
													_push(0x6e0355e8);
													_push(__eax);
													_push(__eax);
													 *((intOrPtr*)(__eax + 0x30)) = 0xa;
													 *((intOrPtr*)(__eax + 0xc)) = 0xa;
													 *((intOrPtr*)(__eax + 0x18)) = 0xa;
													 *((intOrPtr*)(__eax + 0x24)) = 0xa;
													L6E025AEE();
													_t93 = _t93 + 0x10;
													__eflags = _t71;
													if(_t71 != 0) {
														goto L23;
													} else {
														return __eax;
													}
												}
											}
										}
									}
								}
							} else {
								goto L5;
							}
						}
					}
				} else {
					return __eax;
				}
			}

0x6e01a804
0x6e01a809
0x6e01a80e
0x6e01a810
0x6e01a815
0x6e01a81d
0x6e01a822
0x6e01a823
0x6e01a828
0x6e01a82a
0x6e01a82d
0x6e01a82f
0x6e01a893
0x6e01a893
0x6e01a896
0x6e01a89e
0x6e01a8a5
0x6e01a831
0x6e01a833
0x6e01a835
0x6e01a839
0x6e01a83d
0x6e01a841
0x6e01a845
0x6e01a849
0x6e01a84d
0x6e01a851
0x6e01a855
0x6e01a859
0x6e01a864
0x6e01a865
0x6e01a869
0x6e01a86a
0x6e01a86b
0x6e01a870
0x6e01a873
0x6e01a875
0x00000000
0x6e01a877
0x6e01a87b
0x6e01a87c
0x6e01a881
0x6e01a885
0x6e01a886
0x6e01a887
0x6e01a88c
0x6e01a88f
0x6e01a891
0x6e01a8aa
0x6e01a8b2
0x6e01a8c0
0x6e01a8c4
0x6e01a8c9
0x6e01a8ca
0x6e01a8cf
0x6e01a8d2
0x6e01a8d7
0x6e01a983
0x6e01a983
0x6e01a988
0x6e01a9c9
0x6e01a9cd
0x6e01a9d4
0x6e01a9d5
0x6e01a9d5
0x6e01a9d8
0x6e01a9d9
0x6e01a9da
0x6e01a9df
0x6e01a9e2
0x6e01a9e4
0x00000000
0x6e01a9e6
0x6e01a9e6
0x6e01a9ec
0x6e01a9f1
0x6e01a9f4
0x6e01a9f6
0x00000000
0x6e01a9f8
0x6e01a9fc
0x6e01a9fd
0x6e01a9fd
0x6e01aa03
0x6e01aa05
0x6e01aa0a
0x6e01aa0d
0x6e01aa0f
0x00000000
0x6e01aa11
0x6e01aa19
0x6e01aa19
0x6e01aa0f
0x6e01a9f6
0x6e01a98a
0x6e01a98a
0x6e01a98d
0x00000000
0x00000000
0x00000000
0x00000000
0x6e01a98d
0x6e01a8dd
0x6e01a8dd
0x6e01a942
0x6e01a946
0x6e01a94d
0x6e01a94e
0x6e01a953
0x6e01a954
0x6e01a955
0x6e01a95c
0x6e01a963
0x6e01a96a
0x6e01a96f
0x6e01a972
0x6e01a974
0x00000000
0x6e01a97a
0x6e01a982
0x6e01a982
0x6e01a8df
0x6e01a8df
0x6e01a8e2
0x6e01a993
0x6e01a993
0x6e01a997
0x6e01a99e
0x6e01a99f
0x6e01a9a4
0x6e01a9a6
0x6e01a9ad
0x6e01a9b4
0x6e01a9b9
0x6e01a9bc
0x6e01a9be
0x00000000
0x6e01a9c0
0x6e01a9c8
0x6e01a9c8
0x6e01a8e8
0x6e01a8e8
0x6e01a8eb
0x00000000
0x6e01a8f1
0x6e01a8f1
0x6e01a8f4
0x6e01aa1a
0x6e01aa1b
0x6e01aa23
0x6e01aa2b
0x6e01a8fa
0x6e01a8fa
0x6e01a8fe
0x6e01a905
0x6e01a906
0x6e01a90b
0x6e01a90c
0x6e01a90d
0x6e01a914
0x6e01a91b
0x6e01a922
0x6e01a929
0x6e01a92e
0x6e01a931
0x6e01a933
0x00000000
0x6e01a939
0x6e01a941
0x6e01a941
0x6e01a933
0x6e01a8f4
0x6e01a8eb
0x6e01a8e2
0x6e01a8dd
0x00000000
0x00000000
0x00000000
0x6e01a891
0x6e01a875
0x6e01a81b
0x6e01a81b
0x6e01a81b

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,?,?,?,?,?,?,?,?,?,?,6E0123EE,?), ref: 6E01A809
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000098), ref: 6E01A823
SECITEM_CopyItem_Util.NSSUTIL3(00000000,?,?), ref: 6E01A86B
SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,?,6E035568,?), ref: 6E01A887
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000), ref: 6E01A896

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_Item_$Alloc_ArenaCopyDecodeFreeQuick
String ID:
API String ID: 171508100-0
Opcode ID: e66b6af8ce68724e200af99a7370e0b71182260c67532d1e7ff93880e7f633e4
Instruction ID: 6e9aa78f343ad9cb92c89ca0efe3d890ae68bfdc1e4f0e813d834dbc2fc79f08
Opcode Fuzzy Hash: e66b6af8ce68724e200af99a7370e0b71182260c67532d1e7ff93880e7f633e4
Instruction Fuzzy Hash: 585161B66083006FE350CF99C981B9BB7F8EB85798F54483EE999C7204E335D5098B53

Uniqueness

Uniqueness Score: -1.00%

Function 6E01EE00 Relevance: 16.6, APIs: 11, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E6E01EE00(intOrPtr __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v12;
				char _v24;
				intOrPtr* _t17;
				void* _t19;
				void* _t22;
				void* _t24;
				intOrPtr _t27;
				intOrPtr* _t30;
				intOrPtr* _t32;
				intOrPtr* _t34;
				void* _t37;
				void* _t38;
				void* _t40;
				void* _t41;
				void* _t42;
				void* _t43;
				void* _t44;

				_t32 = 0;
				_push(0x800);
				_t27 = (0 | _a12 != 0x00000000) + 4;
				L6E025ABE();
				_t37 =  &_v24 + 4;
				_a12 = __eax;
				if(__eax != 0) {
					_t17 = E6E01CC10(__eax, _a8, __eax,  &_v12, _t27);
					_t38 = _t37 + 0x10;
					if(_t17 == 0) {
						_push(0x800);
						L6E025ABE();
						_t34 = _t17;
						_t40 = _t38 + 4;
						if(_t34 != 0) {
							_push(0x800);
							L6E025ABE();
							_t30 = _t17;
							_t41 = _t40 + 4;
							if(_t30 != 0) {
								_push(0x20);
								_push(_t34);
								L6E025ACA();
								_t32 = _t17;
								_t42 = _t41 + 8;
								if(_t32 != 0) {
									 *((intOrPtr*)(_t32 + 0xc)) = _t34;
									 *_t32 = _t27;
									_t19 = E6E01CC10( &_v24, _a8, _t30,  &_v24, _t27);
									_t43 = _t42 + 0x10;
									if(_t19 != 0) {
										goto L8;
									} else {
										_t22 = E6E01D3D0(_a4, _t32,  &_v24,  &_v12, _t19);
										_t43 = _t43 + 0x14;
										if(_t22 == 0xffffffff) {
											goto L8;
										} else {
											_t24 = E6E01BF30( &_v12, _t32,  &_v12);
											_t43 = _t43 + 8;
											if(_t24 != 0) {
												goto L8;
											} else {
												_push(_t24);
												_push(_t30);
												L6E025AC4();
												_t38 = _t43 + 8;
												goto L11;
											}
										}
									}
									goto L13;
								} else {
									_push(0xffffe013);
									L6E025AB2();
									_t43 = _t42 + 4;
									L8:
									_push(0);
									_push(_t30);
									L6E025AC4();
									_t44 = _t43 + 8;
									goto L9;
								}
							} else {
								_push(0xffffe013);
								L6E025AB2();
								_t44 = _t41 + 4;
								L9:
								_push(0);
								_push(_t34);
								L6E025AC4();
								_t38 = _t44 + 8;
								goto L10;
							}
						} else {
							_push(0xffffe013);
							L6E025AB2();
							_t38 = _t40 + 4;
							L10:
							_t32 = 0;
						}
						L11:
					}
					_push(0);
					_push(_a12);
					L6E025AC4();
				}
				L13:
				return _t32;
			}

0x6e01ee07
0x6e01ee0d
0x6e01ee15
0x6e01ee18
0x6e01ee1d
0x6e01ee20
0x6e01ee26
0x6e01ee37
0x6e01ee3c
0x6e01ee41
0x6e01ee45
0x6e01ee4a
0x6e01ee4f
0x6e01ee51
0x6e01ee56
0x6e01ee67
0x6e01ee6c
0x6e01ee71
0x6e01ee73
0x6e01ee78
0x6e01ee89
0x6e01ee8b
0x6e01ee8c
0x6e01ee91
0x6e01ee93
0x6e01ee98
0x6e01eedc
0x6e01eee5
0x6e01eee7
0x6e01eeec
0x6e01eef1
0x00000000
0x6e01eef3
0x6e01ef03
0x6e01ef08
0x6e01ef0e
0x00000000
0x6e01ef10
0x6e01ef16
0x6e01ef1b
0x6e01ef20
0x00000000
0x6e01ef22
0x6e01ef22
0x6e01ef23
0x6e01ef24
0x6e01ef29
0x00000000
0x6e01ef29
0x6e01ef20
0x6e01ef0e
0x00000000
0x6e01ee9a
0x6e01ee9a
0x6e01ee9f
0x6e01eea4
0x6e01eea7
0x6e01eea7
0x6e01eea9
0x6e01eeaa
0x6e01eeaf
0x00000000
0x6e01eeaf
0x6e01ee7a
0x6e01ee7a
0x6e01ee7f
0x6e01ee84
0x6e01eeb2
0x6e01eeb2
0x6e01eeb4
0x6e01eeb5
0x6e01eeba
0x00000000
0x6e01eeba
0x6e01ee58
0x6e01ee58
0x6e01ee5d
0x6e01ee62
0x6e01eebd
0x6e01eebd
0x6e01eebd
0x6e01eebf
0x6e01eec0
0x6e01eec1
0x6e01eec3
0x6e01eec7
0x6e01eecc
0x6e01eecf
0x6e01eed6

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,?,00000000,?,?,6E014099,00000000,?,00000000), ref: 6E01EE18

Part of subcall function 6E01CC10: PORT_ArenaAlloc_Util.NSSUTIL3(-00000004,00000001,00000000,00000000,-00000004,6E01C70A,?,00000000,?,?,?,?,00000000,?,6E01DFB2,?), ref: 6E01CC2D

PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,?,?,?,00000000,?,?,6E014099,00000000,?,00000000), ref: 6E01EE4A
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,00000000,?,?,6E014099,00000000,?,00000000), ref: 6E01EE5D
PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,?,?,00000000,?,?,6E014099,00000000,?,00000000), ref: 6E01EE6C
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,00000000,?,?,6E014099,00000000,?,00000000), ref: 6E01EE7F
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000), ref: 6E01EEB5
PORT_FreeArena_Util.NSSUTIL3(?,00000000,?,?,?,?,00000000,?,?,6E014099,00000000,?,00000000), ref: 6E01EEC7
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000), ref: 6E01EF24

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_$Free$Error_$Alloc_Arena
String ID:
API String ID: 3665703524-0
Opcode ID: bfd1abc1ed311b7de39aec175753f7be665da8d8046b02b538a8a3cfb83b53d7
Instruction ID: f1be6a397b14c8d7038f9847d8c4e730454036efcf92466bb8123db32967c5a8
Opcode Fuzzy Hash: bfd1abc1ed311b7de39aec175753f7be665da8d8046b02b538a8a3cfb83b53d7
Instruction Fuzzy Hash: B73105B694C2012FE3105AE09C82FEF71EC9FA0299F080939FD459A289F635D51647E7

Uniqueness

Uniqueness Score: -1.00%

Function 6E019810 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

PR_LoadLibrary.NSPR4(rdb.dll,?,?,6E0130D1,?,?,key,00000302,?,6E01931B,00000000,00000000,?,6E012712,?,?), ref: 6E019880
PR_FindSymbol.NSPR4(00000000,rdbstatus,?,?,?,?,?,?,?,6E0197A0,00000000), ref: 6E01989F
PR_FindSymbol.NSPR4(00000000,rdbopen,?,?,?,?,?,?,?,6E0197A0,00000000), ref: 6E0198AC
PR_GetEnvSecure.NSPR4(NSS_DISABLE_UNLOAD,?,?,?,?,?,?,?,?,?,?,?,6E0197A0,00000000), ref: 6E019939
PR_UnloadLibrary.NSPR4(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6E0197A0,00000000), ref: 6E019947

Strings

rdb.dll, xrefs: 6E01987B
NSS_DISABLE_UNLOAD, xrefs: 6E019934
rdbstatus, xrefs: 6E019899
rdbopen, xrefs: 6E0198A1

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: FindLibrarySymbol$LoadSecureUnload
String ID: NSS_DISABLE_UNLOAD$rdb.dll$rdbopen$rdbstatus
API String ID: 2946965717-590385284
Opcode ID: 4f84f06e66d9893219516a4602be3ebcbf7f6db60f1ab6cbcaa9fbc70c453881
Instruction ID: d2dadcb2aff6b2d5589c9002a133b48877332ce44acfb38d89efea05d10087ab
Opcode Fuzzy Hash: 4f84f06e66d9893219516a4602be3ebcbf7f6db60f1ab6cbcaa9fbc70c453881
Instruction Fuzzy Hash: 0A31A13250C103AFEB069EED8C14BAF7EF2EF95380F81442CF5559A172D621C856CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6E01DB40 Relevance: 15.3, APIs: 10, Instructions: 305
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E6E01DB40() {
				intOrPtr _t79;
				signed int _t81;
				intOrPtr _t82;
				intOrPtr _t85;
				void* _t87;
				signed int _t89;
				intOrPtr _t93;
				intOrPtr _t97;
				void* _t99;
				char* _t100;
				signed int _t101;
				intOrPtr _t106;
				intOrPtr _t107;
				intOrPtr _t109;
				void* _t113;
				intOrPtr _t118;
				intOrPtr _t119;
				char* _t127;
				char* _t138;
				char* _t143;
				signed int _t151;
				char* _t157;
				intOrPtr _t158;
				intOrPtr _t167;
				signed int _t168;
				intOrPtr _t169;
				void* _t170;
				void* _t171;
				void* _t172;
				void* _t173;
				void* _t174;
				void* _t175;

				_t143 = 0;
				 *((intOrPtr*)(_t171 + 0xc)) = 0;
				_t170 = 0;
				_t169 = 0;
				_t79 =  *((intOrPtr*)(_t171 + 0x34));
				_t81 =  *((intOrPtr*)( *((intOrPtr*)(_t79 + 0x14))))(_t79, _t171 + 0x20, _t171 + 0x14, 3);
				_t172 = _t171 + 0x10;
				if(_t81 == 0) {
					do {
						_t82 =  *((intOrPtr*)(_t172 + 0x18));
						_t157 =  *((intOrPtr*)(_t172 + 0x14));
						if(_t82 < 3 ||  *_t157 != 6) {
							goto L15;
						} else {
							_t151 =  *(_t157 + 1) & 0x000000ff;
							if(_t151 != 3) {
								if(_t151 == 1) {
									_t127 = _t82 + 3;
									_push(_t127);
									L6E025A8E();
									_t143 = _t127;
									_t172 = _t172 + 4;
									if(_t143 != 0) {
										 *_t143 =  *_t157;
										 *((char*)(_t143 + 2)) =  *(_t157 + 2) & 0x000000ff;
										 *((char*)(_t143 + 3)) = 0;
										 *((char*)(_t143 + 4)) =  *(_t157 + 3) & 0x000000ff;
										 *((char*)(_t143 + 5)) = 0;
										 *((char*)(_t143 + 6)) =  *(_t157 + 4) & 0x000000ff;
										 *((char*)(_t143 + 7)) = 0;
										 *((char*)(_t143 + 8)) =  *(_t157 + 5) & 0x000000ff;
										_t30 = _t143 + 9; // 0x9
										E6E0267A0(_t30, _t157 + 6,  *((intOrPtr*)(_t172 + 0x18)) + 0xfffffffa);
										_t172 = _t172 + 0xc;
										 *((intOrPtr*)(_t172 + 0x18)) =  *((intOrPtr*)(_t172 + 0x18)) + 3;
										goto L11;
									}
								}
							} else {
								_t138 = _t82 + 4;
								_push(_t138);
								L6E025A8E();
								_t143 = _t138;
								_t172 = _t172 + 4;
								if(_t143 != 0) {
									 *_t143 =  *_t157;
									 *((char*)(_t143 + 4)) =  *(_t157 + 4);
									 *((intOrPtr*)(_t143 + 5)) = _t169;
									_t14 = _t143 + 9; // 0x9
									E6E0267A0(_t14, _t157 + 5,  *((intOrPtr*)(_t172 + 0x18)) + 0xfffffffb);
									_t172 = _t172 + 0xc;
									 *((intOrPtr*)(_t172 + 0x18)) =  *((intOrPtr*)(_t172 + 0x18)) + 4;
									L11:
									_t157 = _t143;
									 *((intOrPtr*)(_t172 + 0x14)) = _t143;
								}
							}
							 *_t157 = 8;
							_t167 =  *((intOrPtr*)( *((intOrPtr*)(_t172 + 0x28))));
							__imp__PR_Lock( *0x6e03d984);
							_t89 =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x10))))(_t167, _t172 + 0x28, _t172 + 0x1c, 0);
							_t168 = _t89;
							__imp__PR_Unlock( *0x6e03d984);
							_t172 = _t172 + 0x18;
							if(_t143 != 0) {
								_push(_t143);
								L6E025A9A();
								_t172 = _t172 + 4;
							}
							_t143 = 0;
							if(_t168 != 0) {
								L40:
								return _t89 | 0xffffffff;
							} else {
								goto L15;
							}
						}
						goto L42;
						L15:
						_t85 =  *((intOrPtr*)(_t172 + 0x38));
						_t87 =  *((intOrPtr*)( *((intOrPtr*)(_t85 + 0x14))))(_t85, _t172 + 0x24, _t172 + 0x18, 7);
						_t172 = _t172 + 0x10;
					} while (_t87 == 0);
					_t144 =  *((intOrPtr*)(_t172 + 0x28));
					_t158 =  *( *((intOrPtr*)(_t172 + 0x28)));
					__imp__PR_Lock( *0x6e03d984);
					_t89 =  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x18))))(_t158, 0);
					__imp__PR_Unlock( *0x6e03d984);
					_t173 = _t172 + 0x10;
					if(_t89 != 0) {
						goto L40;
					} else {
						_t93 =  *((intOrPtr*)(_t173 + 0x38));
						_t89 =  *((intOrPtr*)( *((intOrPtr*)(_t93 + 0x14))))(_t93, _t173 + 0x24, _t173 + 0x18, 3);
						_t174 = _t173 + 0x10;
						if(_t89 != 0) {
							goto L40;
						} else {
							do {
								if( *((intOrPtr*)(_t174 + 0x18)) >= 3) {
									_t100 =  *((intOrPtr*)(_t174 + 0x14));
									if( *_t100 == 8) {
										_t101 =  *(_t100 + 1) & 0x000000ff;
										if(_t101 != 2) {
											if(_t101 != 6) {
												goto L32;
											} else {
												_t164 =  *((intOrPtr*)(_t174 + 0x1c)) + 1;
												_t106 = E6E01F5D0(_t101, _t144,  *((intOrPtr*)(_t174 + 0x1c)) + 1);
												_t174 = _t174 + 8;
												 *((intOrPtr*)(_t174 + 0x10)) = _t106;
												if(_t106 == 0) {
													goto L32;
												} else {
													_t59 = _t106 + 0x14; // 0x14
													_t107 = E6E01D610(_t106, _t144, _t59);
													_t169 = _t107;
													_t174 = _t174 + 8;
													if(_t169 != 0) {
														_push(4);
														_push( *((intOrPtr*)(_t169 + 0xc)));
														L6E025ACA();
														_t174 = _t174 + 8;
														 *((intOrPtr*)(_t169 + 0x2c)) = _t107;
														if(_t107 != 0) {
															_t109 =  *((intOrPtr*)(_t174 + 0x20)) - 1;
															_push(_t109);
															_push( *((intOrPtr*)(_t169 + 0xc)));
															L6E025ACA();
															_t174 = _t174 + 8;
															 *((intOrPtr*)( *((intOrPtr*)(_t169 + 0x2c)))) = _t109;
															_t150 =  *((intOrPtr*)( *((intOrPtr*)(_t169 + 0x2c))));
															if( *((intOrPtr*)( *((intOrPtr*)(_t169 + 0x2c)))) != 0) {
																_t113 = E6E0267A0(_t150, _t164,  *((intOrPtr*)(_t174 + 0x20)) - 1);
																 *((intOrPtr*)(_t169 + 0x30)) = 1;
																goto L31;
															}
														}
														goto L32;
													}
												}
											}
										} else {
											_t166 =  *((intOrPtr*)(_t174 + 0x1c)) + 1;
											_t170 = E6E01D4F0(_t101, _t144,  *((intOrPtr*)(_t174 + 0x1c)) + 1);
											_t174 = _t174 + 8;
											if(_t170 == 0) {
												L32:
												if(_t169 != 0) {
													E6E01CAD0(_t169);
													_t174 = _t174 + 4;
												}
											} else {
												_t52 = _t170 + 0x14; // 0x14
												_t169 = E6E01D610(_t115, _t144, _t52);
												_t174 = _t174 + 8;
												if(_t169 != 0) {
													_t118 =  *((intOrPtr*)(_t174 + 0x20)) - 1;
													_push(_t118);
													_push( *((intOrPtr*)(_t169 + 0xc)));
													L6E025ACA();
													_t174 = _t174 + 8;
													 *((intOrPtr*)(_t169 + 0x20)) = _t118;
													if(_t118 != 0) {
														_t113 = E6E0267A0(_t118, _t166,  *((intOrPtr*)(_t174 + 0x20)) - 1);
														L31:
														E6E01E4A0(_t113, _t144, _t169);
														_t174 = _t174 + 0x14;
													}
													goto L32;
												}
											}
										}
										_t169 = 0;
										if(_t170 != 0) {
											E6E01CAD0(_t170);
											_t174 = _t174 + 4;
										}
										_t162 =  *((intOrPtr*)(_t174 + 0x10));
										_t170 = 0;
										if( *((intOrPtr*)(_t174 + 0x10)) != 0) {
											E6E01CAD0(_t162);
											_t174 = _t174 + 4;
											 *((intOrPtr*)(_t174 + 0x10)) = 0;
										}
									}
								}
								_t97 =  *((intOrPtr*)(_t174 + 0x38));
								_t99 =  *((intOrPtr*)( *((intOrPtr*)(_t97 + 0x14))))(_t97, _t174 + 0x24, _t174 + 0x18, 7);
								_t174 = _t174 + 0x10;
							} while (_t99 == 0);
							_t89 = E6E01E530( *_t144, 0);
							_t175 = _t174 + 8;
							if(_t89 == 0) {
								_t119 =  *((intOrPtr*)(_t175 + 0x2c));
								 *((intOrPtr*)( *((intOrPtr*)(_t119 + 4))))(_t119);
								return 0;
							} else {
								goto L40;
							}
						}
					}
				} else {
					return _t81 | 0xffffffff;
				}
				L42:
			}

0x6e01db47
0x6e01db4a
0x6e01db4e
0x6e01db56
0x6e01db5e
0x6e01db66
0x6e01db68
0x6e01db6d
0x6e01db80
0x6e01db80
0x6e01db84
0x6e01db8b
0x00000000
0x6e01db9a
0x6e01db9a
0x6e01dba1
0x6e01dbe8
0x6e01dbea
0x6e01dbed
0x6e01dbee
0x6e01dbf3
0x6e01dbf5
0x6e01dbfa
0x6e01dbff
0x6e01dc06
0x6e01dc09
0x6e01dc11
0x6e01dc14
0x6e01dc1c
0x6e01dc1f
0x6e01dc27
0x6e01dc36
0x6e01dc3a
0x6e01dc3f
0x6e01dc42
0x00000000
0x6e01dc42
0x6e01dbfa
0x6e01dba3
0x6e01dba3
0x6e01dba6
0x6e01dba7
0x6e01dbac
0x6e01dbae
0x6e01dbb3
0x6e01dbbe
0x6e01dbc3
0x6e01dbc6
0x6e01dbd2
0x6e01dbd6
0x6e01dbdb
0x6e01dbde
0x6e01dc47
0x6e01dc47
0x6e01dc49
0x6e01dc49
0x6e01dbb3
0x6e01dc57
0x6e01dc5a
0x6e01dc5c
0x6e01dc72
0x6e01dc7a
0x6e01dc7c
0x6e01dc82
0x6e01dc87
0x6e01dc89
0x6e01dc8a
0x6e01dc8f
0x6e01dc8f
0x6e01dc92
0x6e01dc96
0x6e01de73
0x6e01de7d
0x00000000
0x00000000
0x00000000
0x6e01dc96
0x00000000
0x6e01dc9c
0x6e01dca8
0x6e01dcb0
0x6e01dcb2
0x6e01dcb5
0x6e01dcbd
0x6e01dcc7
0x6e01dcc9
0x6e01dcd5
0x6e01dcdf
0x6e01dce5
0x6e01dcea
0x00000000
0x6e01dcf0
0x6e01dcfc
0x6e01dd04
0x6e01dd06
0x6e01dd0b
0x00000000
0x6e01dd11
0x6e01dd11
0x6e01dd16
0x6e01dd1c
0x6e01dd23
0x6e01dd29
0x6e01dd30
0x6e01dd90
0x00000000
0x6e01dd92
0x6e01dd96
0x6e01dd99
0x6e01dd9e
0x6e01dda1
0x6e01dda7
0x00000000
0x6e01dda9
0x6e01dda9
0x6e01ddae
0x6e01ddb3
0x6e01ddb5
0x6e01ddba
0x6e01ddbc
0x6e01ddbe
0x6e01ddc1
0x6e01ddc6
0x6e01ddc9
0x6e01ddce
0x6e01ddd4
0x6e01ddd5
0x6e01ddd6
0x6e01ddd9
0x6e01dde1
0x6e01dde4
0x6e01dde9
0x6e01dded
0x6e01ddf7
0x6e01ddfc
0x00000000
0x6e01ddfc
0x6e01dded
0x00000000
0x6e01ddce
0x6e01ddba
0x6e01dda7
0x6e01dd32
0x6e01dd36
0x6e01dd3e
0x6e01dd40
0x6e01dd45
0x6e01de0d
0x6e01de0f
0x6e01de12
0x6e01de17
0x6e01de17
0x6e01dd4b
0x6e01dd4b
0x6e01dd55
0x6e01dd57
0x6e01dd5c
0x6e01dd66
0x6e01dd67
0x6e01dd68
0x6e01dd6b
0x6e01dd70
0x6e01dd73
0x6e01dd78
0x6e01dd86
0x6e01de03
0x6e01de05
0x6e01de0a
0x6e01de0a
0x00000000
0x6e01dd78
0x6e01dd5c
0x6e01dd45
0x6e01de1a
0x6e01de1e
0x6e01de21
0x6e01de26
0x6e01de26
0x6e01de29
0x6e01de2d
0x6e01de31
0x6e01de34
0x6e01de39
0x6e01de3e
0x6e01de3e
0x6e01de31
0x6e01dd23
0x6e01de4e
0x6e01de56
0x6e01de58
0x6e01de5b
0x6e01de67
0x6e01de6c
0x6e01de71
0x6e01de7e
0x6e01de86
0x6e01de94
0x00000000
0x00000000
0x00000000
0x6e01de71
0x6e01dd0b
0x6e01db71
0x6e01db78
0x6e01db78
0x00000000

APIs

PORT_Alloc_Util.NSSUTIL3(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 6E01DBA7
PR_Lock.NSPR4(00000000,?,?,?,?,?,?,?,?,00000000), ref: 6E01DC5C
PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,00000000), ref: 6E01DC7C
PORT_Free_Util.NSSUTIL3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E01DC8A
PR_Lock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E01DCC9
PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E01DCDF

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: LockUnlockUtil$Alloc_Free_
String ID:
API String ID: 2339651464-0
Opcode ID: 986cc144dae8a5f363ff864386f87767582e87dc3845294735a1e56eb6f7fe85
Instruction ID: 1e9e73c3ef149e4f0781c6231ebfb924c4677c39cc3a800c2a43847cd3c080a9
Opcode Fuzzy Hash: 986cc144dae8a5f363ff864386f87767582e87dc3845294735a1e56eb6f7fe85
Instruction Fuzzy Hash: 7DA1C2715083029FD700DFE4DC80BABBBE8EF95255F040969F959CB245E774E904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E0183F0 Relevance: 15.3, APIs: 10, Instructions: 287
memoryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6E0183F0(void* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, signed int _a28, signed int* _a32, intOrPtr _a36, intOrPtr _a40) {
				char _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t93;
				signed int _t95;
				signed int _t98;
				signed int _t99;
				void* _t102;
				signed int _t104;
				signed int _t105;
				signed int _t107;
				signed int _t108;
				signed int _t110;
				signed int _t111;
				signed int _t113;
				signed int _t114;
				signed int _t118;
				signed int _t132;
				signed int _t135;
				signed int _t139;
				signed int _t142;
				void* _t146;
				signed int _t147;
				intOrPtr _t150;
				signed int _t152;
				signed int _t153;
				signed int _t155;
				signed int* _t162;
				intOrPtr _t165;
				intOrPtr _t166;
				intOrPtr _t167;
				intOrPtr _t169;
				void* _t170;
				signed int _t171;
				signed int _t172;
				char _t173;
				signed int _t174;
				signed int _t175;
				signed int* _t178;
				signed int* _t180;
				signed int* _t181;
				signed int* _t182;
				signed int* _t183;

				_t158 = __edx;
				_t173 = _a4;
				_t93 = E6E019630(_t173);
				_t146 = _t93;
				_t178 =  &(( &_v40)[1]);
				if(_t146 == 0) {
					return _t93;
				}
				_v16 = _a36;
				_t149 = _a8;
				_v12 = _a40;
				_t95 = _a28;
				_t162 = _a32;
				_v32 = _t173;
				_v24 = 0;
				_v20 = 0;
				_v28 = 0;
				_v8 = _t95;
				_v4 = 0;
				if( *((intOrPtr*)(_a8 + 4)) == 0) {
					_t150 = _a12;
					__eflags =  *(_t150 + 4);
					if( *(_t150 + 4) == 0) {
						_t165 = _a16;
						__eflags =  *(_t165 + 4);
						if(__eflags == 0) {
							_t166 = _a20;
							__eflags =  *(_t166 + 4);
							if( *(_t166 + 4) == 0) {
								L19:
								_t167 = _a24;
								__eflags =  *(_t167 + 4);
								if( *(_t167 + 4) == 0) {
									_push(0x28);
									_v4 = 1;
									_v24 = 0xa;
									L6E025A8E();
									_v20 = _t95;
									E6E01F800(_t146, E6E0180C0,  &_v32);
									goto L25;
								}
								_t98 =  *((intOrPtr*)(_t167 + 8)) + 1;
								_push(_t98);
								L6E025A8E();
								_t175 = _t98;
								_t180 =  &(_t178[1]);
								__eflags = _t175;
								if(_t175 == 0) {
									goto L43;
								}
								E6E0267A0(_t175,  *(_t167 + 4),  *((intOrPtr*)(_t167 + 8)));
								 *((char*)( *((intOrPtr*)(_t167 + 8)) + _t175)) = 0;
								_t118 = E6E01F5D0( *((intOrPtr*)(_t167 + 8)), _t146, _t175);
								_t181 =  &(_t180[5]);
								_v40 = _t118;
								__eflags = _t118;
								if(__eflags != 0) {
									_t50 = _t118 + 0x14; // 0x14
									_t170 = _t50;
									E6E017E60( &_v32, E6E01F3C0(__eflags, _t146, _t170));
									_push( &_v32);
									_push(E6E018010);
									_push(_t170);
									_push(_t146);
									E6E01F970(_t158, __eflags);
									L6E01E9E0(_v40);
									_t181 =  &(_t181[9]);
								}
								_push(_t175);
								L6E025A9A();
								_t178 =  &(_t181[1]);
								goto L26;
							}
							__eflags =  *(_t166 + 0x10);
							if( *(_t166 + 0x10) == 0) {
								goto L19;
							}
							__eflags = _t95 & 0x00000001;
							if((_t95 & 0x00000001) != 0) {
								_push(_t166);
								_push(_t146);
								E6E018760(_t158,  &_v32, E6E01EC80());
								_t95 = _a28;
								_t178 =  &(_t178[4]);
							}
							__eflags = _t95 & 0x00000002;
							if((_t95 & 0x00000002) == 0) {
								goto L27;
							} else {
								_push(_t166);
								_push(_t146);
								_t171 = E6E01EF30(_t146);
								_t178 =  &(_t178[2]);
								__eflags = _t171;
								if(_t171 != 0) {
									_push(0x20000000);
									_t41 = _t171 + 8; // 0x8
									_push(_t173);
									E6E017FD0(_t162, E6E019DF0(_t173));
									E6E01EB60(_t162, _t171);
									_t178 =  &(_t178[6]);
								}
								goto L26;
							}
						}
						_t132 = E6E01F3C0(__eflags, _t146, _t165);
						_t178 =  &(_t178[2]);
						_v24 = _t132;
						__eflags = _t132;
						if(__eflags > 0) {
							_t135 = _t132 << 2;
							__eflags = _t135;
							_push(_t135);
							L6E025A8E();
							_t178 =  &(_t178[1]);
							_v20 = _t135;
						}
						_push( &_v32);
						_push(E6E018010);
						_push(_t165);
						_push(_t146);
						E6E01F970(_t158, __eflags);
						goto L25;
					}
					_t98 = _a8 + 1;
					_push(_t98);
					L6E025A8E();
					_t172 = _t98;
					_t182 =  &(_t178[1]);
					__eflags = _t172;
					if(_t172 == 0) {
						goto L43;
					}
					E6E0267A0(_t172, _a4, _a8);
					 *((char*)(_t172 + _a8)) = 0;
					_t139 = E6E01F360(_t146, _t172);
					_t183 =  &(_t182[5]);
					_v24 = _t139;
					__eflags = _t139;
					if(_t139 > 0) {
						_t142 = _t139 << 2;
						__eflags = _t142;
						_push(_t142);
						L6E025A8E();
						_t183 =  &(_t183[1]);
						_v20 = _t142;
					}
					_push( &_v32);
					_push(E6E018010);
					_push(_t172);
					_push(_t146);
					E6E01F830(_t158);
					_push(_t172);
					L6E025A9A();
					_t178 =  &(_t183[5]);
					goto L26;
				} else {
					E6E018760(__edx,  &_v32, E6E01EC20(_t95, _t146, __edx, _t173, _t146, _t149));
					L25:
					_t178 =  &(_t178[4]);
					L26:
					_t95 = _a28;
					L27:
					_t147 = 0;
					if(_v28 <= 0) {
						L41:
						_t98 = _v20;
						if(_t98 != 0) {
							_push(_t98);
							L6E025A9A();
						}
						L43:
						return _t98;
					}
					_t152 = _t95 & 0x00000001;
					_t99 = _t95 & 0x00000002;
					_v36 = _t152;
					_t174 = _t99;
					_a28 = _t99;
					do {
						_t169 =  *((intOrPtr*)(_v20 + _t147 * 4));
						if(_t152 == 0) {
							L34:
							if(_t174 == 0) {
								goto L40;
							}
							_t102 = E6E020180( *((intOrPtr*)(_t169 + 0x90)));
							_t178 =  &(_t178[1]);
							if(_t102 == 0) {
								goto L40;
							}
							_push(0x20000000);
							_push(_t169 + 0x54);
							_push(_a4);
							_t104 = E6E019DF0(_t174);
							_t153 =  *_t162;
							_t178 =  &(_t178[3]);
							_v40 = _t104;
							if(_t153 == 0) {
								goto L40;
							}
							_t105 = _t162[3];
							if(_t162[1] < _t105) {
								L39:
								 *( *_t162 + _t162[1] * 4) = _v40;
								_t162[1] = _t162[1] + 1;
								goto L40;
							}
							_t107 = _t105 + 0xa;
							_t162[3] = _t107;
							_t108 = _t107 << 2;
							_push(_t108);
							_push(_t153);
							L6E025B24();
							_t178 =  &(_t178[2]);
							 *_t162 = _t108;
							if(_t108 == 0) {
								goto L40;
							}
							goto L39;
						}
						_push(0x38000000);
						_push(_t169 + 0x54);
						_push(_a4);
						_t110 = E6E019DF0(_t174);
						_t155 =  *_t162;
						_t178 =  &(_t178[3]);
						_v40 = _t110;
						if(_t155 == 0) {
							goto L34;
						}
						_t111 = _t162[3];
						if(_t162[1] < _t111) {
							L33:
							 *( *_t162 + _t162[1] * 4) = _v40;
							_t162[1] = _t162[1] + 1;
							goto L34;
						}
						_t113 = _t111 + 0xa;
						_t162[3] = _t113;
						_t114 = _t113 << 2;
						_push(_t114);
						_push(_t155);
						L6E025B24();
						_t178 =  &(_t178[2]);
						 *_t162 = _t114;
						if(_t114 == 0) {
							goto L34;
						}
						goto L33;
						L40:
						E6E01E9D0(_t169);
						_t152 = _v36;
						_t147 = _t147 + 1;
						_t178 =  &(_t178[1]);
					} while (_t147 < _v28);
					goto L41;
				}
			}

0x6e0183f0
0x6e0183f5
0x6e0183fa
0x6e0183ff
0x6e018401
0x6e018406
0x6e01875f
0x6e01875f
0x6e018414
0x6e018418
0x6e01841d
0x6e018421
0x6e01842a
0x6e01842e
0x6e018432
0x6e01843a
0x6e018442
0x6e01844a
0x6e01844e
0x6e018456
0x6e01846f
0x6e018473
0x6e018477
0x6e0184e6
0x6e0184ea
0x6e0184ee
0x6e018528
0x6e01852c
0x6e018530
0x6e018595
0x6e018595
0x6e018599
0x6e01859d
0x6e018618
0x6e01861a
0x6e018622
0x6e01862a
0x6e01862f
0x6e01863e
0x00000000
0x6e01863e
0x6e0185a2
0x6e0185a3
0x6e0185a4
0x6e0185a9
0x6e0185ab
0x6e0185ae
0x6e0185b0
0x00000000
0x00000000
0x6e0185bd
0x6e0185c7
0x6e0185cb
0x6e0185d0
0x6e0185d3
0x6e0185d7
0x6e0185d9
0x6e0185db
0x6e0185db
0x6e0185eb
0x6e0185f4
0x6e0185f5
0x6e0185fa
0x6e0185fb
0x6e0185fc
0x6e018605
0x6e01860a
0x6e01860a
0x6e01860d
0x6e01860e
0x6e018613
0x00000000
0x6e018613
0x6e018532
0x6e018536
0x00000000
0x00000000
0x6e018538
0x6e01853a
0x6e01853c
0x6e01853d
0x6e018549
0x6e01854e
0x6e018552
0x6e018552
0x6e018555
0x6e018557
0x00000000
0x6e01855d
0x6e01855d
0x6e01855e
0x6e018564
0x6e018566
0x6e018569
0x6e01856b
0x6e018571
0x6e018576
0x6e01857a
0x6e018582
0x6e018588
0x6e01858d
0x6e01858d
0x00000000
0x6e01856b
0x6e018557
0x6e0184f2
0x6e0184f7
0x6e0184fa
0x6e0184fe
0x6e018500
0x6e018502
0x6e018502
0x6e018505
0x6e018506
0x6e01850b
0x6e01850e
0x6e01850e
0x6e018516
0x6e018517
0x6e01851c
0x6e01851d
0x6e01851e
0x00000000
0x6e01851e
0x6e01847e
0x6e01847f
0x6e018480
0x6e018485
0x6e018487
0x6e01848a
0x6e01848c
0x00000000
0x00000000
0x6e018499
0x6e0184a3
0x6e0184a7
0x6e0184ac
0x6e0184af
0x6e0184b3
0x6e0184b5
0x6e0184b7
0x6e0184b7
0x6e0184ba
0x6e0184bb
0x6e0184c0
0x6e0184c3
0x6e0184c3
0x6e0184cb
0x6e0184cc
0x6e0184d1
0x6e0184d2
0x6e0184d3
0x6e0184d8
0x6e0184d9
0x6e0184de
0x00000000
0x6e018458
0x6e018465
0x6e018643
0x6e018643
0x6e018646
0x6e018646
0x6e01864a
0x6e01864a
0x6e018650
0x6e018747
0x6e018747
0x6e01874d
0x6e01874f
0x6e018750
0x6e018755
0x6e018758
0x00000000
0x6e018759
0x6e018658
0x6e01865b
0x6e01865e
0x6e018662
0x6e018664
0x6e018670
0x6e018674
0x6e018679
0x6e0186ca
0x6e0186cc
0x00000000
0x00000000
0x6e0186d4
0x6e0186d9
0x6e0186de
0x00000000
0x00000000
0x6e0186e0
0x6e0186e8
0x6e0186e9
0x6e0186ed
0x6e0186f2
0x6e0186f4
0x6e0186f7
0x6e0186fd
0x00000000
0x00000000
0x6e0186ff
0x6e018705
0x6e018720
0x6e018729
0x6e01872c
0x00000000
0x6e01872c
0x6e018707
0x6e01870a
0x6e01870d
0x6e018710
0x6e018711
0x6e018712
0x6e018717
0x6e01871a
0x6e01871e
0x00000000
0x00000000
0x00000000
0x6e01871e
0x6e01867b
0x6e018683
0x6e018684
0x6e018688
0x6e01868d
0x6e01868f
0x6e018692
0x6e018698
0x00000000
0x00000000
0x6e01869a
0x6e0186a0
0x6e0186bb
0x6e0186c4
0x6e0186c7
0x00000000
0x6e0186c7
0x6e0186a2
0x6e0186a5
0x6e0186a8
0x6e0186ab
0x6e0186ac
0x6e0186ad
0x6e0186b2
0x6e0186b5
0x6e0186b9
0x00000000
0x00000000
0x00000000
0x6e01872f
0x6e018730
0x6e018735
0x6e018739
0x6e01873a
0x6e01873d
0x00000000
0x6e018670

APIs

PORT_Alloc_Util.NSSUTIL3(00000001), ref: 6E018480
PORT_Alloc_Util.NSSUTIL3(00000000,?,?,?,?,?,?,-00000050,?,?,?,?,?,?,-00000050,?), ref: 6E0184BB
PORT_Free_Util.NSSUTIL3(00000000,00000000,00000000,6E018010,?,?,?,?,?,?,?,-00000050,?,?,?,?), ref: 6E0184D9
PORT_Realloc_Util.NSSUTIL3(?,00000000,?,?,?,?,?,00000000,?,-00000050,?,?,?,?,?,?), ref: 6E0186AD

Part of subcall function 6E01EC20: PORT_NewArena_Util.NSSUTIL3(00000800,00000000,?,00000003,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E01EC2C

Part of subcall function 6E018760: PORT_Alloc_Util.NSSUTIL3(00000004,?,?,6E01854E,?,00000000,00000000,?), ref: 6E018793

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Alloc_$Arena_Free_Realloc_
String ID:
API String ID: 4004297867-0
Opcode ID: b919893deac84de5ed4ba6e95a8a06d61adeea73645b6e302cf401fcfd1b2597
Instruction ID: 6b0c545a24e4e7dcc7ce2b8db5cf75f702c28efa98459fe14f8c7fdca702ad27
Opcode Fuzzy Hash: b919893deac84de5ed4ba6e95a8a06d61adeea73645b6e302cf401fcfd1b2597
Instruction Fuzzy Hash: A3A16DB1408302AFD3109FE4D991BDBB7ECEF45388F404929F9599B211E735EA15CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E013270 Relevance: 15.1, APIs: 10, Instructions: 137
memoryCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E6E013270() {
				signed int _t34;
				intOrPtr* _t36;
				intOrPtr* _t51;
				intOrPtr _t56;
				signed int _t57;
				intOrPtr _t58;
				intOrPtr* _t62;
				void* _t64;
				signed int _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				intOrPtr* _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t73 =  *((intOrPtr*)(_t74 + 0x14));
				_push(8);
				_t34 =  *((intOrPtr*)(_t73 + 0xc));
				 *(_t74 + 0x20) = _t34;
				L6E025A94();
				_t57 = _t34;
				_t75 = _t74 + 4;
				if(_t57 == 0) {
					L18:
					return _t34 | 0xffffffff;
				} else {
					_t68 =  *((intOrPtr*)(_t75 + 0x24));
					_t36 =  *((intOrPtr*)(_t68 + 8));
					 *((intOrPtr*)(_t75 + 0x14)) = _t36;
					if(_t36 == 0) {
						 *((intOrPtr*)(_t75 + 0x14)) = 0x6e035400;
						_t58 = 1;
					} else {
						_t62 = _t36;
						_t64 = _t62 + 1;
						do {
							_t56 =  *_t62;
							_t62 = _t62 + 1;
						} while (_t56 != 0);
						_t58 = _t62 - _t64 + 1;
					}
					 *((intOrPtr*)(_t75 + 0x10)) = _t58;
					_t34 =  *(_t68 + 0x14) + 3 +  *((intOrPtr*)(_t68 + 0x20)) + _t58;
					_push(_t34);
					 *(_t57 + 4) = _t34;
					L6E025A94();
					_t65 = _t34;
					_t76 = _t75 + 4;
					 *_t57 = _t65;
					if(_t65 != 0) {
						 *_t65 =  *((intOrPtr*)(_t76 + 0x1c));
						 *((char*)(_t65 + 1)) =  *(_t68 + 0x14) & 0x000000ff;
						_t42 =  *((intOrPtr*)(_t76 + 0x10));
						 *((char*)(_t65 + 2)) =  *((intOrPtr*)(_t76 + 0x10));
						_t59 =  *(_t68 + 0x14);
						if( *(_t68 + 0x14) != 0) {
							_t20 = _t65 + 3; // 0x3
							E6E0267A0(_t20,  *((intOrPtr*)(_t68 + 0x10)), _t59);
							_t42 =  *((intOrPtr*)(_t76 + 0x1c));
							_t76 = _t76 + 0xc;
						}
						E6E0267A0( *(_t68 + 0x14) + 3 + _t65,  *((intOrPtr*)(_t76 + 0x18)), _t42);
						E6E0267A0( *(_t68 + 0x14) + _t65 +  *((intOrPtr*)(_t76 + 0x20)) + 3,  *((intOrPtr*)(_t68 + 0x1c)),  *((intOrPtr*)(_t68 + 0x20)));
						_t66 =  *((intOrPtr*)(_t73 + 0x1c));
						_t77 = _t76 + 0x18;
						_t69 =  *_t73;
						__imp__PR_Lock(_t66);
						_t51 =  *((intOrPtr*)(_t69 + 0x10));
						if( *((intOrPtr*)(_t77 + 0x2c)) == 0) {
							_push(8);
						} else {
							_push(0);
						}
						_t34 =  *_t51(_t69,  *((intOrPtr*)(_t77 + 0x2c)), _t57);
						__imp__PR_Unlock(_t66);
						_t76 = _t77 + 0x18;
						if(_t34 != 0) {
							L16:
							_push( *_t57);
							goto L17;
						} else {
							_t67 =  *((intOrPtr*)(_t73 + 0x1c));
							_t71 =  *_t73;
							__imp__PR_Lock(_t67);
							_t34 =  *((intOrPtr*)( *((intOrPtr*)(_t71 + 0x18))))(_t71, 0);
							__imp__PR_Unlock(_t67);
							_t76 = _t76 + 0x10;
							if(_t34 != 0) {
								goto L16;
							} else {
								_push( *_t57);
								L6E025A9A();
								_push(_t57);
								L6E025A9A();
								return 0;
							}
						}
					} else {
						_push(_t34);
						L17:
						L6E025A9A();
						_push(_t57);
						L6E025A9A();
						goto L18;
					}
				}
			}

0x6e013275
0x6e01327b
0x6e01327d
0x6e013280
0x6e013284
0x6e013289
0x6e01328b
0x6e013290
0x6e0133d8
0x6e0133df
0x6e013296
0x6e013296
0x6e01329a
0x6e01329d
0x6e0132a3
0x6e0132bc
0x6e0132c4
0x6e0132a5
0x6e0132a5
0x6e0132a7
0x6e0132b0
0x6e0132b0
0x6e0132b2
0x6e0132b3
0x6e0132b9
0x6e0132b9
0x6e0132cf
0x6e0132d6
0x6e0132d8
0x6e0132d9
0x6e0132dc
0x6e0132e1
0x6e0132e3
0x6e0132e6
0x6e0132ea
0x6e0132f6
0x6e0132fc
0x6e0132ff
0x6e013303
0x6e013306
0x6e01330b
0x6e013311
0x6e013315
0x6e01331a
0x6e01331e
0x6e01331e
0x6e01332f
0x6e013349
0x6e01334e
0x6e013351
0x6e013354
0x6e013358
0x6e013363
0x6e013366
0x6e01336c
0x6e013368
0x6e013368
0x6e013368
0x6e013374
0x6e013379
0x6e01337f
0x6e013384
0x6e0133c5
0x6e0133c5
0x00000000
0x6e013386
0x6e013386
0x6e013389
0x6e01338d
0x6e013399
0x6e01339e
0x6e0133a4
0x6e0133a9
0x00000000
0x6e0133ab
0x6e0133ab
0x6e0133ad
0x6e0133b2
0x6e0133b3
0x6e0133c4
0x6e0133c4
0x6e0133a9
0x6e0132ec
0x6e0132ec
0x6e0133c7
0x6e0133c7
0x6e0133cc
0x6e0133cd
0x00000000
0x6e0133d2
0x6e0132ea

APIs

PORT_ZAlloc_Util.NSSUTIL3(00000008,?,?,00000000,?,00000000,00000001), ref: 6E013284
PORT_ZAlloc_Util.NSSUTIL3(?), ref: 6E0132DC
PR_Lock.NSPR4(00000000,?,?,?,?,?,?,?,?,00000000,00000001), ref: 6E013358
PR_Unlock.NSPR4(00000000), ref: 6E013379
PR_Lock.NSPR4(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E01338D
PR_Unlock.NSPR4(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E01339E
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E0133AD
PORT_Free_Util.NSSUTIL3(00000000,00000000), ref: 6E0133B3
PORT_Free_Util.NSSUTIL3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E0133C7
PORT_Free_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E0133CD

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Free_$Alloc_LockUnlock
String ID:
API String ID: 1806254683-0
Opcode ID: 37241fc8cfca165886d48d652ce8e42dd7d7b25636c4d6810f33ad2814a7d582
Instruction ID: 9fb9063f164e28112675014b41a04e272ed6f966fa792c62ec57778e5bcd4a64
Opcode Fuzzy Hash: 37241fc8cfca165886d48d652ce8e42dd7d7b25636c4d6810f33ad2814a7d582
Instruction Fuzzy Hash: BC4123755083429FCB108FE8DC45B9BBBF9FF89214F080929EC959B301D734E9198BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E01D4F0 Relevance: 15.1, APIs: 10, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E6E01D4F0(intOrPtr __eax, intOrPtr _a4, intOrPtr _a8) {
				char _v12;
				intOrPtr _v16;
				char _v24;
				void* _t12;
				void* _t16;
				void* _t18;
				intOrPtr _t24;
				void* _t26;
				void* _t27;
				void* _t28;
				void* _t29;

				_push(0x800);
				L6E025ABE();
				_t22 = __eax;
				_t26 =  &_v24 + 4;
				if(__eax != 0) {
					_push(0x800);
					L6E025ABE();
					_t23 = __eax;
					_t27 = _t26 + 4;
					if(__eax != 0) {
						_push(0x20);
						_push(__eax);
						L6E025ACA();
						_t24 = __eax;
						_t28 = _t27 + 8;
						if(__eax != 0) {
							 *((intOrPtr*)(__eax + 0xc)) = __eax;
							 *((intOrPtr*)(__eax)) = 2;
							_t12 = E6E01CC90(_a8, __eax,  &_v12);
							_t29 = _t28 + 0xc;
							if(_t12 != 0) {
								goto L7;
							} else {
								_t16 = E6E01D3D0(_a4, _t24,  &_v12,  &_v24, _t23);
								_t29 = _t29 + 0x14;
								if(_t16 == 0xffffffff) {
									goto L7;
								} else {
									if(_v16 >= 2) {
										_t18 = E6E01C010( &_v24, _t24,  &_v24, _a8);
										_t29 = _t29 + 0xc;
										if(_t18 != 0) {
											goto L7;
										} else {
											_push(_t18);
											_push(_t23);
											L6E025AC4();
											return _t24;
										}
									} else {
										_push(0xffffe012);
										goto L6;
									}
								}
							}
						} else {
							_push(0xffffe013);
							L6:
							L6E025AB2();
							_t29 = _t29 + 4;
							L7:
							_push(0);
							_push(_t23);
							L6E025AC4();
							_push(0);
							L6E025AC4();
							return 0;
						}
					} else {
						_push(0xffffe013);
						L6E025AB2();
						_push(__eax);
						_push(__eax);
						L6E025AC4();
						return 0;
					}
				} else {
					_push(0xffffe013);
					L6E025AB2();
					return 0;
				}
			}

0x6e01d4f6
0x6e01d4fb
0x6e01d500
0x6e01d502
0x6e01d507
0x6e01d51f
0x6e01d524
0x6e01d529
0x6e01d52b
0x6e01d530
0x6e01d552
0x6e01d554
0x6e01d555
0x6e01d55a
0x6e01d55c
0x6e01d561
0x6e01d593
0x6e01d59c
0x6e01d5a2
0x6e01d5a7
0x6e01d5ac
0x00000000
0x6e01d5ae
0x6e01d5be
0x6e01d5c3
0x6e01d5c9
0x00000000
0x6e01d5cb
0x6e01d5d0
0x6e01d5e3
0x6e01d5e8
0x6e01d5ed
0x00000000
0x6e01d5ef
0x6e01d5ef
0x6e01d5f0
0x6e01d5f1
0x6e01d601
0x6e01d601
0x6e01d5d2
0x6e01d5d2
0x00000000
0x6e01d5d2
0x6e01d5d0
0x6e01d5c9
0x6e01d563
0x6e01d563
0x6e01d568
0x6e01d568
0x6e01d56d
0x6e01d570
0x6e01d570
0x6e01d572
0x6e01d573
0x6e01d57b
0x6e01d57e
0x6e01d58e
0x6e01d58e
0x6e01d532
0x6e01d532
0x6e01d537
0x6e01d53f
0x6e01d540
0x6e01d541
0x6e01d551
0x6e01d551
0x6e01d509
0x6e01d509
0x6e01d50e
0x6e01d51e
0x6e01d51e

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,?,6E01E039,?,00000000,?,?,?,?,?,00000000), ref: 6E01D4FB
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,6E01E039,?,00000000,?,?,?,?,?,00000000), ref: 6E01D50E
PORT_NewArena_Util.NSSUTIL3(00000800,?,?,6E01E039,?,00000000,?,?,?,?,?,00000000), ref: 6E01D524
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,6E01E039,?,00000000,?,?,?,?,?,00000000), ref: 6E01D537
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,6E01E039,?,00000000,?,?,?,?,?,00000000), ref: 6E01D541

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_$Error_$Free
String ID:
API String ID: 1635372823-0
Opcode ID: c5170f68dbcfe0a35d985cd0b86dba9b0ce29788379144870b0a4c0198d50f1e
Instruction ID: c6dbb34a66264dcf2c6f4e84dc87fc273583bf8f117d4813d3353cd4ac66f217
Opcode Fuzzy Hash: c5170f68dbcfe0a35d985cd0b86dba9b0ce29788379144870b0a4c0198d50f1e
Instruction Fuzzy Hash: B5212EB69082102AE31065E85C82FDB72ECDB9027FF540939FD059A245F629D21946F7

Uniqueness

Uniqueness Score: -1.00%

Function 6E01F5D0 Relevance: 15.1, APIs: 10, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E6E01F5D0(intOrPtr __eax, intOrPtr _a4, intOrPtr _a8) {
				char _v12;
				intOrPtr _v16;
				char _v24;
				void* _t12;
				void* _t16;
				void* _t18;
				intOrPtr _t24;
				void* _t26;
				void* _t27;
				void* _t28;
				void* _t29;

				_push(0x800);
				L6E025ABE();
				_t22 = __eax;
				_t26 =  &_v24 + 4;
				if(__eax != 0) {
					_push(0x800);
					L6E025ABE();
					_t23 = __eax;
					_t27 = _t26 + 4;
					if(__eax != 0) {
						_push(0x38);
						_push(__eax);
						L6E025ACA();
						_t24 = __eax;
						_t28 = _t27 + 8;
						if(__eax != 0) {
							 *((intOrPtr*)(__eax + 0xc)) = __eax;
							 *((intOrPtr*)(__eax)) = 6;
							_t12 = E6E01CCF0(_a8, __eax,  &_v12);
							_t29 = _t28 + 0xc;
							if(_t12 != 0) {
								goto L7;
							} else {
								_t16 = E6E01D3D0(_a4, _t24,  &_v12,  &_v24, _t23);
								_t29 = _t29 + 0x14;
								if(_t16 == 0xffffffff) {
									goto L7;
								} else {
									if(_v16 >= 6) {
										_t18 = E6E01C0F0(_t24,  &_v24, _a8);
										_t29 = _t29 + 0xc;
										if(_t18 != 0) {
											goto L7;
										} else {
											_push(_t18);
											_push(_t23);
											L6E025AC4();
											return _t24;
										}
									} else {
										_push(0xffffe012);
										goto L6;
									}
								}
							}
						} else {
							_push(0xffffe013);
							L6:
							L6E025AB2();
							_t29 = _t29 + 4;
							L7:
							_push(0);
							_push(_t23);
							L6E025AC4();
							_push(0);
							L6E025AC4();
							return 0;
						}
					} else {
						_push(0xffffe013);
						L6E025AB2();
						_push(__eax);
						_push(__eax);
						L6E025AC4();
						return 0;
					}
				} else {
					_push(0xffffe013);
					L6E025AB2();
					return 0;
				}
			}

0x6e01f5d6
0x6e01f5db
0x6e01f5e0
0x6e01f5e2
0x6e01f5e7
0x6e01f5ff
0x6e01f604
0x6e01f609
0x6e01f60b
0x6e01f610
0x6e01f632
0x6e01f634
0x6e01f635
0x6e01f63a
0x6e01f63c
0x6e01f641
0x6e01f673
0x6e01f67c
0x6e01f682
0x6e01f687
0x6e01f68c
0x00000000
0x6e01f68e
0x6e01f69e
0x6e01f6a3
0x6e01f6a9
0x00000000
0x6e01f6ab
0x6e01f6b0
0x6e01f6c3
0x6e01f6c8
0x6e01f6cd
0x00000000
0x6e01f6cf
0x6e01f6cf
0x6e01f6d0
0x6e01f6d1
0x6e01f6e1
0x6e01f6e1
0x6e01f6b2
0x6e01f6b2
0x00000000
0x6e01f6b2
0x6e01f6b0
0x6e01f6a9
0x6e01f643
0x6e01f643
0x6e01f648
0x6e01f648
0x6e01f64d
0x6e01f650
0x6e01f650
0x6e01f652
0x6e01f653
0x6e01f65b
0x6e01f65e
0x6e01f66e
0x6e01f66e
0x6e01f612
0x6e01f612
0x6e01f617
0x6e01f61f
0x6e01f620
0x6e01f621
0x6e01f631
0x6e01f631
0x6e01f5e9
0x6e01f5e9
0x6e01f5ee
0x6e01f5fe
0x6e01f5fe

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,?,?,?,?,00000000,?,?,6E01E14B,?,?,?,?), ref: 6E01F5DB
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,00000000,?,?,6E01E14B,?,?,?,?,?), ref: 6E01F5EE
PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,?,?,00000000,?,?,6E01E14B,?,?,?,?,?), ref: 6E01F604
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,00000000,?,?,6E01E14B,?,?,?,?,?), ref: 6E01F617
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6E01E14B,?,?,?), ref: 6E01F621

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_$Error_$Free
String ID:
API String ID: 1635372823-0
Opcode ID: 5247ed791957a70efc97d4da1443f24d8cef8338698ca8d67db628b5deb655da
Instruction ID: 953db6507288418565de6a43a2bef5f6eaa630bf42ba8466fdb60e0283c34c5a
Opcode Fuzzy Hash: 5247ed791957a70efc97d4da1443f24d8cef8338698ca8d67db628b5deb655da
Instruction Fuzzy Hash: 75213EB69482012AE61065E45C82FDB32DCDFD02BAF54093AFD059A254F629D11D42F7

Uniqueness

Uniqueness Score: -1.00%

Function 6E01C990 Relevance: 15.1, APIs: 10, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E6E01C990(void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				void* __edi;
				intOrPtr _t19;
				intOrPtr _t28;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr* _t33;
				void* _t34;
				void* _t37;
				void* _t38;
				void* _t40;

				_t34 = __esi;
				_t33 = _a4;
				if(_t33 == 0) {
					return _t19;
				} else {
					_t3 = _t33 + 4; // 0xc0335d5e
					_t28 =  *_t3;
					if(_a8 != 0 && _t28 != 0) {
						__imp__PR_EnterMonitor( *((intOrPtr*)(_t28 + 4)));
						_t37 = _t37 + 4;
					}
					__imp__PR_Lock( *0x6e03d988, _t34);
					 *((intOrPtr*)(_t33 + 0x94)) =  *((intOrPtr*)(_t33 + 0x94)) - 1;
					_t7 = _t33 + 0x94; // 0x24a4
					__imp__PR_Unlock( *0x6e03d988);
					_t38 = _t37 + 8;
					if( *_t7 == 0) {
						_t8 = _t33 + 0x6c; // 0xb60f1374
						_t20 =  *_t8;
						if( *_t8 != 0) {
							E6E01CAD0(_t20);
							_t38 = _t38 + 4;
						}
						_t9 = _t33 + 0x88; // 0x89f633cb
						_t30 =  *_t9;
						if(_t30 != 0) {
							_t10 = _t33 + 0x98; // 0x6e01a20e
							if(_t30 != _t10) {
								_push(_t30);
								L6E025A9A();
								_t38 = _t38 + 4;
							}
						}
						_t11 = _t33 + 0x8c; // 0xeb30244c
						_t31 =  *_t11;
						if(_t31 != 0) {
							_t12 = _t33 + 0x160; // 0x6e01a2d6
							if(_t31 != _t12) {
								_push(_t31);
								L6E025A9A();
								_t38 = _t38 + 4;
							}
						}
						_t13 = _t33 + 0x58; // 0x2428d7f
						_t32 =  *_t13;
						if(_t32 != 0) {
							_t14 = _t33 + 0x228; // 0x6e01a39e
							if(_t32 != _t14) {
								_push(_t32);
								L6E025A9A();
								_t38 = _t38 + 4;
							}
						}
						 *((intOrPtr*)(_t33 + 0x58)) = 0;
						 *((intOrPtr*)(_t33 + 0x88)) = 0;
						E6E026D20(_t33, _t33, 0, 0x428);
						__imp__PR_Lock( *0x6e03d990);
						_t19 =  *0x6e03d978; // 0x0
						_t40 = _t38 + 0x10;
						if(_t19 <= 0xa) {
							 *0x6e03d978 = _t19 + 1;
							_t19 =  *0x6e03d96c; // 0x0
							 *_t33 = _t19;
							 *0x6e03d96c = _t33;
						} else {
							_push(_t33);
							L6E025A9A();
							_t40 = _t40 + 4;
						}
						__imp__PR_Unlock( *0x6e03d990);
						_t38 = _t40 + 4;
					}
					if(_a8 != 0 && _t28 != 0) {
						__imp__PR_ExitMonitor( *((intOrPtr*)(_t28 + 4)));
					}
					return _t19;
				}
			}

0x6e01c990
0x6e01c991
0x6e01c997
0x6e01caca
0x6e01c99d
0x6e01c9a3
0x6e01c9a3
0x6e01c9a6
0x6e01c9af
0x6e01c9b5
0x6e01c9b5
0x6e01c9bf
0x6e01c9c5
0x6e01c9d1
0x6e01c9d7
0x6e01c9dd
0x6e01c9e3
0x6e01c9e9
0x6e01c9e9
0x6e01c9ee
0x6e01c9f1
0x6e01c9f6
0x6e01c9f6
0x6e01c9f9
0x6e01c9f9
0x6e01ca01
0x6e01ca03
0x6e01ca0b
0x6e01ca0d
0x6e01ca0e
0x6e01ca13
0x6e01ca13
0x6e01ca0b
0x6e01ca16
0x6e01ca16
0x6e01ca1e
0x6e01ca20
0x6e01ca28
0x6e01ca2a
0x6e01ca2b
0x6e01ca30
0x6e01ca30
0x6e01ca28
0x6e01ca33
0x6e01ca33
0x6e01ca38
0x6e01ca3a
0x6e01ca42
0x6e01ca44
0x6e01ca45
0x6e01ca4a
0x6e01ca4a
0x6e01ca42
0x6e01ca55
0x6e01ca5c
0x6e01ca66
0x6e01ca71
0x6e01ca77
0x6e01ca7c
0x6e01ca82
0x6e01ca90
0x6e01ca95
0x6e01ca9a
0x6e01ca9c
0x6e01ca84
0x6e01ca84
0x6e01ca85
0x6e01ca8a
0x6e01ca8a
0x6e01caa8
0x6e01caae
0x6e01caae
0x6e01cab6
0x6e01cabf
0x6e01cac5
0x00000000
0x6e01cac8

APIs

PR_EnterMonitor.NSPR4(?,?,0000002C,6E01E9DB,6E01A176), ref: 6E01C9AF
PR_Lock.NSPR4(00000000,?,0000002C,6E01E9DB,6E01A176), ref: 6E01C9BF
PR_Unlock.NSPR4(?,?,00000000,?,00000000,?,6E01E01A,?,?,?,00000000), ref: 6E01C9D7
PORT_Free_Util.NSSUTIL3(89F633CB,00000000,?,?,00000000,?,00000000,?,6E01E01A,?,?,?,00000000), ref: 6E01CA0E
PORT_Free_Util.NSSUTIL3(EB30244C,00000000,?,?,00000000,?,00000000,?,6E01E01A,?,?,?,00000000), ref: 6E01CA2B
PORT_Free_Util.NSSUTIL3(02428D7F,00000000,?,?,00000000,?,00000000,?,6E01E01A,?,?,?,00000000), ref: 6E01CA45
PR_Lock.NSPR4(6E01A176,00000000,00000428,00000000,?,?,00000000,?,00000000,?,6E01E01A,?,?,?,00000000), ref: 6E01CA71
PORT_Free_Util.NSSUTIL3(6E01A176,?,?,?,?,?,?,?,?,?,?,00000000,?,6E01E01A,?,?), ref: 6E01CA85
PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,?,?,00000000,?,6E01E01A,?,?), ref: 6E01CAA8
PR_ExitMonitor.NSPR4(?), ref: 6E01CABF

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Free_Util$LockMonitorUnlock$EnterExit
String ID:
API String ID: 1753137619-0
Opcode ID: 7dcbc9656f66706d1e3faf945576a8d96f8639442246a80df08fa71894ddc824
Instruction ID: 5bbec364cfd325f029d290f6c1364b32a4096d397bd96383fdd8b0ca71d0cfde
Opcode Fuzzy Hash: 7dcbc9656f66706d1e3faf945576a8d96f8639442246a80df08fa71894ddc824
Instruction Fuzzy Hash: 7731D570604603AFEF59CFE4D8D4B9AB7E6BF01349F440539E8199E211D731E464CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E01E9F0 Relevance: 15.1, APIs: 10, Instructions: 75COMMON

Download Yara Rule

APIs

PR_Lock.NSPR4(00F3FCA0,?,?,6E01939E), ref: 6E01EA06
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E01EA25
PR_Unlock.NSPR4 ref: 6E01EA4E
PR_Lock.NSPR4 ref: 6E01EA56
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E01EA74
PR_Unlock.NSPR4 ref: 6E01EA97
PR_Lock.NSPR4 ref: 6E01EA9F
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E01EABE
PR_Unlock.NSPR4 ref: 6E01EAE1
PR_DestroyLock.NSPR4 ref: 6E01EAE9

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Lock$Free_UnlockUtil$Destroy
String ID:
API String ID: 4081554446-0
Opcode ID: 5a7b44322e34a668bdeff98be1b0891edb8774afbe2ed336475c6913f3ba0472
Instruction ID: 50b091ac99167d1ddf9a5bf2335613443cda66cce4793ab7a55609a8ba2c0040
Opcode Fuzzy Hash: 5a7b44322e34a668bdeff98be1b0891edb8774afbe2ed336475c6913f3ba0472
Instruction Fuzzy Hash: 0D213AB0626A038BDF209FB8DC60A0A3BE7FB46344B45002BE819DB251EB31E425CF55

Uniqueness

Uniqueness Score: -1.00%

Function 6E02CE7C Relevance: 15.1, APIs: 10, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6E02CE7C(void* __edx, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;
				void* _t72;

				_t72 = __esi;
				_t71 = __edx;
				_t36 = _a4;
				_t67 =  *_a4;
				_t76 = _t67 - 0x6e036628;
				if(_t67 != 0x6e036628) {
					E6E02C4BF(_t67);
					_t36 = _a4;
				}
				E6E02C4BF( *((intOrPtr*)(_t36 + 0x3c)));
				E6E02C4BF( *((intOrPtr*)(_a4 + 0x30)));
				E6E02C4BF( *((intOrPtr*)(_a4 + 0x34)));
				E6E02C4BF( *((intOrPtr*)(_a4 + 0x38)));
				E6E02C4BF( *((intOrPtr*)(_a4 + 0x28)));
				E6E02C4BF( *((intOrPtr*)(_a4 + 0x2c)));
				E6E02C4BF( *((intOrPtr*)(_a4 + 0x40)));
				E6E02C4BF( *((intOrPtr*)(_a4 + 0x44)));
				E6E02C4BF( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E6E02CCC4(_t71, _t76);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E6E02CD25(_t71, _t72, _t76);
			}

0x6e02ce7c
0x6e02ce7c
0x6e02ce81
0x6e02ce87
0x6e02ce89
0x6e02ce8f
0x6e02ce92
0x6e02ce97
0x6e02ce9a
0x6e02ce9e
0x6e02cea9
0x6e02ceb4
0x6e02cebf
0x6e02ceca
0x6e02ced5
0x6e02cee0
0x6e02ceeb
0x6e02cef9
0x6e02cf04
0x6e02cf0c
0x6e02cf0d
0x6e02cf10
0x6e02cf16
0x6e02cf1a
0x6e02cf1e
0x6e02cf1f
0x6e02cf29
0x6e02cf2f
0x6e02cf30
0x6e02cf33
0x6e02cf39
0x6e02cf3d
0x6e02cf41
0x6e02cf4a

APIs

_free.LIBCMT ref: 6E02CE92

Part of subcall function 6E02C4BF: HeapFree.KERNEL32(00000000,00000000,?,6E03109E,?,00000000,?,00000000,?,6E0310C5,?,00000007,?,?,6E030D6A,?), ref: 6E02C4D5
Part of subcall function 6E02C4BF: GetLastError.KERNEL32(?,?,6E03109E,?,00000000,?,00000000,?,6E0310C5,?,00000007,?,?,6E030D6A,?,?), ref: 6E02C4E7

_free.LIBCMT ref: 6E02CE9E
_free.LIBCMT ref: 6E02CEA9
_free.LIBCMT ref: 6E02CEB4
_free.LIBCMT ref: 6E02CEBF
_free.LIBCMT ref: 6E02CECA
_free.LIBCMT ref: 6E02CED5
_free.LIBCMT ref: 6E02CEE0
_free.LIBCMT ref: 6E02CEEB
_free.LIBCMT ref: 6E02CEF9

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 30f6a18dfff3b73c88ab47e56ab174e82777912d649f81ff6353d9fb137c6f5f
Instruction ID: 49a36da061f5bdd2c6a517b84d08ae6db8b34e65e1bf431d742be40943b87b46
Opcode Fuzzy Hash: 30f6a18dfff3b73c88ab47e56ab174e82777912d649f81ff6353d9fb137c6f5f
Instruction Fuzzy Hash: 7921697AD00118AFDB41DFD4C890EEE7BF9EF08354F1145A6E6199F221DB36DA548B80

Uniqueness

Uniqueness Score: -1.00%

Function 6E02B869 Relevance: 13.8, APIs: 9, Instructions: 300
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6E02B869(signed int _a4, void* _a8, unsigned int _a12) {
				signed int _v5;
				char _v6;
				void* _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				long _v36;
				void* _v40;
				long _v44;
				signed int* _t139;
				signed int _t141;
				intOrPtr _t145;
				signed int _t149;
				signed int _t151;
				signed char _t153;
				unsigned int _t154;
				intOrPtr _t158;
				void* _t159;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t171;
				signed int _t172;
				intOrPtr _t174;
				signed int _t176;
				signed int _t180;
				char _t187;
				char* _t188;
				char _t195;
				char* _t196;
				signed char _t207;
				signed int _t209;
				long _t211;
				signed int _t212;
				char _t214;
				signed char _t218;
				signed int _t219;
				unsigned int _t220;
				intOrPtr _t221;
				unsigned int _t225;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				signed char _t232;
				signed int _t233;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t242;
				void* _t244;
				void* _t245;

				_t209 = _a4;
				if(_t209 != 0xfffffffe) {
					__eflags = _t209;
					if(_t209 < 0) {
						L58:
						_t139 = E6E02829E();
						 *_t139 =  *_t139 & 0x00000000;
						__eflags =  *_t139;
						 *((intOrPtr*)(E6E0282B1())) = 9;
						L59:
						_t141 = E6E02D4C0();
						goto L60;
					}
					__eflags = _t209 -  *0x6e03e120; // 0x40
					if(__eflags >= 0) {
						goto L58;
					}
					_v24 = 1;
					_t235 = _t209 >> 6;
					_t231 = (_t209 & 0x0000003f) * 0x30;
					_v20 = _t235;
					_t145 =  *((intOrPtr*)(0x6e03df20 + _t235 * 4));
					_v28 = _t231;
					_t218 =  *((intOrPtr*)(_t145 + _t231 + 0x28));
					_v5 = _t218;
					__eflags = _t218 & 0x00000001;
					if((_t218 & 0x00000001) == 0) {
						goto L58;
					}
					_t219 = _a12;
					__eflags = _t219 - 0x7fffffff;
					if(_t219 <= 0x7fffffff) {
						__eflags = _t219;
						if(_t219 == 0) {
							L57:
							return 0;
						}
						__eflags = _v5 & 0x00000002;
						if((_v5 & 0x00000002) != 0) {
							goto L57;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							goto L6;
						}
						_t149 =  *((intOrPtr*)(_t145 + _t231 + 0x29));
						_v5 = _t149;
						_v32 =  *((intOrPtr*)(_t145 + _t231 + 0x18));
						_t242 = 0;
						_t151 = _t149 - 1;
						__eflags = _t151;
						if(_t151 == 0) {
							_t232 = _v24;
							_t153 =  !_t219;
							__eflags = _t232 & _t153;
							if((_t232 & _t153) != 0) {
								_t154 = 4;
								_t220 = _t219 >> 1;
								_v16 = _t154;
								__eflags = _t220 - _t154;
								if(_t220 >= _t154) {
									_t154 = _t220;
									_v16 = _t220;
								}
								_t242 = E6E02C4F9(_t220, _t154);
								E6E02C4BF(0);
								E6E02C4BF(0);
								_t245 = _t244 + 0xc;
								_v12 = _t242;
								__eflags = _t242;
								if(_t242 != 0) {
									_t158 = E6E02A93D(_t209, 0, 0, _v24);
									_t221 =  *((intOrPtr*)(0x6e03df20 + _t235 * 4));
									_t244 = _t245 + 0x10;
									_t236 = _v28;
									 *((intOrPtr*)(_t221 + _t236 + 0x20)) = _t158;
									_t159 = _t242;
									 *(_t221 + _t236 + 0x24) = _t232;
									_t231 = _t236;
									_t219 = _v16;
									L21:
									_t237 = 0;
									_v40 = _t159;
									_t211 =  *((intOrPtr*)(0x6e03df20 + _v20 * 4));
									_v36 = _t211;
									__eflags =  *(_t211 + _t231 + 0x28) & 0x00000048;
									_t212 = _a4;
									if(( *(_t211 + _t231 + 0x28) & 0x00000048) != 0) {
										_t214 =  *((intOrPtr*)(_v36 + _t231 + 0x2a));
										_v6 = _t214;
										__eflags = _t214 - 0xa;
										_t212 = _a4;
										if(_t214 != 0xa) {
											__eflags = _t219;
											if(_t219 != 0) {
												_t237 = _v24;
												 *_t159 = _v6;
												_t212 = _a4;
												_t228 = _t219 - 1;
												__eflags = _v5;
												_v12 = _t159 + 1;
												_v16 = _t228;
												 *((char*)( *((intOrPtr*)(0x6e03df20 + _v20 * 4)) + _t231 + 0x2a)) = 0xa;
												if(_v5 != 0) {
													_t187 =  *((intOrPtr*)( *((intOrPtr*)(0x6e03df20 + _v20 * 4)) + _t231 + 0x2b));
													_v6 = _t187;
													__eflags = _t187 - 0xa;
													if(_t187 != 0xa) {
														__eflags = _t228;
														if(_t228 != 0) {
															_t188 = _v12;
															_t237 = 2;
															 *_t188 = _v6;
															_t212 = _a4;
															_t229 = _t228 - 1;
															_v12 = _t188 + 1;
															_v16 = _t229;
															 *((char*)( *((intOrPtr*)(0x6e03df20 + _v20 * 4)) + _t231 + 0x2b)) = 0xa;
															__eflags = _v5 - _v24;
															if(_v5 == _v24) {
																_t195 =  *((intOrPtr*)( *((intOrPtr*)(0x6e03df20 + _v20 * 4)) + _t231 + 0x2c));
																_v6 = _t195;
																__eflags = _t195 - 0xa;
																if(_t195 != 0xa) {
																	__eflags = _t229;
																	if(_t229 != 0) {
																		_t196 = _v12;
																		_t237 = 3;
																		 *_t196 = _v6;
																		_t212 = _a4;
																		_t230 = _t229 - 1;
																		__eflags = _t230;
																		_v12 = _t196 + 1;
																		_v16 = _t230;
																		 *((char*)( *((intOrPtr*)(0x6e03df20 + _v20 * 4)) + _t231 + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E6E030822(_t212);
									__eflags = _t160;
									if(_t160 == 0) {
										L41:
										_v24 = 0;
										L42:
										_t163 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L53:
											_t164 = GetLastError();
											_t237 = 5;
											__eflags = _t164 - _t237;
											if(_t164 != _t237) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L37:
													E6E02827B(_t164);
													goto L38;
												}
												_t238 = 0;
												goto L39;
											}
											 *((intOrPtr*)(E6E0282B1())) = 9;
											 *(E6E02829E()) = _t237;
											goto L38;
										}
										_t225 = _a12;
										__eflags = _v36 - _t225;
										if(_v36 > _t225) {
											goto L53;
										}
										_t238 = _t237 + _v36;
										__eflags = _t238;
										L45:
										_t233 = _v28;
										_t171 =  *((intOrPtr*)(0x6e03df20 + _v20 * 4));
										__eflags =  *((char*)(_t171 + _t233 + 0x28));
										if( *((char*)(_t171 + _t233 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v24;
												_push(_t238 >> 1);
												_push(_v40);
												_push(_t212);
												if(_v24 == 0) {
													_t172 = E6E02B3EA();
												} else {
													_t172 = E6E02B6E9();
												}
											} else {
												_t226 = _t225 >> 1;
												__eflags = _t225 >> 1;
												_t172 = E6E02B592(_t225 >> 1, _t225 >> 1, _t212, _v12, _t238, _a8, _t226);
											}
											_t238 = _t172;
										}
										goto L39;
									}
									_t227 = _v28;
									_t174 =  *((intOrPtr*)(0x6e03df20 + _v20 * 4));
									__eflags =  *((char*)(_t174 + _t227 + 0x28));
									if( *((char*)(_t174 + _t227 + 0x28)) >= 0) {
										goto L41;
									}
									_t176 = GetConsoleMode(_v32,  &_v44);
									__eflags = _t176;
									if(_t176 == 0) {
										goto L41;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L42;
									}
									_t180 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
									__eflags = _t180;
									if(_t180 != 0) {
										_t225 = _a12;
										_t238 = _t237 + _v36 * 2;
										goto L45;
									}
									_t164 = GetLastError();
									goto L37;
								} else {
									 *((intOrPtr*)(E6E0282B1())) = 0xc;
									 *(E6E02829E()) = 8;
									L38:
									_t238 = _t237 | 0xffffffff;
									__eflags = _t238;
									L39:
									E6E02C4BF(_t242);
									return _t238;
								}
							}
							L15:
							 *(E6E02829E()) =  *_t202 & _t242;
							 *((intOrPtr*)(E6E0282B1())) = 0x16;
							E6E02D4C0();
							goto L38;
						}
						__eflags = _t151 != 1;
						if(_t151 != 1) {
							L13:
							_t159 = _a8;
							_v16 = _t219;
							_v12 = _t159;
							goto L21;
						}
						_t207 =  !_t219;
						__eflags = _t207 & 0x00000001;
						if((_t207 & 0x00000001) == 0) {
							goto L15;
						}
						goto L13;
					}
					L6:
					 *(E6E02829E()) =  *_t147 & 0x00000000;
					 *((intOrPtr*)(E6E0282B1())) = 0x16;
					goto L59;
				} else {
					 *(E6E02829E()) =  *_t208 & 0x00000000;
					_t141 = E6E0282B1();
					 *_t141 = 9;
					L60:
					return _t141 | 0xffffffff;
				}
			}

0x6e02b872
0x6e02b879
0x6e02b893
0x6e02b895
0x6e02bbfd
0x6e02bbfd
0x6e02bc02
0x6e02bc02
0x6e02bc0a
0x6e02bc10
0x6e02bc10
0x00000000
0x6e02bc10
0x6e02b89b
0x6e02b8a1
0x00000000
0x00000000
0x6e02b8a9
0x6e02b8b5
0x6e02b8b8
0x6e02b8bb
0x6e02b8be
0x6e02b8c5
0x6e02b8c8
0x6e02b8cc
0x6e02b8cf
0x6e02b8d2
0x00000000
0x00000000
0x6e02b8d8
0x6e02b8db
0x6e02b8e1
0x6e02b8fb
0x6e02b8fd
0x6e02bbf9
0x00000000
0x6e02bbf9
0x6e02b903
0x6e02b907
0x00000000
0x00000000
0x6e02b90d
0x6e02b911
0x00000000
0x00000000
0x6e02b918
0x6e02b91c
0x6e02b91f
0x6e02b922
0x6e02b927
0x6e02b927
0x6e02b92a
0x6e02b947
0x6e02b94c
0x6e02b94e
0x6e02b950
0x6e02b970
0x6e02b971
0x6e02b973
0x6e02b976
0x6e02b978
0x6e02b97a
0x6e02b97c
0x6e02b97c
0x6e02b987
0x6e02b989
0x6e02b990
0x6e02b995
0x6e02b998
0x6e02b99b
0x6e02b99d
0x6e02b9c2
0x6e02b9c7
0x6e02b9ce
0x6e02b9d1
0x6e02b9d4
0x6e02b9d8
0x6e02b9da
0x6e02b9de
0x6e02b9e0
0x6e02b9e3
0x6e02b9e6
0x6e02b9e8
0x6e02b9eb
0x6e02b9f2
0x6e02b9f5
0x6e02b9fa
0x6e02b9fd
0x6e02ba06
0x6e02ba0a
0x6e02ba0d
0x6e02ba10
0x6e02ba13
0x6e02ba19
0x6e02ba1b
0x6e02ba24
0x6e02ba27
0x6e02ba2a
0x6e02ba2d
0x6e02ba2e
0x6e02ba32
0x6e02ba38
0x6e02ba42
0x6e02ba47
0x6e02ba57
0x6e02ba5b
0x6e02ba5e
0x6e02ba60
0x6e02ba62
0x6e02ba64
0x6e02ba66
0x6e02ba6e
0x6e02ba6f
0x6e02ba72
0x6e02ba75
0x6e02ba76
0x6e02ba7c
0x6e02ba86
0x6e02ba8e
0x6e02ba91
0x6e02ba9d
0x6e02baa1
0x6e02baa4
0x6e02baa6
0x6e02baa8
0x6e02baaa
0x6e02baac
0x6e02bab4
0x6e02bab5
0x6e02bab8
0x6e02babb
0x6e02babb
0x6e02babc
0x6e02bac2
0x6e02bacc
0x6e02bacc
0x6e02baaa
0x6e02baa6
0x6e02ba91
0x6e02ba64
0x6e02ba60
0x6e02ba47
0x6e02ba1b
0x6e02ba13
0x6e02bad2
0x6e02bad8
0x6e02bada
0x6e02bb4d
0x6e02bb4d
0x6e02bb51
0x6e02bb61
0x6e02bb67
0x6e02bb69
0x6e02bbc5
0x6e02bbc5
0x6e02bbcd
0x6e02bbce
0x6e02bbd0
0x6e02bbe9
0x6e02bbec
0x6e02bb29
0x6e02bb2a
0x00000000
0x6e02bb2f
0x6e02bbf2
0x00000000
0x6e02bbf2
0x6e02bbd7
0x6e02bbe2
0x00000000
0x6e02bbe2
0x6e02bb6b
0x6e02bb6e
0x6e02bb71
0x00000000
0x00000000
0x6e02bb73
0x6e02bb73
0x6e02bb76
0x6e02bb79
0x6e02bb7c
0x6e02bb83
0x6e02bb88
0x6e02bb8a
0x6e02bb8e
0x6e02bba9
0x6e02bbad
0x6e02bbae
0x6e02bbb1
0x6e02bbb2
0x6e02bbbe
0x6e02bbb4
0x6e02bbb4
0x6e02bbb4
0x6e02bb90
0x6e02bb90
0x6e02bb90
0x6e02bb9b
0x6e02bba0
0x6e02bba3
0x6e02bba3
0x00000000
0x6e02bb88
0x6e02badf
0x6e02bae2
0x6e02bae9
0x6e02baee
0x00000000
0x00000000
0x6e02baf7
0x6e02bafd
0x6e02baff
0x00000000
0x00000000
0x6e02bb01
0x6e02bb05
0x00000000
0x00000000
0x6e02bb19
0x6e02bb1f
0x6e02bb21
0x6e02bb45
0x6e02bb48
0x00000000
0x6e02bb48
0x6e02bb23
0x00000000
0x6e02b99f
0x6e02b9a4
0x6e02b9af
0x6e02bb30
0x6e02bb30
0x6e02bb30
0x6e02bb33
0x6e02bb34
0x00000000
0x6e02bb3c
0x6e02b99d
0x6e02b952
0x6e02b957
0x6e02b95e
0x6e02b964
0x00000000
0x6e02b964
0x6e02b92c
0x6e02b92f
0x6e02b939
0x6e02b939
0x6e02b93c
0x6e02b93f
0x00000000
0x6e02b93f
0x6e02b933
0x6e02b935
0x6e02b937
0x00000000
0x00000000
0x00000000
0x6e02b937
0x6e02b8e3
0x6e02b8e8
0x6e02b8f0
0x00000000
0x6e02b87b
0x6e02b880
0x6e02b883
0x6e02b888
0x6e02bc15
0x00000000
0x6e02bc15

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce038897670874711330ee48be9b13da90a2c429e64ed6fcb9f959e9f9a75a3
Instruction ID: 9427206ec3b22b6b4cafc8d75360efd87a0bac5e9637baee0bba65b58fbe0093
Opcode Fuzzy Hash: dce038897670874711330ee48be9b13da90a2c429e64ed6fcb9f959e9f9a75a3
Instruction Fuzzy Hash: E3C1E378E0864A9FDB01CFE8C890B9DBBF4AF0A314F1044A9E954AB359C7719941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6E02FF90 Relevance: 13.7, APIs: 9, Instructions: 202COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 6E02FFBA
_free.LIBCMT ref: 6E030093
_free.LIBCMT ref: 6E0300C0

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 615f1c64f59eaf7dc62de2146aace277fc8260a01909a666b0d464d0d99934fa
Instruction ID: 3d501c15c4d163f86f5a758dce2deb57a205119f5526f23fd88f36480d3b5f11
Opcode Fuzzy Hash: 615f1c64f59eaf7dc62de2146aace277fc8260a01909a666b0d464d0d99934fa
Instruction Fuzzy Hash: 0F51C675D0E327AFEB509FE98890B9E7BF9EF01358F20456AD91497241FB72C5408B90

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB0570 Relevance: 13.7, APIs: 9, Instructions: 172memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSSUTIL3(00000800), ref: 6DFB0579
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000084), ref: 6DFB0596
PORT_FreeArena_Util.NSSUTIL3(00000000,00000001), ref: 6DFB05A7

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Arena_$Alloc_ArenaFree
String ID:
API String ID: 1390973725-0
Opcode ID: 8f795814bf4034ac1f779c83a15d0ff36e19b9d7cc7d87ec2e3d2d2f7c3ea7dc
Instruction ID: 0bcd5e3e93a2e0e33d7d2bf5abbbb91cfd7b6048a44f1ad4ec8d22b9563db8b0
Opcode Fuzzy Hash: 8f795814bf4034ac1f779c83a15d0ff36e19b9d7cc7d87ec2e3d2d2f7c3ea7dc
Instruction Fuzzy Hash: 0251B3719043019FC750CF6EE980B5ABBE4FF45728F14062DE9998A391E7B2D505CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB0440 Relevance: 13.6, APIs: 9, Instructions: 119COMMON

Download Yara Rule

APIs

SECITEM_CopyItem_Util.NSSUTIL3(?,?,?), ref: 6DFB0479
SECITEM_CopyItem_Util.NSSUTIL3(?,?,?), ref: 6DFB0495
SECITEM_CopyItem_Util.NSSUTIL3(?,?,?), ref: 6DFB04BC
SECITEM_CopyItem_Util.NSSUTIL3(?,?,?), ref: 6DFB04D1
SECITEM_CopyItem_Util.NSSUTIL3(?,?,?), ref: 6DFB04E6
SECITEM_CopyItem_Util.NSSUTIL3(?,?,?), ref: 6DFB04FB
SECITEM_CopyItem_Util.NSSUTIL3(?,?,?), ref: 6DFB0514
SECITEM_CopyItem_Util.NSSUTIL3(?,?,?), ref: 6DFB052D
SECITEM_CopyItem_Util.NSSUTIL3(?,?,?), ref: 6DFB054C

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: CopyItem_Util
String ID:
API String ID: 1930918740-0
Opcode ID: 7f2df1d5f9a09f2cc325c1654b475171beaacd5a79c8bc27a3eb07ec6bd6dd39
Instruction ID: fc0149cb6b484628463cf666adaea03722420874603df19e984ebe95d4f4c34a
Opcode Fuzzy Hash: 7f2df1d5f9a09f2cc325c1654b475171beaacd5a79c8bc27a3eb07ec6bd6dd39
Instruction Fuzzy Hash: B941DDF2504B06ABD310CFAACD80DA7B3ECBE092547155A2BEA56C3A11F735F654CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6DFBD460 Relevance: 12.5, APIs: 8, Instructions: 470memoryCOMMON

Download Yara Rule

APIs

SECITEM_AllocItem_Util.NSSUTIL3(?,?,00000000), ref: 6DFBD7BC
PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6DFBDA72
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFBDA8D
PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6DFBDAA8
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFBDAC3
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFBDADE

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$AllocItem_
String ID:
API String ID: 4233208270-0
Opcode ID: ece62c931d5dee8b25532c2ba3705722b8591a06d4cfb4bc2ca82fd184cfa37b
Instruction ID: 4845f6b0ad0ef9207f304d87135edf39e71b90d8fe559c7bcec378da7a739ea7
Opcode Fuzzy Hash: ece62c931d5dee8b25532c2ba3705722b8591a06d4cfb4bc2ca82fd184cfa37b
Instruction Fuzzy Hash: 38F1B5716083069BD720CEEADCC0B9B77ECEF84218F04493AEA5A87151EBB5D558C793

Uniqueness

Uniqueness Score: -1.00%

Function 6E056C30 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 162COMMON

Download Yara Rule

APIs

sqlite3_snprintf.SQLITE3(00000080,?,database %s is locked,00000000), ref: 6E056D67

Strings

no such database: %s, xrefs: 6E056CF0
cannot detach database %s, xrefs: 6E056CFD
database %s is locked, xrefs: 6E056D58
E@n, xrefs: 6E056CA6
cannot DETACH database within transaction, xrefs: 6E056D0A

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID: sqlite3_snprintf
String ID: E@n$cannot DETACH database within transaction$cannot detach database %s$database %s is locked$no such database: %s
API String ID: 949980604-4144709796
Opcode ID: 85cdcc18a8a9dbf96c737e9ae41614631606cc95a53addcd17c0cd1ccdae2478
Instruction ID: 6f70b6648be3f3f55410553e65dc2323b9c9ed7e3eefefb28ac1b2de13f5f7e3
Opcode Fuzzy Hash: 85cdcc18a8a9dbf96c737e9ae41614631606cc95a53addcd17c0cd1ccdae2478
Instruction Fuzzy Hash: 55510571924301DFD710CF94EA44B6ABBF5FB46348F10491DE8985B341D776E829CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6DFAF3C0 Relevance: 12.4, APIs: 8, Instructions: 384memoryCOMMON

Download Yara Rule

APIs

SECITEM_AllocItem_Util.NSSUTIL3(00000000,00000000,00000000,?), ref: 6DFAF470
PORT_SetError_Util.NSSUTIL3(FFFFE00A), ref: 6DFAF70A
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFAF78A
SECITEM_ZfreeItem_Util.NSSUTIL3(?,00000000), ref: 6DFAF7FC
PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6DFAF81C
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFAF837
PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6DFAF852
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFAF86D

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Item_$AllocZfree
String ID:
API String ID: 1921008293-0
Opcode ID: 58b491f27c1484b7ebb858482e597556c9e7b0edad3dce3194f24391d65da7e7
Instruction ID: 333bb670683120fc6c68a7a1e26daeeb5dcbef59909e9452af08be66cf043eb4
Opcode Fuzzy Hash: 58b491f27c1484b7ebb858482e597556c9e7b0edad3dce3194f24391d65da7e7
Instruction Fuzzy Hash: BAC1D3B38093169BC750DAA8EC80E8B73DCAF44764F090A2AFE55C7241E775D91987E3

Uniqueness

Uniqueness Score: -1.00%

Function 6E012630 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

Part of subcall function 6E0125D0: PORT_ZAlloc_Util.NSSUTIL3(00000024,?,6E01263B,00000000,?,?,?,?,6E01931D,?,?,?,6E0197A0,00000000), ref: 6E0125D3
Part of subcall function 6E0125D0: PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000), ref: 6E0125E6

PORT_Strdup_Util.NSSUTIL3(?,?,6E0197A0,00000000), ref: 6E01266B
PORT_Strdup_Util.NSSUTIL3(00000000,?,6E0197A0,00000000), ref: 6E012683
PORT_Strdup_Util.NSSUTIL3(?,?,6E0197A0,00000000), ref: 6E012698
PORT_Free_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,?,6E0197A0,00000000), ref: 6E012740
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E012754
PORT_SetError_Util.NSSUTIL3(FFFFE012,?,6E0197A0,00000000), ref: 6E012761

Strings

key, xrefs: 6E0126BB

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Strdup_$Error_Free_$Alloc_
String ID: key
API String ID: 4086873281-2324736937
Opcode ID: 5c20f8d5d3cacfec6277c08529ffee7a7ffe54a1db4bc5d0eb5e53cf25455b80
Instruction ID: ad6f4986c0b2d23a5d7a71e411314cac82dfd8368f06bf800451eb6b1a8417d0
Opcode Fuzzy Hash: 5c20f8d5d3cacfec6277c08529ffee7a7ffe54a1db4bc5d0eb5e53cf25455b80
Instruction Fuzzy Hash: D23126B160C3026FDB209EE5AC41BDB76EC9F96398F000D3DF8599B281EB75D50592A3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFAF900 Relevance: 12.2, APIs: 8, Instructions: 206COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE08E), ref: 6DFAF97D
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFAFB29

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID:
API String ID: 1971245937-0
Opcode ID: 67c486b34f4d041328202694e0d4d6d1ad850a6251a7819a29b1f0add89665a6
Instruction ID: 256ca637650d03a1f15bf8f11b2f084398b61af463345a8ce42f6f8a3b96f6c8
Opcode Fuzzy Hash: 67c486b34f4d041328202694e0d4d6d1ad850a6251a7819a29b1f0add89665a6
Instruction Fuzzy Hash: A1510BB2D0811197D7508A7DAC8069B7394EF84774F490336FE398B3D0E766E95983D2

Uniqueness

Uniqueness Score: -1.00%

Function 6E01D6F0 Relevance: 12.1, APIs: 8, Instructions: 142memoryCOMMON

Download Yara Rule

APIs

PR_Lock.NSPR4(00000000,?,00000000), ref: 6E01D704
PR_Unlock.NSPR4 ref: 6E01D724
PORT_NewArena_Util.NSSUTIL3(00000800), ref: 6E01D775
PORT_ArenaAlloc_Util.NSSUTIL3(00000000,000008F8,?), ref: 6E01D789
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?), ref: 6E01D79C
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?), ref: 6E01D7E4
PR_Lock.NSPR4(?), ref: 6E01D7FB
PR_Unlock.NSPR4 ref: 6E01D81B

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_LockUnlock$Alloc_ArenaError_Free
String ID:
API String ID: 3625728442-0
Opcode ID: a284907b91d6564432428360b2835ce27156714f696d05d5453ec92a3fe2893e
Instruction ID: 5b1d5931724b8c39b118fdbabbd04dbef0eb585a317489bb774051e1152497c2
Opcode Fuzzy Hash: a284907b91d6564432428360b2835ce27156714f696d05d5453ec92a3fe2893e
Instruction Fuzzy Hash: 17417376808701AFD711DFA4C880B9BB7E9BF89715F04062AF994CB240E775E5158F92

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA1E70 Relevance: 12.1, APIs: 8, Instructions: 142COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE005,?,6DFB67F5,00000000,?), ref: 6DFA1E80
PORT_SetError_Util.NSSUTIL3(FFFFE005,00000000,?,6DFB67F5,00000000,?), ref: 6DFA1E9F

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID:
API String ID: 1971245937-0
Opcode ID: ceb3f2356080b86a021ed969b46a044e57dd70463b62ffb044c4c928417ee3b5
Instruction ID: 2d64fa53acea02ed8abcf4b3fc1f543a85a115ef2660584f679aa619ca191b91
Opcode Fuzzy Hash: ceb3f2356080b86a021ed969b46a044e57dd70463b62ffb044c4c928417ee3b5
Instruction Fuzzy Hash: 854150B1704340BBE7215B3DEC09B6B7799EB42354F1A062DF96681291EB127D04C666

Uniqueness

Uniqueness Score: -1.00%

Function 6E0219F0 Relevance: 12.1, APIs: 8, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

PR_GetLibraryFilePathname.NSPR4(6E0219F0,?,6E035B40), ref: 6E021A02
PR_GetDirectorySeparator.NSPR4 ref: 6E021A17
_strrchr.LIBCMT ref: 6E021A22
PORT_Alloc_Util.NSSUTIL3(00000002), ref: 6E021A4F
PR_LoadLibraryWithFlags.NSPR4 ref: 6E021A91
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E021A9A
PR_Free.NSPR4(00000000), ref: 6E021AA3
PR_LoadLibraryWithFlags.NSPR4(?,?,0000000A), ref: 6E021AD5

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Library$FlagsLoadUtilWith$Alloc_DirectoryFileFreeFree_PathnameSeparator_strrchr
String ID:
API String ID: 782263558-0
Opcode ID: 3bdb604bcb930942ce0a719c6ab7b4b1c1778b19b51dfaab1c695b09a6a48e36
Instruction ID: bd857289e8f0434bb9167359dc1b1fb86eec69db7786b85b59948df418990a91
Opcode Fuzzy Hash: 3bdb604bcb930942ce0a719c6ab7b4b1c1778b19b51dfaab1c695b09a6a48e36
Instruction Fuzzy Hash: EE2109355043015FCB109FA8D88577A7BE5EF82258F04457DEC494B206E637951EC792

Uniqueness

Uniqueness Score: -1.00%

Function 6E019650 Relevance: 12.1, APIs: 8, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSSUTIL3(00000050,?,?,?,6E019354,?,?,00000000,00000000), ref: 6E01965F
PORT_Alloc_Util.NSSUTIL3(00000010,00000000), ref: 6E019673
PR_NewLock.NSPR4(?,00000000), ref: 6E019692
PL_NewHashTable.PLDS4(00000040,6E019590,6E025A70,6E025B30,00000000,00000000,?,00000000), ref: 6E0196B8
PORT_Free_Util.NSSUTIL3(00000000,?,00000000), ref: 6E019754
PR_DestroyLock.NSPR4(?,?,?,00000000), ref: 6E019768
PL_HashTableDestroy.PLDS4(?,?,?,00000000), ref: 6E019779
PORT_Free_Util.NSSUTIL3(00000000,?,?,00000000), ref: 6E019782

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Alloc_DestroyFree_HashLockTable
String ID:
API String ID: 3202356090-0
Opcode ID: c86de270900e8caf4b091485c9d8c95c3a2822ddc0a8caec10bc3259692e8e69
Instruction ID: 6c72d34960276ce1b750283e39df81a09c2477be4f658cca72c3fb7ee3b047cf
Opcode Fuzzy Hash: c86de270900e8caf4b091485c9d8c95c3a2822ddc0a8caec10bc3259692e8e69
Instruction Fuzzy Hash: F23168B5508B129FD3208FE5D882B87BBE4BF41650F84892CE69A9F744E731E004CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 6E016910 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 428COMMON

Download Yara Rule

APIs

PORT_Free_Util.NSSUTIL3(?), ref: 6E016BB8
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E016D48

Strings

0, xrefs: 6E0169C5

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Free_Util
String ID: 0
API String ID: 3239092222-4108050209
Opcode ID: 5d391449976cc8258dcf93cd5900fbc3b3af9258fcf7cdd73259a9ec75accf01
Instruction ID: ec686980c3344f519be40ea5d1b24aba655005c7d41545c23749c4372316ee71
Opcode Fuzzy Hash: 5d391449976cc8258dcf93cd5900fbc3b3af9258fcf7cdd73259a9ec75accf01
Instruction Fuzzy Hash: D9C1B972A083155FD7009AD9EC40BEBB7ECEB853A8F450979F9448B311E736D905C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6E0318B8 Relevance: 10.9, APIs: 7, Instructions: 368timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E03193A
_free.LIBCMT ref: 6E03195E
_free.LIBCMT ref: 6E031AE3
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,6E0379A4), ref: 6E031AF5
WideCharToMultiByte.KERNEL32(00000000,00000000,6E03E3DC,000000FF,00000000,0000003F,00000000,?,?), ref: 6E031B6D
WideCharToMultiByte.KERNEL32(00000000,00000000,6E03E430,000000FF,?,0000003F,00000000,?), ref: 6E031B9A
_free.LIBCMT ref: 6E031CAF

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: c8a34b23e1088d8f08c3e15e52edf192d0170664414b177fbb6bb7499bf4ccff
Instruction ID: 01580dad4658a4961ed698231276acaae40b35070269e0b24013abe1ea237009
Opcode Fuzzy Hash: c8a34b23e1088d8f08c3e15e52edf192d0170664414b177fbb6bb7499bf4ccff
Instruction Fuzzy Hash: D1C11875904267AFDB108FE9C840BDEBBFDEF4A354F3045AAD45497280E7319A0AC750

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB2E10 Relevance: 10.8, APIs: 7, Instructions: 280COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE001,00000000), ref: 6DFB2E6B
SECITEM_CopyItem_Util.NSSUTIL3(00000000,?,?,?,?,?,00000000), ref: 6DFB2F7B
PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,?,?,00000000), ref: 6DFB312B
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,00000000), ref: 6DFB313D
PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?,?,?,?,00000000), ref: 6DFB314F

Part of subcall function 6DFB1A30: SECITEM_ZfreeItem_Util.NSSUTIL3(?,00000000), ref: 6DFB1A8F

PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,?,?,00000000), ref: 6DFB3161
SECITEM_FreeItem_Util.NSSUTIL3(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 6DFB3188

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Item_$CopyFreeZfree
String ID:
API String ID: 414615639-0
Opcode ID: c97bc7e2f826dde8ce0627bb6494cfd2d6e137911c4e8ba7d04be52ca7fd7619
Instruction ID: 6e936996acd373180b7e735550c2cbc6b1f1089ff6c2088307dfc160e78c0668
Opcode Fuzzy Hash: c97bc7e2f826dde8ce0627bb6494cfd2d6e137911c4e8ba7d04be52ca7fd7619
Instruction Fuzzy Hash: E2911A72948342ABD720CBADCC40B5F77E8BF81358F050A29FA9497290E772D909C793

Uniqueness

Uniqueness Score: -1.00%

Function 6E0321C8 Relevance: 10.7, APIs: 7, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,6E03246C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 6E032274
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,6E03246C,00000000,00000000,?,00000001,?,?,?,?), ref: 6E0322F7
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00000000,?,6E03246C,00000000,00000000,?,00000001,?,?,?,?), ref: 6E03236D
MultiByteToWideChar.KERNEL32(00000000,00000009,6E03246C,00000000,00000000,00000000,?,6E03246C,00000000,00000000,?,00000001,?,?,?,?), ref: 6E032384

Part of subcall function 6E02C4F9: HeapAlloc.KERNEL32(00000000,?,00000000,?,6E02B985,00000004,?,?,?), ref: 6E02C52B

MultiByteToWideChar.KERNEL32(00000000,00000001,6E03246C,00000000,00000000,00000000,?,6E03246C,00000000,00000000,?,00000001,?,?,?,?), ref: 6E0323E8
__freea.LIBCMT ref: 6E032413
__freea.LIBCMT ref: 6E03241F

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocHeapInfo
String ID:
API String ID: 2171645-0
Opcode ID: 61f2c6205ea9e4fbccb1869f416862d62c24226bb7558634e6551387bc26fe5d
Instruction ID: 6bf79976bb2632aa9668bc92f6476d9ec9a410ef7cd8e5525a5978dfc6df2cdf
Opcode Fuzzy Hash: 61f2c6205ea9e4fbccb1869f416862d62c24226bb7558634e6551387bc26fe5d
Instruction Fuzzy Hash: 5881C131E0022BEFDB218EE59C50BEEBBF9EF5A354F344469E914A7240D73198418BE0

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA4800 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 231memoryCOMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE005,00000010,00000010,?,?,?,?,?,?,?,?,?,6DFA5FF0,?,?,00000010), ref: 6DFA482F
PORT_ZAlloc_Util.NSSUTIL3(0000005C,0000000C,00000010,00000010,?,?,?,?,?,?,?,?,?,6DFA5FF0,?,?), ref: 6DFA484D

Strings

, xrefs: 6DFA4937

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Alloc_Error_
String ID:
API String ID: 397771595-3916222277
Opcode ID: bcc931e2979d331858add9d3758c23600976f2d2857a9bae217beaf56b380172
Instruction ID: 2effdfd16800afa67756832cffd76ed6c19ba5f84ad0999ef28d2a0e2743dbb3
Opcode Fuzzy Hash: bcc931e2979d331858add9d3758c23600976f2d2857a9bae217beaf56b380172
Instruction Fuzzy Hash: F58140B1508701DFD350CF29D841B6BBBE8BF48708F48492DE98ACB651EB75E504CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB1FA0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,00000000), ref: 6DFB205C
PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,?,00000000), ref: 6DFB21F9
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,00000000), ref: 6DFB220B
PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?,?,?,00000000), ref: 6DFB221D
PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,?,00000000), ref: 6DFB222F

Strings

ggen, xrefs: 6DFB20DE

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID: ggen
API String ID: 1971245937-2024611518
Opcode ID: 0671d6b8114a976644cad262eb7a4c87c966e0c79afc3fae9183efeb532f7509
Instruction ID: 2c5481a8853c92939aef01caba3bc47e7e36bcf9f8c651b7151aaac270718d48
Opcode Fuzzy Hash: 0671d6b8114a976644cad262eb7a4c87c966e0c79afc3fae9183efeb532f7509
Instruction Fuzzy Hash: CA71E5728083016BD720CAADCC80F9F77E8AF85764F410629FB68D3290EB76D9558793

Uniqueness

Uniqueness Score: -1.00%

Function 6E016E20 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 211COMMON

Download Yara Rule

APIs

PORT_Free_Util.NSSUTIL3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E016F4A
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E016FC5
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E017037

Strings

@, xrefs: 6E016E65
@, xrefs: 6E016E55
@, xrefs: 6E016E5D

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Free_Util
String ID: @$@$@
API String ID: 3239092222-1177533131
Opcode ID: d248962a712774a0d46713473c42c14de29369f634dd1ac3d491e930cdc26075
Instruction ID: 96b54c81b697c2f00d1a90908137ae4fbaa4aae0e1feb1df7af399caaee7d622
Opcode Fuzzy Hash: d248962a712774a0d46713473c42c14de29369f634dd1ac3d491e930cdc26075
Instruction Fuzzy Hash: 415191B291C3016FD3509BD59C41BEBB6ECAF85398F840C3DF9499B201E776D90886A2

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB9580 Relevance: 10.7, APIs: 7, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSSUTIL3(00000000,?,?,?,00000000,6DFB8831,?,?,00000002,?), ref: 6DFB95B0
PORT_Alloc_Util.NSSUTIL3(00000000,?,?,?,00000000,6DFB8831,?,?,00000002,?), ref: 6DFB95DF
PORT_Free_Util.NSSUTIL3(00000000,?), ref: 6DFB9612

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Alloc_$Free_
String ID:
API String ID: 2292727986-0
Opcode ID: a1843bc11ae2acaab97e22b4f64d253ef8bc95daf9fc40380801025889b85bcf
Instruction ID: cbbf678ba991127a8af668fe54da23758d569d6a5c23a68e5dc66d3379e7ca16
Opcode Fuzzy Hash: a1843bc11ae2acaab97e22b4f64d253ef8bc95daf9fc40380801025889b85bcf
Instruction Fuzzy Hash: B751477690C2029FC700DF7DEC80A1ABBE5EF56358F194A6AE45997201EB32E805C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA4550 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 173COMMON

Download Yara Rule

APIs

Part of subcall function 6DFA0980: PORT_ZAlloc_Util.NSSUTIL3(00000190,?,6DFA456F,ANSI Triple-DES Key Data,00000000,00000002,00000001), ref: 6DFA0986
Part of subcall function 6DFA0980: PORT_ZFree_Util.NSSUTIL3(00000000,00000190,?,?,6DFA456F,ANSI Triple-DES Key Data,00000000,00000002,00000001), ref: 6DFA09B4

PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFA457D
PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6DFA4761

Strings

Netscape, xrefs: 6DFA459B
Security, xrefs: 6DFA4672, 6DFA46E3
ANSI Triple-DES Key Data, xrefs: 6DFA4565, 6DFA45F7, 6DFA4677, 6DFA46E8
Netscape, xrefs: 6DFA468C

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Alloc_Free_
String ID: ANSI Triple-DES Key Data$Netscape$Netscape$Security
API String ID: 3186423673-958899549
Opcode ID: b290271e22d1d0c107ee10ba34d593229672cfb0c4c30d562b8ebbe10728aca3
Instruction ID: 74f7caf1fd97ebf82a65ac7d40c3e84a097f94cec196b99481ec2e344e0b73c0
Opcode Fuzzy Hash: b290271e22d1d0c107ee10ba34d593229672cfb0c4c30d562b8ebbe10728aca3
Instruction Fuzzy Hash: E6511631948201FBD710DA5CEC81F7A73B8AB8A764F594508F66C9F381EBA1E94487D3

Uniqueness

Uniqueness Score: -1.00%

Function 6E02BC1E Relevance: 10.7, APIs: 7, Instructions: 162fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,6E02C3AA,?,?,?,00000010,00000001), ref: 6E02BC60
__fassign.LIBCMT ref: 6E02BCDF
__fassign.LIBCMT ref: 6E02BCFE
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 6E02BD2B
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,6E02C3AA), ref: 6E02BD4B
WriteFile.KERNEL32(?,?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,6E02C3AA), ref: 6E02BD85

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7cab4b7c8d5c12550ea6ee418759644f431f9bb2f869b099274eaae788dd11a2
Instruction ID: d8ae8503ea86d90b2d86f46892e70b1dfd9f2cbb49f4aa29ed091ee80fccb30a
Opcode Fuzzy Hash: 7cab4b7c8d5c12550ea6ee418759644f431f9bb2f869b099274eaae788dd11a2
Instruction Fuzzy Hash: 63518D75A0024AAFDB10CFE8C881AEEBBF9EF09310F14452AE595E7255E730A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDEF03 Relevance: 10.7, APIs: 7, Instructions: 162fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000001,00000020,?,?,?,?,?,?,?,6DFDF68F,00000008,00000001,00000020,0000002C,?), ref: 6DFDEF45
__fassign.LIBCMT ref: 6DFDEFC4
__fassign.LIBCMT ref: 6DFDEFE3
WideCharToMultiByte.KERNEL32(?,00000000,00000001,00000001,00000020,00000005,00000000,00000000), ref: 6DFDF010
WriteFile.KERNEL32(?,00000020,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,6DFDF68F), ref: 6DFDF030
WriteFile.KERNEL32(?,00000008,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,6DFDF68F), ref: 6DFDF06A

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 51eee705455c475a734a882f9f3a667539b8fa00f0e75b86ded91f3c63caadf6
Instruction ID: f3c919f8821df58b9364100ae1e8675067e6b6a85886ccca12cbbfaf46603e68
Opcode Fuzzy Hash: 51eee705455c475a734a882f9f3a667539b8fa00f0e75b86ded91f3c63caadf6
Instruction Fuzzy Hash: FB517171D10289AFDB40CFA8D885BEEBBF8FF09310F19416AE655E7251D7309A41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6E01F470 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE012), ref: 6E01F583
PR_Lock.NSPR4 ref: 6E01F597
PR_Unlock.NSPR4 ref: 6E01F5A9
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E01F5B9

Strings

cert, xrefs: 6E01F4A5, 6E01F54B

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Error_Free_LockUnlock
String ID: cert
API String ID: 3435265499-212476011
Opcode ID: ab641a15ed3218bc49ba0247119d7db5d5c25690a722acff5485b17eb30a1bc4
Instruction ID: 92fbca9deff265956fcce6c2d5b44e65348f17dcf1343799763aa11a15325e59
Opcode Fuzzy Hash: ab641a15ed3218bc49ba0247119d7db5d5c25690a722acff5485b17eb30a1bc4
Instruction Fuzzy Hash: FB3128B290C7026FDB105FE89C40B9B7ADDBF95368F200A39FA6D9A191E725D1008663

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB8170 Relevance: 10.6, APIs: 7, Instructions: 129COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE00A), ref: 6DFB8193
PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6DFB81B1

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID:
API String ID: 1971245937-0
Opcode ID: 1a77a19695a1ade1b2889b371f879ef8108e1c243c154f44899303618b096041
Instruction ID: e9ca88217cacefc974f18531f9e3b6ecd99ec005cdaba34fc58cadd02c3cf427
Opcode Fuzzy Hash: 1a77a19695a1ade1b2889b371f879ef8108e1c243c154f44899303618b096041
Instruction Fuzzy Hash: BE313BA2B0C5870BDB005E7DEC446B9FB21DFC2335B2D03B9D9A54A281D733D8468392

Uniqueness

Uniqueness Score: -1.00%

Function 6E012A80 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

PR_Lock.NSPR4(?), ref: 6E012A9C
PR_Unlock.NSPR4(?,?,?,?,00000003), ref: 6E012AB7

Strings

global-salt, xrefs: 6E012AE7
password-check, xrefs: 6E012B1E

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: LockUnlock
String ID: global-salt$password-check
API String ID: 4018760208-3927197501
Opcode ID: b6620058edfe9726d88a0228e37a4d201f873500d3ecdc5b205a3a1edd15a401
Instruction ID: 7f79c69a7d1c36e3f20dc286930ccf99ee74388e9bda843ee09b81e3be9f0a13
Opcode Fuzzy Hash: b6620058edfe9726d88a0228e37a4d201f873500d3ecdc5b205a3a1edd15a401
Instruction Fuzzy Hash: A331E2329082129BD300DFD8C880A9BB3F9FF86325F840969F955DF201D730F94A9B92

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB64B0 Relevance: 10.6, APIs: 7, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSSUTIL3(?,00000000,00000000,00000000,?,6DFADDEF,?,?), ref: 6DFB64BB
PORT_SetError_Util.NSSUTIL3(FFFFE013,?), ref: 6DFB64CE
PORT_ZFree_Util.NSSUTIL3(00000000,?,?,00000000,?), ref: 6DFB6533
PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,00000000,?), ref: 6DFB6554

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Alloc_Free_
String ID:
API String ID: 3186423673-0
Opcode ID: 4733e369acded96f7109ae20a7518e96cafb8ac748d04b6653072e3ee5fe309b
Instruction ID: 0217d03dc686181645f3045749141e9bcd000dcb1f999088f4d75f5d615bbf06
Opcode Fuzzy Hash: 4733e369acded96f7109ae20a7518e96cafb8ac748d04b6653072e3ee5fe309b
Instruction Fuzzy Hash: 5F2138B390D52116D710117DBC80AAFB744EBC1779F260336FA76862E0EF229D25A1E3

Uniqueness

Uniqueness Score: -1.00%

Function 6E01D270 Relevance: 10.6, APIs: 7, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

PR_Lock.NSPR4 ref: 6E01D2B0
PR_Unlock.NSPR4(?), ref: 6E01D2D7
PORT_ZAlloc_Util.NSSUTIL3(000008F8), ref: 6E01D2E9
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6E01D2FC
PORT_Alloc_Util.NSSUTIL3(00000001), ref: 6E01D32C
PORT_Free_Util.NSSUTIL3(?), ref: 6E01D38D
PORT_Free_Util.NSSUTIL3(?), ref: 6E01D3A2

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Alloc_Free_$Error_LockUnlock
String ID:
API String ID: 1877046244-0
Opcode ID: 466e8ed689ae49d35fcbdf10001c66c45be82eb42ba65f10a1a022724303e34a
Instruction ID: 3ebd9011b929e5a96ff6d0e91c7ca178c4a71d89611ebe99bf0fb629a6e3f528
Opcode Fuzzy Hash: 466e8ed689ae49d35fcbdf10001c66c45be82eb42ba65f10a1a022724303e34a
Instruction Fuzzy Hash: 7031B3758087029FD7208FE4D880BDFB7E9AF85349F000939E8599B245E735E5158F93

Uniqueness

Uniqueness Score: -1.00%

Function 6E02D8AE Relevance: 10.6, APIs: 7, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e281c06cf2b4333660ebc15ee9c27bb77b51ee0a9a5db54d6c0c476514883e43
Instruction ID: c19afb0b4f5069c34e930a6ba707daa10bac673875d921dbfe4620089b1ab785
Opcode Fuzzy Hash: e281c06cf2b4333660ebc15ee9c27bb77b51ee0a9a5db54d6c0c476514883e43
Instruction Fuzzy Hash: 11117275919515BFDB211FF68C48B9B7AECEF86768B100A35F815D7254DB31CC008AA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E01D610 Relevance: 10.6, APIs: 7, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,?,00000000,?,?,?,?,?,?,?,?,?,?,6E02002D,?,?), ref: 6E01D61A
PORT_InitCheapArena.NSSUTIL3(?,00000800,00000000,?,?,?,?,?,?,?,?,?,?,6E02002D,?,?), ref: 6E01D636
PORT_ArenaAlloc_Util.NSSUTIL3(00000000,00000034,?,00000800,00000000,?,?,?,?,?,?,?,?,?,?,6E02002D), ref: 6E01D63E

Part of subcall function 6E01CFB0: PORT_ArenaAlloc_Util.NSSUTIL3(00000000,00000001,00000000,00000000,6E01D668,?,?,?,?,?,?,?,00000000), ref: 6E01CFCD

Part of subcall function 6E01D3D0: PR_Lock.NSPR4(00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6E01D3FB
Part of subcall function 6E01D3D0: PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6E01E14B,?), ref: 6E01D41B
Part of subcall function 6E01D3D0: PORT_SetError_Util.NSSUTIL3(FFFFE012), ref: 6E01D42D

Part of subcall function 6E01C280: PORT_ArenaMark_Util.NSSUTIL3(00000001,00000000,00000000,00000000,00000000,?,?,6E01D69F,00000000,?,?), ref: 6E01C293
Part of subcall function 6E01C280: SECITEM_CopyItem_Util.NSSUTIL3(00000001,?,?,00000001,00000000,00000000,00000000,00000000,?,?,6E01D69F,00000000,?,?), ref: 6E01C2A5
Part of subcall function 6E01C280: PORT_SetError_Util.NSSUTIL3(FFFFE012,00000000,00000000,00000000,00000000,?,?,6E01D69F,00000000,?,?), ref: 6E01C2C4
Part of subcall function 6E01C280: PORT_ArenaRelease_Util.NSSUTIL3(00000001,?,00000000,00000000,00000000,00000000,?,?,6E01D69F,00000000,?,?), ref: 6E01C63B

PORT_DestroyCheapArena.NSSUTIL3(?), ref: 6E01D6AC
PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,6E02002D,?,?,?), ref: 6E01D6C1
PORT_DestroyCheapArena.NSSUTIL3(?,?,00000000,?,?,?,?,?,?,?,?,?,?,6E02002D,?,?), ref: 6E01D6CE
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,6E02002D), ref: 6E01D6DD

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena$CheapError_$Alloc_Arena_Destroy$CopyFreeInitItem_LockMark_Release_Unlock
String ID:
API String ID: 1119111148-0
Opcode ID: 11d87dec330f36e9d0a536116e79b674b482870596594ca0046b3586baec0771
Instruction ID: 1e48940be17482ec25103ef340d8d568365b4e785034fa80ad83c124367e91d9
Opcode Fuzzy Hash: 11d87dec330f36e9d0a536116e79b674b482870596594ca0046b3586baec0771
Instruction Fuzzy Hash: A11108B68082012BD30196E49C41FDF77DCAF90259F040A3AFD58D6154F725D3198AD7

Uniqueness

Uniqueness Score: -1.00%

Function 6E02E21B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 6E02E271
ext-ms-, xrefs: 6E02E285

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: c11f76574fcf40facba2950714f5b8b79d7665628e5c7dc0363531a2f42a0bdf
Instruction ID: ee5cf5a702f22628d30b3cbf8720f957fe9584a1791b9d114239bf39ab2af01a
Opcode Fuzzy Hash: c11f76574fcf40facba2950714f5b8b79d7665628e5c7dc0363531a2f42a0bdf
Instruction Fuzzy Hash: 3F21C631985626AFDB228AF5CC40B4E37E8AF267A4F110631ED16AB290D730E90685E0

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDBC09 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 6DFDBC5F
ext-ms-, xrefs: 6DFDBC73

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: f74df0a4732c461810ba7d30236c062267bd97c67c9cdc08c18a351c7e0cbf50
Instruction ID: 8f048186709b5c49c5bb92f30270b499cebb24a15a2a47ab2fe984bd5d3cf4b3
Opcode Fuzzy Hash: f74df0a4732c461810ba7d30236c062267bd97c67c9cdc08c18a351c7e0cbf50
Instruction Fuzzy Hash: 4121A832A55236B7DB61CE2D8C45B2E77B8BF02765F194921ED15AB250DF30DC00C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 6E01D000 Relevance: 10.6, APIs: 7, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,00000000,00000000,00000000,6E01B8D1,?,?,00000000), ref: 6E01D008
PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?,?), ref: 6E01D01B
PORT_ArenaAlloc_Util.NSSUTIL3(00000000,00000020,00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?,?), ref: 6E01D02C
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 6E01D03F
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 6E01D04A

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_Error_$Alloc_ArenaFree
String ID:
API String ID: 2983971270-0
Opcode ID: a891e9070e4057709c76cc684355b81dbe02a7fb54b14d7150cf3bb7094052c9
Instruction ID: e2569bf049ddb68dd2bed3335aec41c308a2bcc78b5c0b118afadc194c9d5648
Opcode Fuzzy Hash: a891e9070e4057709c76cc684355b81dbe02a7fb54b14d7150cf3bb7094052c9
Instruction Fuzzy Hash: 37110BB65043011FD7119EE49C81BAB77F8DFD029AF144D3DE98587204E739D50A87A3

Uniqueness

Uniqueness Score: -1.00%

Function 6E01CAD0 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

PORT_Free_Util.NSSUTIL3(6674C085,?,6E020330,00000000,?,?,?,?,?,?,?,?), ref: 6E01CAFB
PORT_Free_Util.NSSUTIL3(E9FFFFDB,?,6E020330,00000000,?,?,?,?,?,?,?,?), ref: 6E01CB12
PR_Lock.NSPR4(?,6E020330,00000000,?,?,?,?,?,?,?,?), ref: 6E01CB20
PORT_Free_Util.NSSUTIL3(6E020330,?,?,?,?,?,?,?,?,?), ref: 6E01CB34
PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,?,?), ref: 6E01CB42
PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E01CB77
PORT_FreeArena_Util.NSSUTIL3(577F74ED,00000000,?,6E020330,00000000,?,?,?,?,?,?,?,?), ref: 6E01CB91

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Free_$Unlock$Arena_FreeLock
String ID:
API String ID: 4060339092-0
Opcode ID: cbfe267c6747ab9c6ad17b59920b3510ac8b0962b4a3333ff90f942dea5ef509
Instruction ID: 6d0facf489977b755b837541454eba964f4d75a1ec31caf0ace9105fa2986d52
Opcode Fuzzy Hash: cbfe267c6747ab9c6ad17b59920b3510ac8b0962b4a3333ff90f942dea5ef509
Instruction Fuzzy Hash: 8711D6B0915B129FDB788F64E891A9777EABF01214F14083EE49FCA600E731E850CF46

Uniqueness

Uniqueness Score: -1.00%

Function 6E0310AC Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6E031074: _free.LIBCMT ref: 6E031099

_free.LIBCMT ref: 6E0310FA

Part of subcall function 6E02C4BF: HeapFree.KERNEL32(00000000,00000000,?,6E03109E,?,00000000,?,00000000,?,6E0310C5,?,00000007,?,?,6E030D6A,?), ref: 6E02C4D5
Part of subcall function 6E02C4BF: GetLastError.KERNEL32(?,?,6E03109E,?,00000000,?,00000000,?,6E0310C5,?,00000007,?,?,6E030D6A,?,?), ref: 6E02C4E7

_free.LIBCMT ref: 6E031105
_free.LIBCMT ref: 6E031110
_free.LIBCMT ref: 6E031164
_free.LIBCMT ref: 6E03116F
_free.LIBCMT ref: 6E03117A
_free.LIBCMT ref: 6E031185

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 27ebe37a9648d21ae74296eda68394e0e33f6e64ce68118aaeabde51252244cb
Instruction ID: 10f512236ef4c70124004bae0ee2ce6d36a8291e91977c563d722589142f00df
Opcode Fuzzy Hash: 27ebe37a9648d21ae74296eda68394e0e33f6e64ce68118aaeabde51252244cb
Instruction Fuzzy Hash: 0D115171D40B54BAE560ABF0CC45FDB77DC9F08708F504E25A7EDAB090DBA9F9088691

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDEBFD Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6DFDEBC5: _free.LIBCMT ref: 6DFDEBEA

_free.LIBCMT ref: 6DFDEC4B

Part of subcall function 6DFDB7C7: HeapFree.KERNEL32(00000000,00000000,?,6DFDEBEF,?,00000000,?,00000000,?,6DFDEC16,?,00000007,?,?,6DFDE7DE,?), ref: 6DFDB7DD
Part of subcall function 6DFDB7C7: GetLastError.KERNEL32(?,?,6DFDEBEF,?,00000000,?,00000000,?,6DFDEC16,?,00000007,?,?,6DFDE7DE,?,?), ref: 6DFDB7EF

_free.LIBCMT ref: 6DFDEC56
_free.LIBCMT ref: 6DFDEC61
_free.LIBCMT ref: 6DFDECB5
_free.LIBCMT ref: 6DFDECC0
_free.LIBCMT ref: 6DFDECCB
_free.LIBCMT ref: 6DFDECD6

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a0362ef0504cde6ee79d9a52a006c162ca2a3d7f8e63d2a6403d564ddad6e772
Instruction ID: c8ef4a2b965152c386b95ba515681598947aa0561c3880135484fdb6053dfb99
Opcode Fuzzy Hash: a0362ef0504cde6ee79d9a52a006c162ca2a3d7f8e63d2a6403d564ddad6e772
Instruction Fuzzy Hash: 1B115171589B08ABD7A0ABB4CC49FDFB7AC6F00704F490C59A3DEA6050DB65B9048760

Uniqueness

Uniqueness Score: -1.00%

Function 6E011F50 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

PR_Lock.NSPR4(00C5D9E8,00000000,?,?,6E019470,?), ref: 6E011F69
PR_Unlock.NSPR4(00C5D9E8), ref: 6E011F76
PORT_Free_Util.NSSUTIL3(850C468B,?,6E019470,?), ref: 6E011F99
PORT_Free_Util.NSSUTIL3(04C4836E,?,6E019470,?), ref: 6E011FA9
SECITEM_FreeItem_Util.NSSUTIL3(FF500A74,00000001,?,6E019470,?), ref: 6E011FBB
PR_DestroyLock.NSPR4(00C5D9E8,?,6E019470,?), ref: 6E011FCB
PORT_Free_Util.NSSUTIL3(6E019470,?,6E019470,?), ref: 6E011FD5

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Free_$Lock$DestroyFreeItem_Unlock
String ID:
API String ID: 1897647308-0
Opcode ID: bdd3a742f4b794587fd4b3125372d24b90b988ec560016e115734958b3ef448d
Instruction ID: 58f71064684f21566c5d7f3891a72103ae5a8183e68c3ab1f2e210042645cd64
Opcode Fuzzy Hash: bdd3a742f4b794587fd4b3125372d24b90b988ec560016e115734958b3ef448d
Instruction Fuzzy Hash: DD0180B5A086536BEA049FE9ECC5F97B3EC6F502447080538F819EB200E735E964C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 6E017840 Relevance: 9.3, APIs: 6, Instructions: 340memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,?,6E0169EF,?,?,?,?,?,?), ref: 6E017846
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,000000B0,?,?,?), ref: 6E017869
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?), ref: 6E017879

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_$Alloc_ArenaFree
String ID:
API String ID: 1390973725-0
Opcode ID: 0fd686b1fef5c44c3b2fd0443a04e2416f184c66f1e885518512167db05e7eb1
Instruction ID: 15fbde727f5a7ad1fce74b6f875664c0d0c51e084f3f7091324d4b6be33faa3c
Opcode Fuzzy Hash: 0fd686b1fef5c44c3b2fd0443a04e2416f184c66f1e885518512167db05e7eb1
Instruction Fuzzy Hash: ABA1E9B254C216BFD3119AE0CD40FD7B6DDFB49758F850928FD44AB242E326E92097E1

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB57F0 Relevance: 9.3, APIs: 6, Instructions: 326COMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSSUTIL3(00000800), ref: 6DFB58CD
PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6DFB5B5F
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFB5B71
PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6DFB5B83
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFB5B95
PORT_FreeArena_Util.NSSUTIL3(?,00000001), ref: 6DFB5BB1

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Arena_$Free
String ID:
API String ID: 818136658-0
Opcode ID: 071ece64983176a1b59fb6de09f6451182bc17ac86f6b482844b2e9becb9d67c
Instruction ID: 8f5c2169f232b96574a04499abb30d64f22dd9341047e6a51a61ff6120fd3dec
Opcode Fuzzy Hash: 071ece64983176a1b59fb6de09f6451182bc17ac86f6b482844b2e9becb9d67c
Instruction Fuzzy Hash: E1B1A6B28093165BD711DBAEC880E6B73ECBB44364F05062DE955D3380EB79D9588BD3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFAE460 Relevance: 9.3, APIs: 6, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSSUTIL3(00000000,?), ref: 6DFAE6EA
SECITEM_AllocItem_Util.NSSUTIL3(00000000,?,00000080,?,00000000,00000000), ref: 6DFAE71F
PORT_ZFree_Util.NSSUTIL3(00000000,00000000), ref: 6DFAE7D3
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFAE808
PORT_ZFree_Util.NSSUTIL3(?,?), ref: 6DFAE81B
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFAE843

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_Free_$AllocAlloc_Item_
String ID:
API String ID: 731999546-0
Opcode ID: 5dd39cda91fc1e832bb219395e272353f9fca5e8403a158463ab83b7e60b81c0
Instruction ID: 5af8cee627d8ef5e76b08b1fddeb9b3124e6fcdf603c3eb11ac376ca37bb4120
Opcode Fuzzy Hash: 5dd39cda91fc1e832bb219395e272353f9fca5e8403a158463ab83b7e60b81c0
Instruction Fuzzy Hash: 8EA18172A083069BD710CAE89884F9B77ECAF44214F094939FB68C7151FB75DA58CB93

Uniqueness

Uniqueness Score: -1.00%

Function 6DFAD980 Relevance: 9.3, APIs: 6, Instructions: 278memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSSUTIL3(00000000), ref: 6DFADB68
SECITEM_AllocItem_Util.NSSUTIL3(00000000,?,?), ref: 6DFADBA7
PORT_ZFree_Util.NSSUTIL3(?,00000000), ref: 6DFADC3A
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFADC6F
PORT_ZFree_Util.NSSUTIL3(?,?), ref: 6DFADC82
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFADCA4

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_Free_$AllocAlloc_Item_
String ID:
API String ID: 731999546-0
Opcode ID: 73b4d018af4feac44bc1f39720a05c20e7d0a97cc8a4d21f5e790bbe0a2c5da7
Instruction ID: 1224e07b2a6d7f87f611565e40cdd49e861ae3af0b8dbee486118064003582b3
Opcode Fuzzy Hash: 73b4d018af4feac44bc1f39720a05c20e7d0a97cc8a4d21f5e790bbe0a2c5da7
Instruction Fuzzy Hash: F081B572908306EAD700CAAD9DC4E8B77DCAF88254F49093AFE58C3150FB75D9198763

Uniqueness

Uniqueness Score: -1.00%

Function 6E0C4EB8 Relevance: 9.3, APIs: 6, Instructions: 261COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 6E0C5042
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E0C505E
__allrem.LIBCMT ref: 6E0C5075
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E0C5093
__allrem.LIBCMT ref: 6E0C50AA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E0C50C8

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 69e527cd8fca3de4114a940ec54988e7e7edd40951b6e9b968ecaec0a6f67e15
Instruction ID: 252d92a593bb5a6dd39a6d6a64b0bdb262720c43ce2ceb9a413c8240524bb4e0
Opcode Fuzzy Hash: 69e527cd8fca3de4114a940ec54988e7e7edd40951b6e9b968ecaec0a6f67e15
Instruction Fuzzy Hash: 7E71F676A00702AFE7208EE9DC41B9E73F9EF45F64F204A29E450D72D0E7B4D9028792

Uniqueness

Uniqueness Score: -1.00%

Function 6E01DEA0 Relevance: 9.2, APIs: 6, Instructions: 237COMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,00000000), ref: 6E01DF6F
PORT_FreeArena_Util.NSSUTIL3(?,00000000,?,?,?,?,00000000,?,?,00000000), ref: 6E01DFB8

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Arena_Util$Free
String ID:
API String ID: 771158934-0
Opcode ID: 66f5aa8f24ba0bbd8cc72a2b32907d80f1ee1a61c6b39afb5a70197308d0a59b
Instruction ID: 56297d6344adad61419ec823a373192722fa417e72f16ee369be7114d016436d
Opcode Fuzzy Hash: 66f5aa8f24ba0bbd8cc72a2b32907d80f1ee1a61c6b39afb5a70197308d0a59b
Instruction Fuzzy Hash: BC816CB15083429FD751CBE4C980BDBB7E8AF88744F04092EF599CB241E735D6498BA3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB61F0 Relevance: 9.2, APIs: 6, Instructions: 237COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE028), ref: 6DFB63E0
PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6DFB642F
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFB6448
PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6DFB6461
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFB647A
PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6DFA40AC), ref: 6DFB6493

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID:
API String ID: 1971245937-0
Opcode ID: 112723973a06840032e08d9a808aaf8ea9af4b81e2bf193b3435f0796de5d4dd
Instruction ID: 1fb0e629548ecde5c5c1155f5f369bf8f706cb7eab8899f15fc86ba09b3f2a8e
Opcode Fuzzy Hash: 112723973a06840032e08d9a808aaf8ea9af4b81e2bf193b3435f0796de5d4dd
Instruction Fuzzy Hash: 6D717172D087125BC3008ABE9C8096FBBA49A41374F090739F9758B3D0E775D99987E3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA7DA0 Relevance: 9.2, APIs: 6, Instructions: 214memoryCOMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE003), ref: 6DFA7DDE
PORT_Alloc_Util.NSSUTIL3(?), ref: 6DFA7E20
PORT_SetError_Util.NSSUTIL3(FFFFE004), ref: 6DFA803B

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Alloc_
String ID:
API String ID: 2938347131-0
Opcode ID: feae3e826f98ca1f6cca479290dbcb9e3b152db8f6b7ac1587dd0b35f3b2ff28
Instruction ID: 3a3c6a560fa547e120795bf54b065d7cb9e9b3887c798396299b5a04f8480e56
Opcode Fuzzy Hash: feae3e826f98ca1f6cca479290dbcb9e3b152db8f6b7ac1587dd0b35f3b2ff28
Instruction Fuzzy Hash: 2E816C7590D3C19BC301CB6C9850A9BBFE4AFC6324F48196EF9D447342E666D909CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 6E01B790 Relevance: 9.2, APIs: 6, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E01D610: PORT_NewArena_Util.NSSUTIL3(00000800,?,00000000,?,?,?,?,?,?,?,?,?,?,6E02002D,?,?), ref: 6E01D61A
Part of subcall function 6E01D610: PORT_InitCheapArena.NSSUTIL3(?,00000800,00000000,?,?,?,?,?,?,?,?,?,?,6E02002D,?,?), ref: 6E01D636
Part of subcall function 6E01D610: PORT_ArenaAlloc_Util.NSSUTIL3(00000000,00000034,?,00000800,00000000,?,?,?,?,?,?,?,?,?,?,6E02002D), ref: 6E01D63E
Part of subcall function 6E01D610: PORT_DestroyCheapArena.NSSUTIL3(?), ref: 6E01D6AC

PORT_NewArena_Util.NSSUTIL3(00000800,00000000,?,00000000,?,?,?,?,?,00000000), ref: 6E01B7E0
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,000008F8,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 6E01B7FA
PORT_ArenaAlloc_Util.NSSUTIL3(?,?,?,?,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 6E01B844
PORT_ArenaAlloc_Util.NSSUTIL3(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,?), ref: 6E01B899

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: ArenaUtil$Alloc_$Arena_Cheap$DestroyInit
String ID:
API String ID: 1754310604-0
Opcode ID: e13a9df1d54f0116a51106332dbedd249b244d54a4a67d82e1b5f1d92d07d216
Instruction ID: 5e6e47c58fa4d96896e9af7870ad6dd2d51de6f3ab57c4d5b8f77e31389f4616
Opcode Fuzzy Hash: e13a9df1d54f0116a51106332dbedd249b244d54a4a67d82e1b5f1d92d07d216
Instruction Fuzzy Hash: E26182759083029BD7008FE5AD81BAB77E8AF84659F04093DEC499B305E736E9168F92

Uniqueness

Uniqueness Score: -1.00%

Function 6E02CA2B Relevance: 9.2, APIs: 6, Instructions: 197COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,00000000,00000000,6E01AA5D,?,?,?,6E02CC45,00000001,00000001,BF418D08), ref: 6E02CA85
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,00000000,?,?,?,6E02CC45,00000001,00000001,BF418D08,00000000,?,?), ref: 6E02CAEE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000000,BF418D08,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 6E02CBCE
__freea.LIBCMT ref: 6E02CBDB

Part of subcall function 6E02C4F9: HeapAlloc.KERNEL32(00000000,?,00000000,?,6E02B985,00000004,?,?,?), ref: 6E02C52B

__freea.LIBCMT ref: 6E02CBE4
__freea.LIBCMT ref: 6E02CC09

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocHeap
String ID:
API String ID: 3147120248-0
Opcode ID: 239077fa82c6a84c0fca582e7474f1355f3009f4aebd17e4387333150cdacc6e
Instruction ID: b3e6e73ff1f8a76b6748e47f553cc753f6c9322fb9ae8c03dc50c262a2277315
Opcode Fuzzy Hash: 239077fa82c6a84c0fca582e7474f1355f3009f4aebd17e4387333150cdacc6e
Instruction Fuzzy Hash: 61519E72640217AFEB128EE4CC90FAB3AE9EB45794F614539FD19EB150D732EC1186A0

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB1820 Relevance: 9.2, APIs: 6, Instructions: 174memoryCOMMON

Download Yara Rule

APIs

SECITEM_ZfreeItem_Util.NSSUTIL3(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 6DFB1938
SECITEM_AllocItem_Util.NSSUTIL3(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6DFB195C
PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6DFB19CF
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFB19E4
PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6DFB19F9
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFB1A0E

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Item_$AllocZfree
String ID:
API String ID: 1921008293-0
Opcode ID: 67d61788e86367c0d1584ec543e58b7fe419e61721495a1baed668d50227bb1b
Instruction ID: 53781c7b92db3b46faad72c2dd4a4bd3c09423b7f506311116272ba860b971f9
Opcode Fuzzy Hash: 67d61788e86367c0d1584ec543e58b7fe419e61721495a1baed668d50227bb1b
Instruction Fuzzy Hash: D551E9B150830257E700CAEE9CC0B8B76DC9F442A8F440A35FA69822D0EBB9D91D8793

Uniqueness

Uniqueness Score: -1.00%

Function 6E017080 Relevance: 9.2, APIs: 6, Instructions: 160COMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSSUTIL3(00000800), ref: 6E017122
NSS_Get_SEC_OctetStringTemplate_Util.NSSUTIL3(00000000,00000000,?), ref: 6E017141
SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,?,00000000,?,?), ref: 6E017150
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,?), ref: 6E01715F
PORT_Free_Util.NSSUTIL3(?), ref: 6E017231
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000), ref: 6E017240

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_$Free$DecodeFree_Get_Item_OctetQuickStringTemplate_
String ID:
API String ID: 1423109607-0
Opcode ID: 0c0a9bf4801aa1874af5f02a2f27fcde3af0f753904600974f14725eac6d7d79
Instruction ID: bc8506e22b1750f43be18796ad60a914c388edc218d241243d88c8994c297b23
Opcode Fuzzy Hash: 0c0a9bf4801aa1874af5f02a2f27fcde3af0f753904600974f14725eac6d7d79
Instruction Fuzzy Hash: 425193B16083019FD350CFD8C881B9BB3E8FB9A348F484D29F9599B281E776D5058B93

Uniqueness

Uniqueness Score: -1.00%

Function 6E01C0F0 Relevance: 9.1, APIs: 6, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSSUTIL3(00000001,?,?,?,?,6E01E128,?,?,?,00000800), ref: 6E01C16C
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6E01C182
PORT_ArenaAlloc_Util.NSSUTIL3(00000001,?), ref: 6E01C1AF
PORT_ArenaAlloc_Util.NSSUTIL3(00000001,?), ref: 6E01C1E3
PORT_SetError_Util.NSSUTIL3(FFFFE012,?,?,?,6E01E128,?,?,?,00000800), ref: 6E01C226
PORT_ArenaAlloc_Util.NSSUTIL3(00000001,?), ref: 6E01C250

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Alloc_Arena$Error_
String ID:
API String ID: 1684866764-0
Opcode ID: 86c5c6aa5fa1c3290d8d1b863869679c4c976a500ae9bb6ad8d1680c19a13bcf
Instruction ID: 45f52af00baefce5101d637a14a53d8a20b93541e91220e97d4aa885e907df3a
Opcode Fuzzy Hash: 86c5c6aa5fa1c3290d8d1b863869679c4c976a500ae9bb6ad8d1680c19a13bcf
Instruction Fuzzy Hash: 205138756047024FDB188FE8D890A76BBF5EF952543188A3DD8AB8BB10D731F815CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB84A0 Relevance: 9.1, APIs: 6, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE00A), ref: 6DFB84C4
PORT_Alloc_Util.NSSUTIL3(?), ref: 6DFB84D7
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFB84EA

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Alloc_
String ID:
API String ID: 2938347131-0
Opcode ID: 6da1b93912582975f0eb1b560376710ec92dfb332f3aac2962180b5db3fae9d1
Instruction ID: 51808a01c92e921eba280c2cb07e43c9749d2b34fb66b21a08c7d260a1112de2
Opcode Fuzzy Hash: 6da1b93912582975f0eb1b560376710ec92dfb332f3aac2962180b5db3fae9d1
Instruction Fuzzy Hash: 9821F7F7B092136BDB014A2DFC4456EB795DFC1375B18827EE94A97200EA32DD05D352

Uniqueness

Uniqueness Score: -1.00%

Function 6E011810 Relevance: 9.1, APIs: 6, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,?,?,00000000,?,6E012E18,?,00000002,?,?,?,?,?,?,?,00000000), ref: 6E01182C
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000024,00000002,?,?,?,?,?,?,?,00000000), ref: 6E011841
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,?,?,?,00000002,?,?,?,?,?,?,?,00000000), ref: 6E01186C
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,?), ref: 6E0118A0
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000000,?,00000002,?), ref: 6E0118EA
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,00000002,?,?,?,?,?,?,?,00000000), ref: 6E011913

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Alloc_Arena$Arena_$Free
String ID:
API String ID: 2496641298-0
Opcode ID: c4d4deede7c84625d6c243d6f5b0f03e9be1422d91565894abb7c91954585b4a
Instruction ID: 4f8e96d686d651f6222463b3d3157c719d09bb74d2a290c47d7bd5425ca42fbe
Opcode Fuzzy Hash: c4d4deede7c84625d6c243d6f5b0f03e9be1422d91565894abb7c91954585b4a
Instruction Fuzzy Hash: 2131D3B56043025FDB208FA5EC91BA7BBF8EF50259F04093DE895CB251E735D6088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB8880 Relevance: 9.1, APIs: 6, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE003), ref: 6DFB88A0
PORT_Alloc_Util.NSSUTIL3(?), ref: 6DFB88D7
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFB88EA

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Alloc_
String ID:
API String ID: 2938347131-0
Opcode ID: 26fd7ed3c48b2b9e1887b9764dfa7b75ce274f96fefdeda122860159811c4aad
Instruction ID: 76baa6199bf913c31c149707d8af8e1ba52a6db50a135697fcee3a0c9da033db
Opcode Fuzzy Hash: 26fd7ed3c48b2b9e1887b9764dfa7b75ce274f96fefdeda122860159811c4aad
Instruction Fuzzy Hash: E921E77250C3026FDB015AAEBC4095BBBA8EFC4778F000A39FA6D46290EB71D915D753

Uniqueness

Uniqueness Score: -1.00%

Function 6E019DF0 Relevance: 9.1, APIs: 6, Instructions: 93COMMON

Download Yara Rule

APIs

PL_HashTableLookup.PLDS4(00000000,?,6E016D86,6E016D86,00000000,00000000,?,6E016D86,?,?,30000000), ref: 6E019E60
SECITEM_ItemsAreEqual_Util.NSSUTIL3(00000000,?,6E016D86,?,?,30000000), ref: 6E019E72
PL_HashTableLookup.PLDS4(00000000,?,6E016D86,?,?,6E016D86,?,?,30000000), ref: 6E019E87
SECITEM_DupItem_Util.NSSUTIL3(?,6E016D86,?,6E016D86,?,?,30000000), ref: 6E019E9D
PL_HashTableAdd.PLDS4(00000000,?,00000000,?,?,6E016D86,?,?,30000000), ref: 6E019EAE
SECITEM_FreeItem_Util.NSSUTIL3(00000000,00000001,?,?,?,?,?,6E016D86,?,?,30000000), ref: 6E019EBD

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: HashTableUtil$Item_Lookup$Equal_FreeItems
String ID:
API String ID: 3494452108-0
Opcode ID: f98b893c42ac271363002cadcdfe8bf6ce81d640d1896c70b5fc4e02724b6b61
Instruction ID: 5484a1764cd24506923a90b10d6fd825d1a1923f94656c63710a42c2d1e32de7
Opcode Fuzzy Hash: f98b893c42ac271363002cadcdfe8bf6ce81d640d1896c70b5fc4e02724b6b61
Instruction Fuzzy Hash: B821D4B2A0C2212AD60056F95C85BFF76DC8F81299F440839F994EB109FB29D91583B6

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB86A0 Relevance: 9.1, APIs: 6, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE004), ref: 6DFB86D5
PORT_Alloc_Util.NSSUTIL3(?), ref: 6DFB86F6
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFB8709
PORT_SetError_Util.NSSUTIL3(FFFFE006), ref: 6DFB877E

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Alloc_
String ID:
API String ID: 2938347131-0
Opcode ID: f2afd2a83bb9626ee32280cce604d669772a13b7b6bc5b52b2c038e6f60f1626
Instruction ID: c479399fd284595a8b8d0bcca5af9a50192f930b4062941058f40f3c3fb2d33b
Opcode Fuzzy Hash: f2afd2a83bb9626ee32280cce604d669772a13b7b6bc5b52b2c038e6f60f1626
Instruction Fuzzy Hash: FC2129B290C2126BD7001A2EBC40A5F7BA5EFC5778F150739FA2801290EB72DC85D693

Uniqueness

Uniqueness Score: -1.00%

Function 6E011FE0 Relevance: 9.1, APIs: 6, Instructions: 64COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE012), ref: 6E011FF1
PR_Lock.NSPR4(?), ref: 6E01201B
PR_Unlock.NSPR4(?,?,?,00000000), ref: 6E012031
PR_Lock.NSPR4(?), ref: 6E012044
PR_Unlock.NSPR4(?), ref: 6E012055
PORT_SetError_Util.NSSUTIL3(FFFFE012), ref: 6E012067

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Error_LockUnlockUtil
String ID:
API String ID: 2257831774-0
Opcode ID: ece0f4f07fde48dedfdc6366f57899014977f635cca5263f2ce08d730c78ce7d
Instruction ID: 9fde00beb4749d3d3a8d0eac266df222fcce3c3b2875198196522d82fa9d87eb
Opcode Fuzzy Hash: ece0f4f07fde48dedfdc6366f57899014977f635cca5263f2ce08d730c78ce7d
Instruction Fuzzy Hash: A411E3369046105BCB10DFE89C80A8BB3E8AF96720F080669FD14DB351E379E80997F3

Uniqueness

Uniqueness Score: -1.00%

Function 6E02F1B3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E02F33B

Strings

*?, xrefs: 6E02F1F4
., xrefs: 6E02F540

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: _free
String ID: *?$.
API String ID: 269201875-3972193922
Opcode ID: 58f3d92bd6307c06f60d371aee96f6bf041bf016fdb0d864fb3fdd8aa830343c
Instruction ID: 0174c334779052674c2c7a0a5a5aad217ec8272fad72bb98a3857699c8843023
Opcode Fuzzy Hash: 58f3d92bd6307c06f60d371aee96f6bf041bf016fdb0d864fb3fdd8aa830343c
Instruction Fuzzy Hash: 93612776D002199FDB04CFE8C880AEDFBF9EF49394B24856AD855B7304E731AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDD493 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6DFDD61B

Strings

*?, xrefs: 6DFDD4D4
., xrefs: 6DFDD820

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: _free
String ID: *?$.
API String ID: 269201875-3972193922
Opcode ID: 6978798732cef6d2c18e5b0500097d5453f13024e4aced10a3e428e1a4b67e6b
Instruction ID: 6f0262e102b882517ce2c5abc87f43a2ffd259eb5fd429baf4636eb1bc163a26
Opcode Fuzzy Hash: 6978798732cef6d2c18e5b0500097d5453f13024e4aced10a3e428e1a4b67e6b
Instruction Fuzzy Hash: E3612A76D0421A9FDB44CFACC8809EDFBF5EF89314B29416AD955A7300D771AE418F90

Uniqueness

Uniqueness Score: -1.00%

Function 6E014130 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSPR4(NSS_USE_DECODED_CKA_EC_POINT), ref: 6E014280

Strings

NSS_USE_DECODED_CKA_EC_POINT, xrefs: 6E01427B

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Secure
String ID: NSS_USE_DECODED_CKA_EC_POINT
API String ID: 829579058-837408685
Opcode ID: 3fd2a7089efbbade1c0f2fe7c7dee3a74e8df1d18e9649d2d147174b67a38650
Instruction ID: 66b0a6a162a7dd28a1a0399a5b014150581d9fb3ef8aab5b9a7f1b06d58e854e
Opcode Fuzzy Hash: 3fd2a7089efbbade1c0f2fe7c7dee3a74e8df1d18e9649d2d147174b67a38650
Instruction Fuzzy Hash: 3B5104766046029FE700DFE8D841BDAF3E4FF9821AFC0486EE45D8B261D73294158B93

Uniqueness

Uniqueness Score: -1.00%

Function 6E09EE50 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 174COMMON

Download Yara Rule

APIs

sqlite3_reset.SQLITE3(?,?,?), ref: 6E09EE63

Strings

d, xrefs: 6E09EF37
e, xrefs: 6E09EF5A
d, xrefs: 6E09F069
e, xrefs: 6E09F06E

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID: sqlite3_reset
String ID: d$d$e$e
API String ID: 120701357-3211158774
Opcode ID: 3781d5a5afb1191bb1939d1f2b4e4a17bcaf0aac8fc91792a44fb276d7189603
Instruction ID: 80749d261b2f32e7e91c042c2218a4185b8b2b7a63df20d5d469d90a6bf2bf33
Opcode Fuzzy Hash: 3781d5a5afb1191bb1939d1f2b4e4a17bcaf0aac8fc91792a44fb276d7189603
Instruction Fuzzy Hash: 916146705187468FEB60CFE4D890766B7E8BF00348F10246EEC994B286E775E849FB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E021680 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

PORT_Strdup_Util.NSSUTIL3(?,00000000,?,?,0000000A,6E0208E9,?,?,?,00000001,?), ref: 6E021694
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E021757
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E021794
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E0217AA

Strings

.db, xrefs: 6E0216BC

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Free_$Strdup_
String ID: .db
API String ID: 398476677-1874795567
Opcode ID: 58d4498305738b62d717d883ab07cc8b42c19a6876413bba1ab62b4d1972ea21
Instruction ID: 80753238325eedd6a9d34bbb593114b97fa0b9132f4d96cb14a709be859e9048
Opcode Fuzzy Hash: 58d4498305738b62d717d883ab07cc8b42c19a6876413bba1ab62b4d1972ea21
Instruction Fuzzy Hash: 574149B3B042122FD21149E45C81FEB73EE8BC17A4F584A75FD459B242E667DD0E82E1

Uniqueness

Uniqueness Score: -1.00%

Function 6E011590 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSSUTIL3(00000058,?,?,6E01F4C4,00000000,?,00000180,00000001,00000000,?,?,?), ref: 6E011594
PORT_ZAlloc_Util.NSSUTIL3(?,?,?,00000000,?), ref: 6E01161A

Strings

.dir, xrefs: 6E0115E2, 6E011630

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Alloc_Util
String ID: .dir
API String ID: 3106674895-608412691
Opcode ID: bfec077f03d21b8bd88108e0eff5b4e7e7d1d8f01d561abb02e2d240e0988851
Instruction ID: 3fb3e3ab8718b9795a9b98d792659dde3dd1437fc6e6e162701310db66a8b545
Opcode Fuzzy Hash: bfec077f03d21b8bd88108e0eff5b4e7e7d1d8f01d561abb02e2d240e0988851
Instruction Fuzzy Hash: 654116B1A0C7424FD7198FE5D8507E3BBE5ABA62C4B48492DD4868F306E732E40C8795

Uniqueness

Uniqueness Score: -1.00%

Function 6E011D30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

PR_Lock.NSPR4(?), ref: 6E011D74
PR_Unlock.NSPR4(?), ref: 6E011D81
PR_Lock.NSPR4(?), ref: 6E011E16
PR_Unlock.NSPR4(?), ref: 6E011E25

Strings

key, xrefs: 6E011D98

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: LockUnlock
String ID: key
API String ID: 4018760208-2324736937
Opcode ID: 5318fa7a603c8b939279c1db4e4bedea24b8e3555d2f940b492966a070b96423
Instruction ID: 59bd7c65a5c5bf09d458ade0941ae434708e7d561030a5513420768598da7c53
Opcode Fuzzy Hash: 5318fa7a603c8b939279c1db4e4bedea24b8e3555d2f940b492966a070b96423
Instruction Fuzzy Hash: EC3105B560C3016BEF546EE4DC85BDB36ECAF21385F040460FC418F24AE7B5D959C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 6E029989 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6E02993A,?,?,6E029902,000004D2,00000001), ref: 6E0299A9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6E0299BC
FreeLibrary.KERNEL32(00000000,?,?,?,6E02993A,?,?,6E029902,000004D2,00000001), ref: 6E0299DF

Strings

mscoree.dll, xrefs: 6E0299A2
CorExitProcess, xrefs: 6E0299B4

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 28a6c647c16c5495303b43047cb65c861e641f9495ca4d75cb0e54243a95400a
Instruction ID: 36bc4de4ab390ad65835d05c4eafe734eccbc3ac849ce1bd3070c1753aedf13f
Opcode Fuzzy Hash: 28a6c647c16c5495303b43047cb65c861e641f9495ca4d75cb0e54243a95400a
Instruction Fuzzy Hash: 50F0623490061ABFCF219FD5CC48B9DBFF8EF0A7A1F500165F809A6260DB318A44CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDAE31 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6DFDADE2,00000002,?,6DFDADAA,00000003,6DFDA814), ref: 6DFDAE51
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6DFDAE64
FreeLibrary.KERNEL32(00000000,?,?,?,6DFDADE2,00000002,?,6DFDADAA,00000003,6DFDA814), ref: 6DFDAE87

Strings

mscoree.dll, xrefs: 6DFDAE4A
CorExitProcess, xrefs: 6DFDAE5C

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3992f0445580ab30a11c3dfc206e2a1eb285f97272ebff5278360f5e9b8c4399
Instruction ID: 4a9c3f629b8a8d43d10a899400984c3724da37b1a32634e663a28f79c5434b6b
Opcode Fuzzy Hash: 3992f0445580ab30a11c3dfc206e2a1eb285f97272ebff5278360f5e9b8c4399
Instruction Fuzzy Hash: 1BF06D31A14109BFCF019FA9C84DFAEBFF9EF05316F0601A8F909A2160DF358A45CA91

Uniqueness

Uniqueness Score: -1.00%

Function 6E0A3F77 Relevance: 7.8, APIs: 5, Instructions: 300COMMON

Download Yara Rule

APIs

__alldvrm.LIBCMT ref: 6E0A4095
__alldvrm.LIBCMT ref: 6E0A40C5
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E0A41F6
__allrem.LIBCMT ref: 6E0A421B
__allrem.LIBCMT ref: 6E0A4302

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID: __alldvrm__allrem$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 2031375191-0
Opcode ID: 9ed981770bc1d0baca9c1028a2a11a6893b4896235237e9417dbaed13f948172
Instruction ID: 5546bef44ed9524999ff978decfc43f891f4466be9a4c8833b653d7ba4bca264
Opcode Fuzzy Hash: 9ed981770bc1d0baca9c1028a2a11a6893b4896235237e9417dbaed13f948172
Instruction Fuzzy Hash: B0C19D74918384AFD7248FE8C880B9FB7E6BF89354F54492DE68887352DB309845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB07A0 Relevance: 7.7, APIs: 5, Instructions: 218memoryCOMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE08D), ref: 6DFB087A
SECOID_FindOIDTag_Util.NSSUTIL3(00000000), ref: 6DFB08A9
PORT_ArenaAlloc_Util.NSSUTIL3 ref: 6DFB08E7
PORT_SetError_Util.NSSUTIL3(FFFFE08D), ref: 6DFB09D2
PORT_SetError_Util.NSSUTIL3(FFFFE08D), ref: 6DFB09E7

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Alloc_ArenaFindTag_
String ID:
API String ID: 4007089450-0
Opcode ID: 897cbb5ef845007bb897376ce162ed7f48d800243e79e184189181d6e20dc120
Instruction ID: b606365b8334d238928a371a25ac5e6a0737b2005363b6236d3b9dda8a840a4c
Opcode Fuzzy Hash: 897cbb5ef845007bb897376ce162ed7f48d800243e79e184189181d6e20dc120
Instruction Fuzzy Hash: 195192B1905700AFE310CF2ED98071A7BE4FF49318F15492DE59A8B781E372E50ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E01BB00 Relevance: 7.7, APIs: 5, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaStrdup_Util.NSSUTIL3(00000001,?,00000000,00000000), ref: 6E01BB22
PORT_ArenaZAlloc_Util.NSSUTIL3(00000001,?,00000000,?,00000000,00000000), ref: 6E01BB49
PORT_ArenaZAlloc_Util.NSSUTIL3(00000001,?,00000001,?,00000000,?,00000000,00000000), ref: 6E01BB58
SECITEM_CopyItem_Util.NSSUTIL3(00000001,?,?,00000000,?,00000000,00000000), ref: 6E01BC8C
SECITEM_CopyItem_Util.NSSUTIL3(00000001,?,?,?,?,?,00000000,?,00000000,00000000), ref: 6E01BCAC

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena$Alloc_CopyItem_$Strdup_
String ID:
API String ID: 1024836196-0
Opcode ID: dc552fb3962b6a9e7b0486e687867ee16135f150f0ae6c370a0b9835675100e5
Instruction ID: 228885aae4824f1e829fc0dcd1b29674f5c176aaa9189b32980cecb04be8d983
Opcode Fuzzy Hash: dc552fb3962b6a9e7b0486e687867ee16135f150f0ae6c370a0b9835675100e5
Instruction Fuzzy Hash: 528169B5908306DFC354CFA8C880A9AB7E4FF48318F444A6DE8999B715E731E915CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6DFAE860 Relevance: 7.7, APIs: 5, Instructions: 173COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6DFAE9CF
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFAE9E6
PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6DFAE9FD
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFAEA14
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFAEA3A

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID:
API String ID: 1971245937-0
Opcode ID: dd49704da5afa9844d5121d1a7592734b2cee8a0e5229d173b618169d2fe6dee
Instruction ID: 439906ea4f8278b6cb8c736eb8d79cc0564557844589e9209931f3d75e4cb3d8
Opcode Fuzzy Hash: dd49704da5afa9844d5121d1a7592734b2cee8a0e5229d173b618169d2fe6dee
Instruction Fuzzy Hash: F1412AB3E0931597C70096ACAC80A9FB3D8AF84674F490635EE14D7250E76AED1943E3

Uniqueness

Uniqueness Score: -1.00%

Function 6E0B2FA0 Relevance: 7.7, APIs: 5, Instructions: 164COMMON

Download Yara Rule

APIs

sqlite3_free.SQLITE3(?), ref: 6E0B3099
sqlite3_free.SQLITE3(?), ref: 6E0B30E4
sqlite3_free.SQLITE3(?), ref: 6E0B312F
sqlite3_free.SQLITE3(?), ref: 6E0B318A

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID: sqlite3_free
String ID:
API String ID: 2313487548-0
Opcode ID: 1a669dafab242e86bd1c9ba4e04cbe6c8d7d0ff2a91db61b884a8515e0afebe1
Instruction ID: ab349ee534e535b6ae3bd93772dde51fbc569e5612d87703fd568f058d6552b5
Opcode Fuzzy Hash: 1a669dafab242e86bd1c9ba4e04cbe6c8d7d0ff2a91db61b884a8515e0afebe1
Instruction Fuzzy Hash: 3851A174910706DBE72CCFA0D4A9BEBB3A4BF09345F204D1DD96A47601D7BAB484CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6E028433 Relevance: 7.6, APIs: 5, Instructions: 142pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000000,00000000,00000000), ref: 6E028455
GetFileInformationByHandle.KERNEL32(?,?), ref: 6E0284AF

Part of subcall function 6E028761: __dosmaperr.LIBCMT ref: 6E0287A4

GetLastError.KERNEL32 ref: 6E02853E
__dosmaperr.LIBCMT ref: 6E028545
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 6E028582

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: ffd67f8b4ea74befe2af24f22c6dc84e84b5ef6577dfb430498b41aa30e1dc26
Instruction ID: a812713358268786e5c27da9cc42ab296237b6ba848ea8632118a9fff2cb35cb
Opcode Fuzzy Hash: ffd67f8b4ea74befe2af24f22c6dc84e84b5ef6577dfb430498b41aa30e1dc26
Instruction Fuzzy Hash: 07413879900619AFDB24DFF5D845AAFBBF9EF89340B00492DE956D3610E730A940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB31C0 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE001,00000000), ref: 6DFB3201
PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,?,?,00000000), ref: 6DFB3284
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,00000000), ref: 6DFB32A7

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID:
API String ID: 1971245937-0
Opcode ID: 6f1bbeb79b1162c754985cefcbbbe43a0a9cc1cc539c0d19b591658f42b86722
Instruction ID: aadd755aef44b6874df1d5710a56add0e686446ae0737eee47c575067b22e2f0
Opcode Fuzzy Hash: 6f1bbeb79b1162c754985cefcbbbe43a0a9cc1cc539c0d19b591658f42b86722
Instruction Fuzzy Hash: 9C31EBB3A082141BC7009B6DAC41A6EB7D4AFC5374F590739EA69873D0EF6299488293

Uniqueness

Uniqueness Score: -1.00%

Function 6E01E1B0 Relevance: 7.6, APIs: 5, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,6E01B8E8,?,00000000), ref: 6E01E1BC
PORT_ArenaAlloc_Util.NSSUTIL3(00000000,?), ref: 6E01E201
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,00000000,?,?,?,?,?,?,?,?,6E01B8E8,?,00000000), ref: 6E01E218
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E01E223
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000), ref: 6E01E300

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_$Free$Alloc_ArenaError_
String ID:
API String ID: 850064599-0
Opcode ID: 0a2ae0e0be0131a368c97d23c573f3828ea17c5a84483b7ba97f5c64745cf155
Instruction ID: acf8626b675272d87a3f609ff5ff408eb1bd43dfb9a493f9de8d4fcf01664eb7
Opcode Fuzzy Hash: 0a2ae0e0be0131a368c97d23c573f3828ea17c5a84483b7ba97f5c64745cf155
Instruction Fuzzy Hash: 0D41E4715182496FC301CFE8DC80ADE7BE8AF55224F084A2AF9548B641E334E65987B3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA2C80 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE004), ref: 6DFA2CC3
PORT_SetError_Util.NSSUTIL3(FFFFE004), ref: 6DFA2CF5

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID:
API String ID: 1971245937-0
Opcode ID: 0ed3cf7a91e99f51ef40250c4774800f6e35e0bed7fd2a845ff978e3040d22d4
Instruction ID: ae8a3e9131cf916d63a73ab2eb4162e24c9f05750f3977aa783302921e9e26b4
Opcode Fuzzy Hash: 0ed3cf7a91e99f51ef40250c4774800f6e35e0bed7fd2a845ff978e3040d22d4
Instruction Fuzzy Hash: 0F31B7B26082006FC610976DDC41B6FB7E8BF89365F55462AF769C2290DE32D904CB93

Uniqueness

Uniqueness Score: -1.00%

Function 6E01B0B0 Relevance: 7.6, APIs: 5, Instructions: 111timeCOMMON

Download Yara Rule

APIs

DER_DecodeTimeChoice_Util.NSSUTIL3(?,?), ref: 6E01B0E1
DER_DecodeTimeChoice_Util.NSSUTIL3(?,?), ref: 6E01B0FB
DER_DecodeTimeChoice_Util.NSSUTIL3(?,?), ref: 6E01B139
DER_DecodeTimeChoice_Util.NSSUTIL3(?,?), ref: 6E01B153
PR_Now.NSPR4(00000000), ref: 6E01B1B4

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Choice_DecodeTimeUtil
String ID:
API String ID: 2662528191-0
Opcode ID: 86a6b34b84785fbb75c2406fa6a29859be775ccbdc917de223d3b22d1b003e94
Instruction ID: dd635cd358fa3d10d21acf444d21b521919da4304c4c3e801a018f7e6b77cce8
Opcode Fuzzy Hash: 86a6b34b84785fbb75c2406fa6a29859be775ccbdc917de223d3b22d1b003e94
Instruction Fuzzy Hash: 0431307290C242DFD741DAD5C950BDB77ECAB84245F814C29F944DB218F325E6588B92

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA2110 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

PR_Lock.NSPR4(6DFF9B70,00000000,6DFF9B70,?,6DF9114B,?,00000000,?,00000014), ref: 6DFA211A
PR_Unlock.NSPR4(6DFF9B70), ref: 6DFA2153
PR_Unlock.NSPR4(6DFF9B70), ref: 6DFA217E
PR_Unlock.NSPR4(6DFF9B70), ref: 6DFA21BD

Part of subcall function 6DFA1B70: PORT_Alloc_Util.NSSUTIL3(00000020,00000000,6DFF9B70), ref: 6DFA1B82
Part of subcall function 6DFA1B70: PORT_SetError_Util.NSSUTIL3(FFFFE013,6DFF9B70), ref: 6DFA1B95
Part of subcall function 6DFA1B70: PORT_GetError_Util.NSSUTIL3(?,?,?,?,?,?,?,?,6DFF9B70), ref: 6DFA1B9D
Part of subcall function 6DFA1B70: PORT_Alloc_Util.NSSUTIL3(00000050,?,?,?,?,?,?,?,?,6DFF9B70), ref: 6DFA1BAF
Part of subcall function 6DFA1B70: PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,?,?,?,6DFF9B70), ref: 6DFA1E10

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_Unlock$Alloc_$Lock
String ID:
API String ID: 1090573766-0
Opcode ID: 8a8a1f335cf4548d2f62cdfb149c73bfae7b1e665729649df09eb43a5de785e2
Instruction ID: 534373457372f35581c5b7f971665332821b005bb6563722883c9f279dd676db
Opcode Fuzzy Hash: 8a8a1f335cf4548d2f62cdfb149c73bfae7b1e665729649df09eb43a5de785e2
Instruction Fuzzy Hash: A231EAB6B04300FBEB205F6EEC88B4B7BA9EB41359F190539F71583251E7226D14C761

Uniqueness

Uniqueness Score: -1.00%

Function 6E01D3D0 Relevance: 7.6, APIs: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

PR_Lock.NSPR4(00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6E01D3FB
PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6E01E14B,?), ref: 6E01D41B
PORT_SetError_Util.NSSUTIL3(FFFFE012), ref: 6E01D42D
PORT_ArenaAlloc_Util.NSSUTIL3(?,?), ref: 6E01D487
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6E01D49D

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Error_$Alloc_ArenaLockUnlock
String ID:
API String ID: 303087441-0
Opcode ID: 24d790919e1d59409c11f4927b4f2ba8ff3424f4d9a05e0950bb2f32aee8bc35
Instruction ID: cf10f0c4dd1e85ffd4df2f527338b4b0743078f3d0466fe4b27192336f5dac34
Opcode Fuzzy Hash: 24d790919e1d59409c11f4927b4f2ba8ff3424f4d9a05e0950bb2f32aee8bc35
Instruction Fuzzy Hash: 3F312675508A125FD700CFACD8006DBBBE5FF85221F888A6AF4A887351E338E514CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E01F0D0 Relevance: 7.6, APIs: 5, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E01D270: PR_Lock.NSPR4 ref: 6E01D2B0
Part of subcall function 6E01D270: PR_Unlock.NSPR4(?), ref: 6E01D2D7
Part of subcall function 6E01D270: PORT_ZAlloc_Util.NSSUTIL3(000008F8), ref: 6E01D2E9
Part of subcall function 6E01D270: PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6E01D2FC

PR_Lock.NSPR4(?,?,?,00000000,00000000,?), ref: 6E01F121
PR_Unlock.NSPR4 ref: 6E01F147
PORT_ZAlloc_Util.NSSUTIL3(00000220), ref: 6E01F159
PORT_Alloc_Util.NSSUTIL3(?), ref: 6E01F18C
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E01F1B5

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Alloc_$LockUnlock$Error_Free_
String ID:
API String ID: 2025831573-0
Opcode ID: 8373df30e0086ef17cdc940f4a8975c683b7f94bf66ea19c3ce2ed26b58a33b8
Instruction ID: 646a94ae5a76229820059661182b6d9f55816a605c548bc15d2e2a43a284a48f
Opcode Fuzzy Hash: 8373df30e0086ef17cdc940f4a8975c683b7f94bf66ea19c3ce2ed26b58a33b8
Instruction Fuzzy Hash: 2131AB769087018FD750CFD4E840A97B7F8FF84394F04092AEC599B211E731E9188B92

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA80D0 Relevance: 7.6, APIs: 5, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFA810F
PORT_ZAlloc_Util.NSSUTIL3(00000128), ref: 6DFA8123
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFA8136
PORT_ZFree_Util.NSSUTIL3(00000000,00000128), ref: 6DFA81AF
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFA81CA

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Alloc_Free_
String ID:
API String ID: 3186423673-0
Opcode ID: 0f879a005dbb71af14015a4a71b4f6ca1169ab3c7b88632d71de0e9d58eb2705
Instruction ID: af397c7a649efa58806c29bfc845bf2ad75cf65f04ef97b6f105bac5df6ac05c
Opcode Fuzzy Hash: 0f879a005dbb71af14015a4a71b4f6ca1169ab3c7b88632d71de0e9d58eb2705
Instruction Fuzzy Hash: 5321087270D355EBE7508A5CFC406AFB3E4FF84765F084A3AF94887204E772D8408692

Uniqueness

Uniqueness Score: -1.00%

Function 6E0214C9 Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

PORT_Free_Util.NSSUTIL3(?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 6E021567
PORT_Free_Util.NSSUTIL3(?,00000000,?,?,00000000,?,?), ref: 6E021578
PORT_Free_Util.NSSUTIL3(?,00000000,?,?,00000000,?,?), ref: 6E021589
PORT_Free_Util.NSSUTIL3(00000000,00000000,?,?,00000000,?,?), ref: 6E021596
PORT_Free_Util.NSSUTIL3(?,00000000,?,?,00000000,?,?), ref: 6E0215A7

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Free_Util
String ID:
API String ID: 3239092222-0
Opcode ID: ad24d351d345fbb2b03b292081ebb9d5136d7a3949efd8a7de0eb9aae78aaefa
Instruction ID: adf83ddfff0288abf4467a1687a0b851923ee758dcff2570578e8125e53cf5d4
Opcode Fuzzy Hash: ad24d351d345fbb2b03b292081ebb9d5136d7a3949efd8a7de0eb9aae78aaefa
Instruction Fuzzy Hash: 023184B490A2E28FC709C77954A927DFFD45D2610170809EEE8D64F352E125D648CF76

Uniqueness

Uniqueness Score: -1.00%

Function 6E02FF0D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6E02FF16
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E02FF39

Part of subcall function 6E02C4F9: HeapAlloc.KERNEL32(00000000,?,00000000,?,6E02B985,00000004,?,?,?), ref: 6E02C52B

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6E02FF5F
_free.LIBCMT ref: 6E02FF72
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E02FF81

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
String ID:
API String ID: 2278895681-0
Opcode ID: eccef78af90a11e7893e44e7e6af15e7d19a2693eb9282fc7d3d6d0b374bf1b1
Instruction ID: 6c6f20c093d3414c803ad0b78fe13d753a9f4d44fa00d0497eeb742327a3dde1
Opcode Fuzzy Hash: eccef78af90a11e7893e44e7e6af15e7d19a2693eb9282fc7d3d6d0b374bf1b1
Instruction Fuzzy Hash: 7601B576601A167F676115FA4C88E7FA9EDEEC7AE07210139F914F7200EA61CC0181B4

Uniqueness

Uniqueness Score: -1.00%

Function 6E02D110 Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(6E01931B,00000000,00000000,6E0282B6,6E021B3A,6E0126D7,00000000,6E01931B,00000180,00000001,00000000,?,6E0197A0,00000000), ref: 6E02D115
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF), ref: 6E02D13B
_free.LIBCMT ref: 6E02D17B
_free.LIBCMT ref: 6E02D1AE
SetLastError.KERNEL32(00000000,?,?,?,00000000,FFFFFFFF,000000FF), ref: 6E02D1BB

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d67366497b73bc4c239f5c5049e88b2720f383521d360f3f46d29123fb53cfb1
Instruction ID: 9caa541ae553b78bccefb8d404f4a102462bea90680f7634238faf68dce7ee35
Opcode Fuzzy Hash: d67366497b73bc4c239f5c5049e88b2720f383521d360f3f46d29123fb53cfb1
Instruction Fuzzy Hash: DD1104761449027FD62256F95C80B9F26EDAFE23B87614734F435975D4EF21CC01AC60

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDC57F Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(6DFE5907,6DFE5908,?,6DFDBBC7,6DFDB8FB), ref: 6DFDC584
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6DFDBBC7,6DFDB8FB), ref: 6DFDC5AA
_free.LIBCMT ref: 6DFDC5EA
_free.LIBCMT ref: 6DFDC61D
SetLastError.KERNEL32(00000000,6DFDBBC7,6DFDB8FB), ref: 6DFDC62A

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: f82c14d5248e2deb5108d15dc11755c94d168ff3b3d2101891e5937a5a536a05
Instruction ID: e7082dd26b83cb7ff9689a66fc43620006fd18229d271ee2803f463095af4051
Opcode Fuzzy Hash: f82c14d5248e2deb5108d15dc11755c94d168ff3b3d2101891e5937a5a536a05
Instruction Fuzzy Hash: 6F1182721185116ADB826B3DAC84B6F367E9F8A67972F4714FB24D3290EF228D425121

Uniqueness

Uniqueness Score: -1.00%

Function 6E02CFC2 Relevance: 7.6, APIs: 5, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(000004D2,000004D2,6E02BE87,?,?,6E02413F,?,6E02C36B,?,00000001,000004D2,000004D2,?,6E02C260,000004D2,?), ref: 6E02CFC6
_free.LIBCMT ref: 6E02D01D
_free.LIBCMT ref: 6E02D051
SetLastError.KERNEL32(00000000,00000001,000004D2,000004D2,?,6E02C260,000004D2,?,?,6E03AC70,00000010,6E02413F,000001C4,?,?,?), ref: 6E02D05E
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6E02C36B,?,00000001,000004D2,000004D2,?,6E02C260,000004D2,?,?,6E03AC70,00000010), ref: 6E02D06A

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 589040adde30f1758c6f8f6c737275c4109d6eddd5fd374f9f24e3905b6eafc6
Instruction ID: bde6ec66ac3c8aa53d6003ae374ad82142834316a22f3466c7a2011e3a1c7397
Opcode Fuzzy Hash: 589040adde30f1758c6f8f6c737275c4109d6eddd5fd374f9f24e3905b6eafc6
Instruction Fuzzy Hash: 3E1108395449026ED67212F4AC84F9E27ED9F92778B610A34F934AB1E0EF21CC025DA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDC431 Relevance: 7.6, APIs: 5, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,6DFDA853,?,?,?,00000003,6DFBFE21), ref: 6DFDC435
_free.LIBCMT ref: 6DFDC48C
_free.LIBCMT ref: 6DFDC4C0
SetLastError.KERNEL32(00000000,?,00000003,6DFBFE21), ref: 6DFDC4CD
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,?,6DFDA853,?,?,?,00000003,6DFBFE21), ref: 6DFDC4D9

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6684731330a75da8bfad6e9d67d690295da29d2b999fddd2f4d10fe751d0da61
Instruction ID: 63152f778d9817c28bf8770fe73a1d784b06dcfb54e7163492ce867808382daa
Opcode Fuzzy Hash: 6684731330a75da8bfad6e9d67d690295da29d2b999fddd2f4d10fe751d0da61
Instruction Fuzzy Hash: E4118E32158501AADBC27F2CAC44B7E367E9F87639B2E8715FB24932D0DF218A025271

Uniqueness

Uniqueness Score: -1.00%

Function 6E01C750 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

PR_Lock.NSPR4(?,00000000,00000006,?,?,?,?,00000000,6E01FE8F,?,?), ref: 6E01C779
PR_Unlock.NSPR4(?,?,?,00000000,6E01FE8F,?,?), ref: 6E01C794
PR_Lock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E01C7B1
PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E01C7C7
PORT_SetError_Util.NSSUTIL3(FFFFE012), ref: 6E01C7D9

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: LockUnlock$Error_Util
String ID:
API String ID: 855844629-0
Opcode ID: e2f21798683e121ed66d739656c8e64be05ef726697fe6d2def1681e031bb1c9
Instruction ID: 6bf2ad81818a0718bdb964c97e0d11c14e82b0e2d396b22c51826a2dad3a1cab
Opcode Fuzzy Hash: e2f21798683e121ed66d739656c8e64be05ef726697fe6d2def1681e031bb1c9
Instruction Fuzzy Hash: D811E93A805A129FCB11DFA8DC44A9ABBE1AF8A710F080565FC5597361E330D814DB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E02A893 Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 6E02A8A9
GetLastError.KERNEL32(?,?,?), ref: 6E02A8B3
__dosmaperr.LIBCMT ref: 6E02A8BA
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 6E02A8D8
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 6E02A8FE

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: FilePointer$ErrorLast__dosmaperr
String ID:
API String ID: 1114809156-0
Opcode ID: a093af7f5d43aa24bc9d25acff805d717c38e52bcb6280f73271cba0843fd04e
Instruction ID: a9250ce989c9627de08f82f02a2dcc803be758444df92687af8618f200e40f24
Opcode Fuzzy Hash: a093af7f5d43aa24bc9d25acff805d717c38e52bcb6280f73271cba0843fd04e
Instruction Fuzzy Hash: 1001177590151ABFDF20AFE5CC48EDE7FBDEF017A0F204565B828961A0DB318A51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E01EB60 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

PORT_Free_Util.NSSUTIL3(?,00000000,6E01858D,00000000,?,00000000,?,00000008,20000000,00000000,?,-00000050,?,?,?,?), ref: 6E01EB84
PR_Lock.NSPR4(00000008,00000000,00000220,00000000,6E01858D,00000000,?,00000000,?,00000008,20000000,00000000,?,-00000050,?,?), ref: 6E01EB9F
PORT_Free_Util.NSSUTIL3(00000008), ref: 6E01EBB3
PR_Unlock.NSPR4 ref: 6E01EBC1

Part of subcall function 6E01CAD0: PORT_Free_Util.NSSUTIL3(6674C085,?,6E020330,00000000,?,?,?,?,?,?,?,?), ref: 6E01CAFB
Part of subcall function 6E01CAD0: PORT_Free_Util.NSSUTIL3(E9FFFFDB,?,6E020330,00000000,?,?,?,?,?,?,?,?), ref: 6E01CB12
Part of subcall function 6E01CAD0: PR_Lock.NSPR4(?,6E020330,00000000,?,?,?,?,?,?,?,?), ref: 6E01CB20
Part of subcall function 6E01CAD0: PORT_Free_Util.NSSUTIL3(6E020330,?,?,?,?,?,?,?,?,?), ref: 6E01CB34
Part of subcall function 6E01CAD0: PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,?,?), ref: 6E01CB42

PR_Unlock.NSPR4 ref: 6E01EBE5

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Free_Util$Unlock$Lock
String ID:
API String ID: 2418919064-0
Opcode ID: 78ffb8be8cd9911dd40fd5e06087046169f3fc4da878fc4dc448cda71d19175b
Instruction ID: 2810d4d0095ab66c231b3e25dfec76899becc0ac2d3d0b21806159c5b40ede0d
Opcode Fuzzy Hash: 78ffb8be8cd9911dd40fd5e06087046169f3fc4da878fc4dc448cda71d19175b
Instruction Fuzzy Hash: E301D4B0901A129FDF249FA4E880B8B37EABB05218B04082AF85BC7601E730E421CE47

Uniqueness

Uniqueness Score: -1.00%

Function 6E03100B Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6E031023

Part of subcall function 6E02C4BF: HeapFree.KERNEL32(00000000,00000000,?,6E03109E,?,00000000,?,00000000,?,6E0310C5,?,00000007,?,?,6E030D6A,?), ref: 6E02C4D5
Part of subcall function 6E02C4BF: GetLastError.KERNEL32(?,?,6E03109E,?,00000000,?,00000000,?,6E0310C5,?,00000007,?,?,6E030D6A,?,?), ref: 6E02C4E7

_free.LIBCMT ref: 6E031035
_free.LIBCMT ref: 6E031047
_free.LIBCMT ref: 6E031059
_free.LIBCMT ref: 6E03106B

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 353f7bf2a25733a2f1708b1e97adaa111a8876587f859f6f7c8f4e6a77520cf3
Instruction ID: 8b49a8d79f5f9a0ccb251262ba7c4bf7f6f97cbd089603f0dd03a5858e1f64f5
Opcode Fuzzy Hash: 353f7bf2a25733a2f1708b1e97adaa111a8876587f859f6f7c8f4e6a77520cf3
Instruction Fuzzy Hash: 29F06239904A679BCA60DBD5D4D0E6B33EDEA457547644C06F51CDBA40CB75FC808E90

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB0CC0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

PORT_FreeArena_Util.NSSUTIL3(?,00000000), ref: 6DFB0CD2
SECITEM_FreeItem_Util.NSSUTIL3(?,00000000), ref: 6DFB0CE0
SECITEM_FreeItem_Util.NSSUTIL3(?,00000000,?,00000000), ref: 6DFB0CEB
SECITEM_FreeItem_Util.NSSUTIL3(?,00000000,?,00000000,?,00000000), ref: 6DFB0CF6
PORT_Free_Util.NSSUTIL3(?,?,00000000,?,00000000,?,00000000), ref: 6DFB0CFC

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Free$Item_$Arena_Free_
String ID:
API String ID: 2810683504-0
Opcode ID: 4c95b6f87a91df298f17e47ca521b29dc4c57df0e5a79813f05c7f858efad015
Instruction ID: 532d7c194fa7d5a42635ff65402e573f998cbd63e5a837b05a588bd1b29ae30a
Opcode Fuzzy Hash: 4c95b6f87a91df298f17e47ca521b29dc4c57df0e5a79813f05c7f858efad015
Instruction Fuzzy Hash: 93E092B29047116ADB60EAACBC40FDB739C6F04600F2A4825FA4097080E774F944C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E0205B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

PORT_Strdup_Util.NSSUTIL3(00000000), ref: 6E0205D0
PORT_Free_Util.NSSUTIL3(00000000,?,6E035400,00000000,00000002,00000000), ref: 6E02063F

Strings

.db, xrefs: 6E0205F1

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Free_Strdup_
String ID: .db
API String ID: 2055704692-1874795567
Opcode ID: 01d902a659fad8dda1dbe60d3539cd405e338bd2aa8d21544f522793db7de000
Instruction ID: 90db64b8bee48e83b0b6b735fec1276afc57a11870e97956473b71d0f53007d0
Opcode Fuzzy Hash: 01d902a659fad8dda1dbe60d3539cd405e338bd2aa8d21544f522793db7de000
Instruction Fuzzy Hash: FD412672A483121FD3109AE88C91BDB73E99FC17A4F440A74ED5497241F76ADA0A83E2

Uniqueness

Uniqueness Score: -1.00%

Function 6E0130A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

PORT_Free_Util.NSSUTIL3(00000000,00000000,00000000,00000180,00000001,00000000), ref: 6E013193
PR_Lock.NSPR4(?), ref: 6E0131C3
PR_Unlock.NSPR4(?), ref: 6E0131D4

Strings

key, xrefs: 6E0130C2

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Free_LockUnlockUtil
String ID: key
API String ID: 3093347579-2324736937
Opcode ID: 6e2417623c1a9e2b8b7af83497795f6d9f4fbdf9a63045909d88bb5ae2d7bc6d
Instruction ID: 6c979ab6ae7233b126d6882e0f80a89f0c4927e248dac09134973882b515d6f0
Opcode Fuzzy Hash: 6e2417623c1a9e2b8b7af83497795f6d9f4fbdf9a63045909d88bb5ae2d7bc6d
Instruction Fuzzy Hash: 3241AC72A492206BDB1256E48C86BCF33ED9F45B64F054935FD05BF281D7B9D80582D3

Uniqueness

Uniqueness Score: -1.00%

Function 6E020750 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

PORT_Strdup_Util.NSSUTIL3(00000000), ref: 6E020770
PORT_Free_Util.NSSUTIL3(00000000,?,6E035400,00000000,00000002,00000000), ref: 6E0207DF

Strings

.db, xrefs: 6E020791

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Free_Strdup_
String ID: .db
API String ID: 2055704692-1874795567
Opcode ID: 8a3de247bf1c1d174a02087fce4b986757c1c161783aca2ca02f1874cc1b0edb
Instruction ID: 69584fdbc11b17b24da5f16a7ff9c66e3f0a5711238086978f77e837665ff31a
Opcode Fuzzy Hash: 8a3de247bf1c1d174a02087fce4b986757c1c161783aca2ca02f1874cc1b0edb
Instruction Fuzzy Hash: 4C418D32D4C3021FD7118AA49C52BDB73E95F81B54F440A74FD949B281F36AD90E87E2

Uniqueness

Uniqueness Score: -1.00%

Function 6E01E860 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSPR4(?,00000000,00000000,?,6E017DB2,00000000), ref: 6E01E86D

Part of subcall function 6E01C650: PORT_Alloc_Util.NSSUTIL3(00000001,00000000,00000000,00000000,6E01B995,?,?), ref: 6E01C675
Part of subcall function 6E01C650: PORT_Free_Util.NSSUTIL3(00000000,?,?,?,00000000,00000000,00000000,6E01B995,?,?), ref: 6E01C6B6

SECITEM_CompareItem_Util.NSSUTIL3(?,6E017E06,?), ref: 6E01E8D2
PR_ExitMonitor.NSPR4(?), ref: 6E01E9B5

Strings

Qj, xrefs: 6E01E899, 6E01E932, 6E01E980

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Monitor$Alloc_CompareEnterExitFree_Item_
String ID: Qj
API String ID: 1594178629-3942019279
Opcode ID: 98b84cca576c413ea0c1f8eb5b6571a6e32e0ad2f24a6e00285c0a6be34c6dd4
Instruction ID: ad4c1dbd1bb7bfdec4553d4adea9dfdd066e543a8b0a62428400c4833b5e1c10
Opcode Fuzzy Hash: 98b84cca576c413ea0c1f8eb5b6571a6e32e0ad2f24a6e00285c0a6be34c6dd4
Instruction Fuzzy Hash: 5E41C371504205DFDB50DFD8CD80B9ABBE9FF45348B048568E8498FA16E332E856CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E019EF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

PL_HashTableLookup.PLDS4(00000000,00000000,-28000000,-28000000,00000000,?,00000000,-28000000,6E016BEC,?,?,-28000000), ref: 6E019F61
SECITEM_ItemsAreEqual_Util.NSSUTIL3(00000000,6E016BEC,6E016BEC,?,?,-28000000), ref: 6E019F72
PL_HashTableLookup.PLDS4(00000000,00000001,-28000000,?,?,6E016BEC,?,?,-28000000), ref: 6E019F87

Strings

8PV, xrefs: 6E019F14

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: HashLookupTable$Equal_ItemsUtil
String ID: 8PV
API String ID: 312833382-4222439693
Opcode ID: 2a7c1f5b4f3486e75edba6cdc497ef10087d12c90f745b4e83a0c57d829d0e53
Instruction ID: 245d5f37b7c1deba94f91908eb19ad7058ca8405650bb95ed90dffd68c71d571
Opcode Fuzzy Hash: 2a7c1f5b4f3486e75edba6cdc497ef10087d12c90f745b4e83a0c57d829d0e53
Instruction Fuzzy Hash: 67113B725082112BD70096F85C84BEF7BDCDF81269F440939F999AB205FB29D905C3B2

Uniqueness

Uniqueness Score: -1.00%

Function 6E021950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

PR_SetError.NSPR4(FFFFE8A7,6E035B40), ref: 6E021961
PR_FindSymbol.NSPR4(00000000,FREEBL_GetVector), ref: 6E021985

Strings

FREEBL_GetVector, xrefs: 6E02197F

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: ErrorFindSymbol
String ID: FREEBL_GetVector
API String ID: 2161404022-221879721
Opcode ID: 81d460b142a4519553234b8faa3b71ebe27426893f548e8afecf077982bd03d9
Instruction ID: 86da5c853497db52b9df299f554b06b2d69b9cdda138895667293c820ff7c2cc
Opcode Fuzzy Hash: 81d460b142a4519553234b8faa3b71ebe27426893f548e8afecf077982bd03d9
Instruction Fuzzy Hash: D3012870A055135FEB215BBDBC1036B32EA9FC2261B04013BE819C6385DB36C58586E2

Uniqueness

Uniqueness Score: -1.00%

Function 6E011490 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

PR_smprintf.NSPR4(%s/%s,00000026,?,?,6E01107A,?,?), ref: 6E0114D5
PR_Delete.NSPR4(00000000), ref: 6E0114E5
PR_smprintf_free.NSPR4(00000000), ref: 6E0114EC

Strings

%s/%s, xrefs: 6E0114D0

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: DeleteR_smprintfR_smprintf_free
String ID: %s/%s
API String ID: 382383796-2758257063
Opcode ID: c5e6153b489511be8d69d31c8b013ac42016da27679e71bf0454af2e5ffc75d5
Instruction ID: 1937f546dd23d0f45b28b3c0dcc65726ce3565570f0c4070c799534be6573d7e
Opcode Fuzzy Hash: c5e6153b489511be8d69d31c8b013ac42016da27679e71bf0454af2e5ffc75d5
Instruction Fuzzy Hash: 74012974409B03EBDB288B94D90875FBBE1EBC6746F04C55CE8894B321D3788845DB52

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA2B80 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSSUTIL3(00000021), ref: 6DFA2B83
PORT_SetError_Util.NSSUTIL3(FFFFE004), ref: 6DFA2BCB
PORT_Free_Util.NSSUTIL3(00000000), ref: 6DFA2BD4

Strings

, xrefs: 6DFA2B93

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Alloc_Error_Free_
String ID:
API String ID: 1799102543-3916222277
Opcode ID: fd5b928fe82b7491303de0822f2a68382b4f264da5a14292d4d9fe3ffa7b4c92
Instruction ID: f5301b8eb2c6e2e6a763f577fe4020f33115fd81bf15e3068e45fe38edd813cb
Opcode Fuzzy Hash: fd5b928fe82b7491303de0822f2a68382b4f264da5a14292d4d9fe3ffa7b4c92
Instruction Fuzzy Hash: C9F02EA27082019FFB104DDE6CC095BF2847B94265F19543BFE0993341D7A2D8089263

Uniqueness

Uniqueness Score: -1.00%

Function 6E0197A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

PR_smprintf.NSPR4(%skey%s.db,?,6E035448), ref: 6E0197D8
PORT_Strdup_Util.NSSUTIL3(00000000), ref: 6E0197E9
PR_smprintf_free.NSPR4(00000000,00000000), ref: 6E0197F1

Strings

%skey%s.db, xrefs: 6E0197D3

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: R_smprintfR_smprintf_freeStrdup_Util
String ID: %skey%s.db
API String ID: 3824127947-463976047
Opcode ID: 0e9d2d698dd1d017d84a2bb54c71299016f0ba5ee1efbb83f9ba32bc8c2e567f
Instruction ID: 81136473b5c0c903463eae3bde85cb3c923c8ebbfa114e6cf8e6cf7737e357df
Opcode Fuzzy Hash: 0e9d2d698dd1d017d84a2bb54c71299016f0ba5ee1efbb83f9ba32bc8c2e567f
Instruction Fuzzy Hash: 0BF0373E24C6135B85511DFDA82879E7AD5DFC36557D04A35F424DF328D535C8418252

Uniqueness

Uniqueness Score: -1.00%

Function 6E0195B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

PR_smprintf.NSPR4(%scert%s.db,?,6E035400), ref: 6E0195EF
PORT_Strdup_Util.NSSUTIL3(00000000), ref: 6E019600
PR_smprintf_free.NSPR4(00000000,00000000), ref: 6E019608

Strings

%scert%s.db, xrefs: 6E0195EA

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: R_smprintfR_smprintf_freeStrdup_Util
String ID: %scert%s.db
API String ID: 3824127947-2009488306
Opcode ID: 595df716dfa449579e6979732003135f75af08b1c7b494c5af8dc7a13cc532ea
Instruction ID: 40420df7640a2550ad7f3675d02b5133e8fd99d834964f628561fb9730a2ba6d
Opcode Fuzzy Hash: 595df716dfa449579e6979732003135f75af08b1c7b494c5af8dc7a13cc532ea
Instruction Fuzzy Hash: 29F0823960C452AB8B1049EDEC0478EBA94EBC36AA7E44532F914DE329D535C951C752

Uniqueness

Uniqueness Score: -1.00%

Function 6E021630 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

NSSUTIL_ArgGetParamValue.NSSUTIL3(name,6E0206AB,00000000,6E0206AB,?,?), ref: 6E02163B
NSSUTIL_ArgGetParamValue.NSSUTIL3(library,6E0206AB,?,?), ref: 6E02164F

Strings

name, xrefs: 6E021636
library, xrefs: 6E02164A

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: ParamValue
String ID: library$name
API String ID: 2093758156-1995335093
Opcode ID: fc321780e8a0c23a14c044881cd987a2b35b5d51704c880d9e649220f078a6a9
Instruction ID: 34b50282b2b23f38f836761ce35106720328fb596f5ce48e85349e54152c1fdd
Opcode Fuzzy Hash: fc321780e8a0c23a14c044881cd987a2b35b5d51704c880d9e649220f078a6a9
Instruction Fuzzy Hash: 1CF0EC39A151235F47044AE85814BCA3BEADE82374B1CC17DE4585B319DA36940687A1

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB5BD0 Relevance: 6.5, APIs: 4, Instructions: 463COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6DFB613E
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFB6157
PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6DFB6170
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFB6189

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID:
API String ID: 1971245937-0
Opcode ID: 83f0dded2487b22185a2bb2adc3681da3163668e8fedd62c3ebb9ea4fb38662c
Instruction ID: b87940b86d33ebffa0d1cd4ad6d9c8332777e010c262d4fb803a86557ee9cc61
Opcode Fuzzy Hash: 83f0dded2487b22185a2bb2adc3681da3163668e8fedd62c3ebb9ea4fb38662c
Instruction Fuzzy Hash: CFE1B673C087166BCB20C6AA9C80E8B77DC6F443A4F490A29BE54C7180E775D9698BD3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFBCEB0 Relevance: 6.4, APIs: 4, Instructions: 407memoryCOMMON

Download Yara Rule

APIs

SECITEM_AllocItem_Util.NSSUTIL3(?,?,00000000), ref: 6DFBD17C
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFBD419
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFBD441

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$AllocItem_
String ID:
API String ID: 4233208270-0
Opcode ID: e6e36788d1ab9e31665710894f9f25145848ac082dda2e074106c84c1e0b7834
Instruction ID: e9032b9396678fe29bf2a86d87568bab4289b94a45c5bb70871698afaad618a7
Opcode Fuzzy Hash: e6e36788d1ab9e31665710894f9f25145848ac082dda2e074106c84c1e0b7834
Instruction Fuzzy Hash: F9E1E2716083429BE710CBEACC84F9B73ECAF84218F044539EA5987152EBB5E698C753

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB4BE0 Relevance: 6.4, APIs: 4, Instructions: 407COMMON

Download Yara Rule

APIs

SECITEM_FreeItem_Util.NSSUTIL3(?,00000000,?,?,?,?,?,?,?,?), ref: 6DFB50B4

Part of subcall function 6DFB4140: SECITEM_AllocItem_Util.NSSUTIL3(6DFB409B,6DFB409B,?,?,?,?,6DFB409B,00000000,?,?), ref: 6DFB4182

PORT_SetError_Util.NSSUTIL3(FFFFE03F), ref: 6DFB500F
PORT_SetError_Util.NSSUTIL3(FFFFE005,00000000), ref: 6DFB50EC
PORT_SetError_Util.NSSUTIL3(FFFFE005,0000000A,?,00000000), ref: 6DFB50FE

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Item_$AllocFree
String ID:
API String ID: 2351708056-0
Opcode ID: 06c6596356c1b70d681233d025a75a286f9d5115340f9022efd9e922e6a36e5c
Instruction ID: 0025c4fbdac45449031c927ae4ca4132b13a37323f60cc07c4df260aaba91c40
Opcode Fuzzy Hash: 06c6596356c1b70d681233d025a75a286f9d5115340f9022efd9e922e6a36e5c
Instruction Fuzzy Hash: 27D164B2C097166BC721CBA9C840E9BB7DCAF44754F050A29FA89D3240EB75D9188BD3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB7040 Relevance: 6.3, APIs: 4, Instructions: 281COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6DFB7382
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFB739A
PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6DFB73B2
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DFB73CA

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID:
API String ID: 1971245937-0
Opcode ID: 3597315297b750318e98c8be1bd773ae32e72a69dfb7c8b1ad493e89ca12aa81
Instruction ID: b2d07546a21374fc81072888dd0efa017836336ef53392ec00e54430c8028a40
Opcode Fuzzy Hash: 3597315297b750318e98c8be1bd773ae32e72a69dfb7c8b1ad493e89ca12aa81
Instruction Fuzzy Hash: BC91AFB2C09716ABC7218AA8C840F8F77DC6F40764F090A29EE55D7240E779E96987D3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB9140 Relevance: 6.2, APIs: 4, Instructions: 181memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSSUTIL3(?), ref: 6DFB9249
PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6DFB925C
PORT_ZFree_Util.NSSUTIL3(00000000,?), ref: 6DFB92E5
PORT_SetError_Util.NSSUTIL3(FFFFE004,?), ref: 6DFB92FA

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Alloc_Free_
String ID:
API String ID: 3186423673-0
Opcode ID: ad50dd8abbcba1e409bf557b32ab72ff2189db8bb8cbe491506a6686873964bb
Instruction ID: b1c14dc537dff07276a280005278ce1160f05da7a4ca940c8e95e8715a84724d
Opcode Fuzzy Hash: ad50dd8abbcba1e409bf557b32ab72ff2189db8bb8cbe491506a6686873964bb
Instruction Fuzzy Hash: AA51BF71A083426FD704CF6DDC80A6BB7E9EFD4214F140A3DF99586250EB72D915CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E01FFF0 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

PORT_Free_Util.NSSUTIL3(00000000,?,?,00000000,?,?), ref: 6E02003E

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Free_Util
String ID:
API String ID: 3239092222-0
Opcode ID: 901d571e137c39da12000a1863346a081d0f952eb18fea78b8e7f2834fd4ddeb
Instruction ID: d369311dff05f2b95279bca199add5514e5ada02bb6a2d5bdcaf72874153f6f7
Opcode Fuzzy Hash: 901d571e137c39da12000a1863346a081d0f952eb18fea78b8e7f2834fd4ddeb
Instruction Fuzzy Hash: A44106715183169FD340DEF898E0B9AB7E5FF45364F440A39EC999B640F332E8258792

Uniqueness

Uniqueness Score: -1.00%

Function 6E030691 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E0307C0

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ab67d78c14f888fc40a9ed2c2d15f57b6f1caf90407c054cd7349b98bcd63e4b
Instruction ID: db121baa0a1a0da437f9368f040a494ce50afd4f5fb704925753251aaa2fe1f5
Opcode Fuzzy Hash: ab67d78c14f888fc40a9ed2c2d15f57b6f1caf90407c054cd7349b98bcd63e4b
Instruction Fuzzy Hash: A941E635E0A6236FEB505AFD8C807DE3BE8EF52774F304A65F81897290F77488014AA1

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB1E10 Relevance: 6.1, APIs: 4, Instructions: 146COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,00000000,?,?,6DFB3C3B,?,?,?,?,?), ref: 6DFB1F3A
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,00000000,?,?,6DFB3C3B,?,?,?,?,?), ref: 6DFB1F51
PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,00000000,?,?,6DFB3C3B,?,?,?,?,?), ref: 6DFB1F68
PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,00000000,?,?,6DFB3C3B,?,?,?,?,?), ref: 6DFB1F7F

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID:
API String ID: 1971245937-0
Opcode ID: 6cf5f8b0964dd9dbecec721b385c5a822b673afd4f6b747351a555f36d4763c7
Instruction ID: 11f81f034494742fc07b6fd7047a886d8e98496d84109f166f5e515cee80c5f9
Opcode Fuzzy Hash: 6cf5f8b0964dd9dbecec721b385c5a822b673afd4f6b747351a555f36d4763c7
Instruction Fuzzy Hash: 024107B3C082162BD7105A6E6C80AABB798AF40775F450725FE38922D0E776DD5A83D3

Uniqueness

Uniqueness Score: -1.00%

Function 6E01EF30 Relevance: 6.1, APIs: 4, Instructions: 144memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSSUTIL3(?), ref: 6E01EFCB
PORT_Free_Util.NSSUTIL3(?), ref: 6E01F02F
PORT_Free_Util.NSSUTIL3(?), ref: 6E01F050
PORT_Free_Util.NSSUTIL3(?), ref: 6E01F0A8

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Free_$Alloc_
String ID:
API String ID: 1841663735-0
Opcode ID: dd3083607c3e175e8bbbda98ac5f6ab446be61eebdfd8c6b2ab4083bde324707
Instruction ID: a5674912c9ea09b7de3454765875b78d00c5149270f204d9405684b756b95cda
Opcode Fuzzy Hash: dd3083607c3e175e8bbbda98ac5f6ab446be61eebdfd8c6b2ab4083bde324707
Instruction Fuzzy Hash: BD41B0756183569FD721CFE0D890B9AB7ECBF88284F000A3DF859DB600E735E9558B92

Uniqueness

Uniqueness Score: -1.00%

Function 6E0123D0 Relevance: 6.1, APIs: 4, Instructions: 131memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E01A800: PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,?,?,?,?,?,?,?,?,?,?,6E0123EE,?), ref: 6E01A809

PR_Lock.NSPR4(?), ref: 6E0124A3
PR_Unlock.NSPR4(?,?,?,?,00000000), ref: 6E0124C0
PORT_Alloc_Util.NSSUTIL3(?), ref: 6E0124D7
PORT_Free_Util.NSSUTIL3(00000000,?,00000000,?), ref: 6E012518

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Alloc_Arena_Free_LockUnlock
String ID:
API String ID: 3104189009-0
Opcode ID: dff3f4387e1ad2d37231d2c8a57536c0640ae380ab5cdb764f5190d2921e6b5e
Instruction ID: af0d160e8ae0fdab028169211d528b50361014f52281af4469511a645681b846
Opcode Fuzzy Hash: dff3f4387e1ad2d37231d2c8a57536c0640ae380ab5cdb764f5190d2921e6b5e
Instruction Fuzzy Hash: 09413675608301AFC704CFA8D880B9BBBE8EF89314F44896DF8999B311D734EA44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6DF98F10 Relevance: 6.1, APIs: 4, Instructions: 131memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSSUTIL3(0000010C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6DFA47B3), ref: 6DF98F29
PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6DF98F68
PORT_Free_Util.NSSUTIL3(00000000), ref: 6DF99019

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Alloc_Error_Free_
String ID:
API String ID: 1799102543-0
Opcode ID: 2d71e35c99b4575f8a7c81199a7e6551bbfb6931db246fb1421a58c40235f1ed
Instruction ID: c5ce1505719633d02c2f87837b11c2186d96cfcfaea4d63451487eef2dfe7cf4
Opcode Fuzzy Hash: 2d71e35c99b4575f8a7c81199a7e6551bbfb6931db246fb1421a58c40235f1ed
Instruction Fuzzy Hash: 0B41B4756083019FEB00DF6CDC80A1AB7E4BF88314F19855CFA298F295DB72E905CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB5130 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,?,?,6DFB4873,6DFA3E86,6DFA3E86,00000014,6DFE5B38,6DFA3E86,6DFE5B38,6DFE5A0C), ref: 6DFB522B
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,6DFB4873,6DFA3E86,6DFA3E86,00000014,6DFE5B38,6DFA3E86,6DFE5B38,6DFE5A0C), ref: 6DFB5240
PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?,?,?,?,6DFB4873,6DFA3E86,6DFA3E86,00000014,6DFE5B38,6DFA3E86,6DFE5B38,6DFE5A0C), ref: 6DFB5255
PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,?,?,6DFB4873,6DFA3E86,6DFA3E86,00000014,6DFE5B38,6DFA3E86,6DFE5B38,6DFE5A0C), ref: 6DFB526A

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID:
API String ID: 1971245937-0
Opcode ID: 44fe2127e15ffe36252316b155d6478b6ea1a5f51ae6ec821bc0550c6dc3d841
Instruction ID: a9737776ada5998b52bcd0598aad3a65279720afca0e0a42be7005f7f8a38426
Opcode Fuzzy Hash: 44fe2127e15ffe36252316b155d6478b6ea1a5f51ae6ec821bc0550c6dc3d841
Instruction Fuzzy Hash: 2B31D6B2C0962267C710D66DDC40A9F77D86F80738F450B25EE6893390F77ADA2946D3

Uniqueness

Uniqueness Score: -1.00%

Function 6DFD2160 Relevance: 6.1, APIs: 4, Instructions: 105COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE004), ref: 6DFD21A3
PORT_SetError_Util.NSSUTIL3(FFFFE003), ref: 6DFD21D0

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID:
API String ID: 1971245937-0
Opcode ID: ea448aa013b29f8fcf37142c7f525ebd31e57b51549c074f45672c4be42e2f21
Instruction ID: 808d6e6cdb18f62b38d13f8cef9c67f00d8893f1dbfaaed3beb4d41ccfa66de9
Opcode Fuzzy Hash: ea448aa013b29f8fcf37142c7f525ebd31e57b51549c074f45672c4be42e2f21
Instruction Fuzzy Hash: B73198B2A082145BC750DF2DDC41A9FBBE8EF89364F990659F61987250DB329A04C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 6DF92E40 Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSSUTIL3(00000041), ref: 6DF92E43
PORT_SetError_Util.NSSUTIL3(FFFFE890), ref: 6DF92E56
PORT_SetError_Util.NSSUTIL3(FFFFE890,FFFFE890), ref: 6DF92E60
PORT_ZFree_Util.NSSUTIL3(00000000,00000041,00000000,00000000,?,00000000,00000000), ref: 6DF92F41

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Alloc_Free_
String ID:
API String ID: 3186423673-0
Opcode ID: 1146bf2472ae1e634783c352cf6f73755c8e15955178cb637f4c4694300bf3f7
Instruction ID: 825459efefd8ab1b3a91e04b8ad9ed395479725daa1df30784796382c67d44dc
Opcode Fuzzy Hash: 1146bf2472ae1e634783c352cf6f73755c8e15955178cb637f4c4694300bf3f7
Instruction Fuzzy Hash: 3331E0B5D047109FD320DF7DD880A47BBE8AF48318B080A29E58AC7701E771F845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E030A35 Relevance: 6.1, APIs: 4, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(6E0259E9,00000000,4FE96106,00000004,00000000,00000000,6E0259E9,?,?,?,6E0259E9,00000001,00000004,4FE96106,00000001,6E0259E9), ref: 6E030A7D
MultiByteToWideChar.KERNEL32(6E0259E9,00000001,?,?,00000000,?), ref: 6E030AF2
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6E030B04
__freea.LIBCMT ref: 6E030B0D

Part of subcall function 6E02C4F9: HeapAlloc.KERNEL32(00000000,?,00000000,?,6E02B985,00000004,?,?,?), ref: 6E02C52B

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__freea
String ID:
API String ID: 573072132-0
Opcode ID: c8e98c994571d2500e84dccca8a37894fdeb9de345297d966e641ccd2c647fdf
Instruction ID: def67daf484eb4129d6ec4dd0b4db4feb006ebf8b35a4d13a7eb1b2f2d83c7d2
Opcode Fuzzy Hash: c8e98c994571d2500e84dccca8a37894fdeb9de345297d966e641ccd2c647fdf
Instruction Fuzzy Hash: 3131DC7290162BAFDB209FE4DC50FEF7BB9EF44764F154528E814AB290E7318950CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E0CAF3D Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,000031E6,6E0C744B,00000000,00000000,?,0000000A,00000000,?,?,00000001,6E0C744B,000031E6,00000001,?), ref: 6E0CAF85
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 6E0CAFFA
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6E0C6391), ref: 6E0CB00C
__freea.LIBCMT ref: 6E0CB015

Part of subcall function 6E0C61B4: RtlAllocateHeap.NTDLL(00000000,?), ref: 6E0C61E6

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: e19b72ba35811b93465d54e562e429b1d956744bd5a61de0e80dddea107b4e2a
Instruction ID: 87e9a4e078fbf79f286d24e373ff952c6fea389a840639d3dcc447b002f78174
Opcode Fuzzy Hash: e19b72ba35811b93465d54e562e429b1d956744bd5a61de0e80dddea107b4e2a
Instruction Fuzzy Hash: 2E31D27190020AAFDB218FE4CC44EEF7BB8EF44B54F214618FD15AB250D7348812DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDE95A Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,6DFDE097,00000000,00000000,00000001,00000020,00000100,?,5EFC4D8B), ref: 6DFDE9A2
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?), ref: 6DFDEA17
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6DFDEA29
__freea.LIBCMT ref: 6DFDEA32

Part of subcall function 6DFDB801: RtlAllocateHeap.NTDLL(00000000,6DFC008D,?,?,6DFC008D,00000000), ref: 6DFDB833

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4f6768c2db3b21e2f791e6bb60be08b24391b467000bde2f6a87feaadfec263a
Instruction ID: af7c3a86d54d7142cbf74d7548fb3cd8c9e3ad4399dcc74a268d4acb1c96cb02
Opcode Fuzzy Hash: 4f6768c2db3b21e2f791e6bb60be08b24391b467000bde2f6a87feaadfec263a
Instruction Fuzzy Hash: 8A31C17290121AABDF518FA8CC44EFEBBB9EF45314F094218FD549B250D7348851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E01BA00 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

PORT_Free_Util.NSSUTIL3(?,00000000,00000000,00000000,6E01E68C,00000000,?,?,?,?,?,?,?,00000000,?,?), ref: 6E01BA21
PORT_Strdup_Util.NSSUTIL3(00000000,00000000,00000000,00000000,00000000,6E01E68C,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6E01BA64
PORT_Free_Util.NSSUTIL3(?,?,?,?,?,?,?,?,00000000,?,?), ref: 6E01BA98
PORT_Strdup_Util.NSSUTIL3(00000000), ref: 6E01BAE0

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Free_Strdup_
String ID:
API String ID: 2055704692-0
Opcode ID: 3190d0cda377ecae0c8d91cc5d3750701b87ca2e81d2ce52ff122a8516ff03b3
Instruction ID: 28cf0c6204b982576b7e206d62ed1a61aad71e302676c01b7d2ad4e7ba1d32e0
Opcode Fuzzy Hash: 3190d0cda377ecae0c8d91cc5d3750701b87ca2e81d2ce52ff122a8516ff03b3
Instruction Fuzzy Hash: 032159B66146029FEB48CEF498907EBB3DCFF45254F80493DE84A87705E731A40D8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E019B40 Relevance: 6.1, APIs: 4, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE001,00000000,00000000,?,?,00000030,?,?,?,?,?,?,?,?,?,?), ref: 6E019BA7
SECITEM_AllocItem_Util.NSSUTIL3(?,?,?), ref: 6E019BE8
SECITEM_FreeItem_Util.NSSUTIL3(?,00000001), ref: 6E019BFD
SECITEM_FreeItem_Util.NSSUTIL3(?,00000001,00000000,00000000,?), ref: 6E019C26

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Item_$Free$AllocError_
String ID:
API String ID: 1187577583-0
Opcode ID: 34bc2def8333e3b8eb668a45cdc69858a58c3925d0f7398b25c915907663cf39
Instruction ID: 585fb78f89aaf714c5cd76e1d17054b2b2a0e8e2c59972c7237a616e9c12d193
Opcode Fuzzy Hash: 34bc2def8333e3b8eb668a45cdc69858a58c3925d0f7398b25c915907663cf39
Instruction Fuzzy Hash: FA219E356082016BEB00DB9CD881BDBB7E1FFC4318F84496DF89987261E336D995CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6E01F700 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

PR_Lock.NSPR4(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E01F714
PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E01F734
PR_Lock.NSPR4(00000000), ref: 6E01F7AC
PR_Unlock.NSPR4(?,?,?,00000000), ref: 6E01F7CC

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: LockUnlock
String ID:
API String ID: 4018760208-0
Opcode ID: f228685baff8b9f982b83ea528f7a612e8292ed1c83890ca39ca4932784926ff
Instruction ID: 115645604e9b55dc711243c5df30f0eee7c131fbec7fbcbf4c8a4b272c5b392a
Opcode Fuzzy Hash: f228685baff8b9f982b83ea528f7a612e8292ed1c83890ca39ca4932784926ff
Instruction Fuzzy Hash: 4B219136408705AFC710DF98C984A5BBBF9FF8D750F440919F984D3210D731E9058B92

Uniqueness

Uniqueness Score: -1.00%

Function 6E01BF30 Relevance: 6.1, APIs: 4, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE012,00000000,?,?,6E01DF92,?,?,00000000), ref: 6E01BF42
PORT_ArenaAlloc_Util.NSSUTIL3(00000001,?,00000000,?,?,6E01DF92,?,?,00000000), ref: 6E01BF98
PORT_ArenaAlloc_Util.NSSUTIL3(00000001,?,?,?,?,?,?,00000000), ref: 6E01BFCB
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,00000000), ref: 6E01BFE1

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Alloc_ArenaError_
String ID:
API String ID: 1998636099-0
Opcode ID: 09248523dde460b7ad71e989a0d9f16f4ecbb0c5f776250de8adbbdda78a99e8
Instruction ID: cae673686d672d67a4d5c35a3ba7ef5393adbd4d6b9ef064f0b6bcece0b841e4
Opcode Fuzzy Hash: 09248523dde460b7ad71e989a0d9f16f4ecbb0c5f776250de8adbbdda78a99e8
Instruction Fuzzy Hash: 762147B55046015FE7248FE9DC90A66BBF4EF802293088A3DE85696764D334E818CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB4140 Relevance: 6.1, APIs: 4, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

SECITEM_AllocItem_Util.NSSUTIL3(6DFB409B,6DFB409B,?,?,?,?,6DFB409B,00000000,?,?), ref: 6DFB4182

Part of subcall function 6DFB4880: PORT_SetError_Util.NSSUTIL3(FFFFE005,0000000A,6DFB409B,6DFB40A3,6DFB40A3,?,?), ref: 6DFB48A1

PORT_SetError_Util.NSSUTIL3(FFFFE03F,?,?,?,?,?), ref: 6DFB41DE
SECITEM_FreeItem_Util.NSSUTIL3(6DFB409B,00000000), ref: 6DFB41F0
PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,6DFB409B,00000000,?,?), ref: 6DFB420C

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Error_$Item_$AllocFree
String ID:
API String ID: 2351708056-0
Opcode ID: 2342a98d587305c75595a5a8e27ecac8302f5e4652545be2ed60fb522ddf9d52
Instruction ID: 1e564cb92cc6671efe296c51e034d66cb670de73021a91e97d9637f46114e702
Opcode Fuzzy Hash: 2342a98d587305c75595a5a8e27ecac8302f5e4652545be2ed60fb522ddf9d52
Instruction Fuzzy Hash: 1C216D32A082062EE701899EFE40BB6779CEF9533CF141629E97D8A2D1E731E841D352

Uniqueness

Uniqueness Score: -1.00%

Function 6E01C010 Relevance: 6.1, APIs: 4, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE012,00000000,00000000,6E01D5E8,00000000,?,?), ref: 6E01C021
PORT_ArenaAlloc_Util.NSSUTIL3(00000001,?,00000000,00000000,6E01D5E8,00000000,?,?), ref: 6E01C064
PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E01C07A

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Error_$Alloc_Arena
String ID:
API String ID: 760868617-0
Opcode ID: 6301c915a2007ead4360c490ae939feab89820d1837cbf7d42efc994fcc58eef
Instruction ID: 0125bc540a2055a7ae767a0fbf2be6d9e9ce78254f109df510877d6a48faffc4
Opcode Fuzzy Hash: 6301c915a2007ead4360c490ae939feab89820d1837cbf7d42efc994fcc58eef
Instruction Fuzzy Hash: FB2138351086025FDB098FE8E8507AAB7F1AF81324308877DD4668F655D332E952CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6E0129B0 Relevance: 6.1, APIs: 4, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE012,?,?,?,?,?,00000000), ref: 6E0129BF
PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E0129F8
PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000024), ref: 6E012A0A
PORT_FreeArena_Util.NSSUTIL3(00000000,00000001), ref: 6E012A57

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_$Alloc_ArenaError_Free
String ID:
API String ID: 3977766762-0
Opcode ID: 01aff45c1f6d380ea9e4fb130c9efe9790aaa633044f7c2750d85cb699df6316
Instruction ID: 1e02eace5ef0c2ea3125c98cf5c61e39620d5487189a8d969696dcba604497e0
Opcode Fuzzy Hash: 01aff45c1f6d380ea9e4fb130c9efe9790aaa633044f7c2750d85cb699df6316
Instruction Fuzzy Hash: C21135729083015FDB108AD49C81BABB2E8AF95729F44073DF8685B380E375C909CBD3

Uniqueness

Uniqueness Score: -1.00%

Function 6E01E3E0 Relevance: 6.1, APIs: 4, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,00000000,00000000), ref: 6E01E3EA
PORT_ArenaAlloc_Util.NSSUTIL3(00000000,?,00000000), ref: 6E01E40C
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,00000000), ref: 6E01E481

Part of subcall function 6E01CC90: PORT_ArenaAlloc_Util.NSSUTIL3(00000000,?,00000000,00000000,6E01C833,?,00000000,?), ref: 6E01CCBB

Part of subcall function 6E01E320: PR_Lock.NSPR4(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6E020156,?), ref: 6E01E371
Part of subcall function 6E01E320: PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,6E020156,?,00000000,?,?), ref: 6E01E391
Part of subcall function 6E01E320: PR_Lock.NSPR4 ref: 6E01E3A6
Part of subcall function 6E01E320: PR_Unlock.NSPR4 ref: 6E01E3BC

PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E01E46E

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_$Alloc_ArenaFreeLockUnlock
String ID:
API String ID: 717150457-0
Opcode ID: ff6542ba981ba860cc9f5c098fbc925b494dca160ea79a43096f78de948cb61b
Instruction ID: dfdf85e9046b3b47d506304b64e38196febc8ef19ee6b10dba07124c0ab2356e
Opcode Fuzzy Hash: ff6542ba981ba860cc9f5c098fbc925b494dca160ea79a43096f78de948cb61b
Instruction Fuzzy Hash: 621108758146026BD3009BE88C41EDBBBECFF80254F488B29F9444B251F731D55687E2

Uniqueness

Uniqueness Score: -1.00%

Function 6E029EB0 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91bec970b4bce63e337627e3010dd1fbbec054c5caccec23476b4515fa13bad1
Instruction ID: 92e5c0c290451c4ccb5782304b603a80a08df046f847412660e35c78f10c7c44
Opcode Fuzzy Hash: 91bec970b4bce63e337627e3010dd1fbbec054c5caccec23476b4515fa13bad1
Instruction Fuzzy Hash: FA0184B2A096167EFA9006F96CC0F6B22DDDB427B8B710736B934A61C4DB61CD0041A4

Uniqueness

Uniqueness Score: -1.00%

Function 6E01E320 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

PR_Lock.NSPR4(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6E020156,?), ref: 6E01E371
PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,6E020156,?,00000000,?,?), ref: 6E01E391
PR_Lock.NSPR4 ref: 6E01E3A6
PR_Unlock.NSPR4 ref: 6E01E3BC

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: LockUnlock
String ID:
API String ID: 4018760208-0
Opcode ID: 885e5e6a766014b4d548321224deff5a6bc547dd6ea3ad58ea701bcfca944f4f
Instruction ID: 293744c6ab12b9b6322313c2aa1083378043008aa9fa83718f93a4960eafb8e5
Opcode Fuzzy Hash: 885e5e6a766014b4d548321224deff5a6bc547dd6ea3ad58ea701bcfca944f4f
Instruction Fuzzy Hash: BC2181354097519FC711DF68C84496ABFF1BF8A210F08499AF99487362D331D945DF92

Uniqueness

Uniqueness Score: -1.00%

Function 6E01C8F0 Relevance: 6.1, APIs: 4, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSSUTIL3(00000800,00000000,?,?,6E02014F,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 6E01C8FB
PORT_ArenaAlloc_Util.NSSUTIL3(00000000,00000001,?,6E02014F,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 6E01C91E

Part of subcall function 6E01C750: PR_Lock.NSPR4(?,00000000,00000006,?,?,?,?,00000000,6E01FE8F,?,?), ref: 6E01C779
Part of subcall function 6E01C750: PR_Unlock.NSPR4(?,?,?,00000000,6E01FE8F,?,?), ref: 6E01C794
Part of subcall function 6E01C750: PR_Lock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E01C7B1
Part of subcall function 6E01C750: PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6E01C7C7
Part of subcall function 6E01C750: PORT_SetError_Util.NSSUTIL3(FFFFE012), ref: 6E01C7D9

PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,?,?,?,?,6E02014F,?,?), ref: 6E01C95D
PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,6E02014F,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 6E01C971

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Arena_$FreeLockUnlock$Alloc_ArenaError_
String ID:
API String ID: 2046866332-0
Opcode ID: 9a2c120e01a8d729a0c5167755497e8e55a983b185a438c17d4885954dd3545d
Instruction ID: 6c65b23be0e25ca7a44f2f6747aaf5ee4528dc4c3078a967711c9cf59f63c530
Opcode Fuzzy Hash: 9a2c120e01a8d729a0c5167755497e8e55a983b185a438c17d4885954dd3545d
Instruction Fuzzy Hash: D10122758043126AC7019AE4AC81FDE77CCEF80A75F440A31FD189E2C4E729C61A82F3

Uniqueness

Uniqueness Score: -1.00%

Function 6E017F30 Relevance: 6.1, APIs: 4, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSSUTIL3(00000010), ref: 6E017F3F
PORT_Alloc_Util.NSSUTIL3(00000028), ref: 6E017F5A
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E017FA4
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E017FAD

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Util$Alloc_Free_
String ID:
API String ID: 3970827069-0
Opcode ID: 6e5d9e9ca668a461cb697fa6688c517596e3bda1682ebd15b8ffd7a178390d98
Instruction ID: df99214f59a2d3e9b7dc8a9298b6d7bb4797a5bbffd740a51a52bef21815f9ec
Opcode Fuzzy Hash: 6e5d9e9ca668a461cb697fa6688c517596e3bda1682ebd15b8ffd7a178390d98
Instruction Fuzzy Hash: 4A01C0B66083124FD7204FD9DC45BC7BAE59F81365F180839F9489B280E375D41987A2

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB9BC0 Relevance: 6.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

PR_Read.NSPR4(?,?,00000004,?,6DFB999C,00000000,?), ref: 6DFB9BCC
PORT_Alloc_Util.NSSUTIL3(?,00000000,?,?,?), ref: 6DFB9C0A
PR_Read.NSPR4(?,00000000,?,00000000,?,?,?), ref: 6DFB9C21
PORT_Free_Util.NSSUTIL3(?), ref: 6DFB9C32

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: ReadUtil$Alloc_Free_
String ID:
API String ID: 1296218028-0
Opcode ID: 986def266a4e3157807a6f1b40576ce8713f1ea561fab3b167f431cb3dfa1b02
Instruction ID: 2145705fad5096521cf026e5874267d8f68d8bcd94269e862a562629f10a0644
Opcode Fuzzy Hash: 986def266a4e3157807a6f1b40576ce8713f1ea561fab3b167f431cb3dfa1b02
Instruction Fuzzy Hash: F401D2B05186116BEB188B2DDC0563BBBE0EF41312F10492EF5BBC25E0DB35E814EB22

Uniqueness

Uniqueness Score: -1.00%

Function 6E01E700 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSPR4(?,?,00000000,6E016688,00000000,00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6E01E709
PR_Lock.NSPR4(?,?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,6E0160BC,00000000), ref: 6E01E715
PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 6E01E777
PR_ExitMonitor.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 6E01E780

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Monitor$EnterExitLockUnlock
String ID:
API String ID: 3508852795-0
Opcode ID: 3ac9e538907d75c019975a9678f2f76175bf72ebe66f8bc396df515e2dfbfe0b
Instruction ID: 453d3a331c835100627606fe1464ad318ae30d1373b291a53853ef5fece326c0
Opcode Fuzzy Hash: 3ac9e538907d75c019975a9678f2f76175bf72ebe66f8bc396df515e2dfbfe0b
Instruction Fuzzy Hash: 72114579A046029FCB10CFA8D844A4AFBF1BF4A3147248669E808CB322D331EC52CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 6E019440 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 6E019A70: PL_HashTableEnumerateEntries.PLDS4(00000000,6E019CF0,00000000,?,?,00000000,6E01944E,?,?,00000000,6E0192AD,00000000), ref: 6E019A89

PR_DestroyLock.NSPR4(?), ref: 6E01947B
PL_HashTableDestroy.PLDS4(?), ref: 6E01948C
PORT_Free_Util.NSSUTIL3(00000000), ref: 6E019495

Part of subcall function 6E01E790: PR_Lock.NSPR4(?,00000000,6E019461,00000000), ref: 6E01E7A6
Part of subcall function 6E01E790: PR_Unlock.NSPR4 ref: 6E01E7B8
Part of subcall function 6E01E790: PR_DestroyMonitor.NSPR4(74C08504,00000000,6E019461,00000000), ref: 6E01E7D0
Part of subcall function 6E01E790: PORT_Free_Util.NSSUTIL3(6E019461,00000000,6E019461,00000000), ref: 6E01E7E1

PORT_Free_Util.NSSUTIL3(?), ref: 6E01949E

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: DestroyFree_Util$HashLockTable$EntriesEnumerateMonitorUnlock
String ID:
API String ID: 697751125-0
Opcode ID: aeb074aad0b92f04a98f522efe245cb3997a5a6c4b86be85e401d9d23114f41a
Instruction ID: 7bac63a2986bbace0faeb26e7d0e0a6e157173a836054c294196077e6438089d
Opcode Fuzzy Hash: aeb074aad0b92f04a98f522efe245cb3997a5a6c4b86be85e401d9d23114f41a
Instruction Fuzzy Hash: 34F0C2F5E082525BEA509AF5AC45FCB73DC9F415587444C38F85ADB200EB30E90482A3

Uniqueness

Uniqueness Score: -1.00%

Function 6E01F3F0 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

PR_NewLock.NSPR4(6E019223,00000000,?,?,?,6E0195B0,?,00000000), ref: 6E01F3F9
PR_NewMonitor.NSPR4(CE534351,6E019223,00000000,?,?,?,6E0195B0,?,00000000), ref: 6E01F409
PR_DestroyMonitor.NSPR4(?), ref: 6E01F442
PORT_SetError_Util.NSSUTIL3(FFFFE012), ref: 6E01F457

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Monitor$DestroyError_LockUtil
String ID:
API String ID: 2079995614-0
Opcode ID: ac22ece94abf222a564ab028ef38c9c75109f35e3a9e95f1a711d6765a4d15a7
Instruction ID: 8377ff2186e676c221f328500b393f9dab86d3b47cb41d1092740bd8927ca266
Opcode Fuzzy Hash: ac22ece94abf222a564ab028ef38c9c75109f35e3a9e95f1a711d6765a4d15a7
Instruction Fuzzy Hash: C4F0C275409B02DFEF209FA4DC0479BBBEAEF82314F10882DF86986260D730D419EB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E01E790 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

PR_Lock.NSPR4(?,00000000,6E019461,00000000), ref: 6E01E7A6
PR_Unlock.NSPR4 ref: 6E01E7B8
PR_DestroyMonitor.NSPR4(74C08504,00000000,6E019461,00000000), ref: 6E01E7D0
PORT_Free_Util.NSSUTIL3(6E019461,00000000,6E019461,00000000), ref: 6E01E7E1

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: DestroyFree_LockMonitorUnlockUtil
String ID:
API String ID: 4171523166-0
Opcode ID: c7ee8231f55f9f7da7fdbf2def4c3d29489340fc16169f7ffbefc3e0def37d98
Instruction ID: 69e1a3a547ae07057925a55fe6f7e061ed727c5f78930430f9c0a4a03a93ad30
Opcode Fuzzy Hash: c7ee8231f55f9f7da7fdbf2def4c3d29489340fc16169f7ffbefc3e0def37d98
Instruction Fuzzy Hash: B9F0A07A401E139BEB214FA8DD45B6BB7FAAF82B40F080429F8559B210D771E811DB96

Uniqueness

Uniqueness Score: -1.00%

Function 6E032BC8 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(000004D2,00000001,00000010,00000000,000004D2,?,6E0309B5,000004D2,00000001,000004D2,?,?,6E02BE10,?,?,?), ref: 6E032BDF
GetLastError.KERNEL32(?,6E0309B5,000004D2,00000001,000004D2,?,?,6E02BE10,?,?,?,?,?,?,6E02C38F,?), ref: 6E032BEB

Part of subcall function 6E032BB1: CloseHandle.KERNEL32(FFFFFFFE,6E032BFB,?,6E0309B5,000004D2,00000001,000004D2,?,?,6E02BE10,?,?,?,?,?), ref: 6E032BC1

___initconout.LIBCMT ref: 6E032BFB

Part of subcall function 6E032B73: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6E032BA2,6E03099B,?,?,6E02BE10,?,?,?,?), ref: 6E032B86

WriteConsoleW.KERNEL32(000004D2,00000001,00000010,00000000,?,6E0309B5,000004D2,00000001,000004D2,?,?,6E02BE10,?,?,?,?), ref: 6E032C10

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 07d08f8ec2935aaf46562379006892ce21bfafb2444019db0663bea61a47363e
Instruction ID: c9b44e1a5419ee1c75b066f4e568972c969951b64a3766c4241a0b181bc5f943
Opcode Fuzzy Hash: 07d08f8ec2935aaf46562379006892ce21bfafb2444019db0663bea61a47363e
Instruction Fuzzy Hash: DBF0393A02452ABBCF221FD5DC08A8A3F6AFF4A7A0B114020FE0C87120C73288709BD0

Uniqueness

Uniqueness Score: -1.00%

Function 6DFE06A2 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,0000002C,00000000,?,?,6DFE040A,?,00000001,?,00000001,?,6DFDF0F5,00000020,00000000,00000001), ref: 6DFE06B9
GetLastError.KERNEL32(?,6DFE040A,?,00000001,?,00000001,?,6DFDF0F5,00000020,00000000,00000001,00000020,00000001,?,6DFDF674,00000008), ref: 6DFE06C5

Part of subcall function 6DFE068B: CloseHandle.KERNEL32(FFFFFFFE,6DFE06D5,?,6DFE040A,?,00000001,?,00000001,?,6DFDF0F5,00000020,00000000,00000001,00000020,00000001), ref: 6DFE069B

___initconout.LIBCMT ref: 6DFE06D5

Part of subcall function 6DFE064D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6DFE067C,6DFE03F0,00000001,?,6DFDF0F5,00000020,00000000,00000001,00000020), ref: 6DFE0660

WriteConsoleW.KERNEL32(?,?,0000002C,00000000,?,6DFE040A,?,00000001,?,00000001,?,6DFDF0F5,00000020,00000000,00000001,00000020), ref: 6DFE06EA

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: cf2a069172e52870a4d19819a5461d7078bdbd35c5c5b089e694059ab1c99b68
Instruction ID: f29ca24b06b52b35060e360da55ecc5e54d5402625ee2e58e5acc3f60abcd6e7
Opcode Fuzzy Hash: cf2a069172e52870a4d19819a5461d7078bdbd35c5c5b089e694059ab1c99b68
Instruction Fuzzy Hash: 76F01C36410129BBCF125F9ACC09B9A3F7AFB493A5B064010FB1C86120CB728960EF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E01DAD0 Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

PR_NewMonitor.NSPR4(?,?,6E02045D,?,00000000,?,?,?,00000000), ref: 6E01DADC
PR_EnterMonitor.NSPR4 ref: 6E01DAF7

Part of subcall function 6E01D6F0: PR_Lock.NSPR4(00000000,?,00000000), ref: 6E01D704
Part of subcall function 6E01D6F0: PR_Unlock.NSPR4 ref: 6E01D724

PR_ExitMonitor.NSPR4(?,?,6E020520,?), ref: 6E01DB14
PR_DestroyMonitor.NSPR4(?), ref: 6E01DB1E

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: Monitor$DestroyEnterExitLockUnlock
String ID:
API String ID: 2140428822-0
Opcode ID: 208d7720388c1da5a12e6bd251613265cf903613f7b60203319095556f1f28c6
Instruction ID: 384604fe29ab92f1c866be570503b83849851d50f98bc041fc4136847f2a9fdf
Opcode Fuzzy Hash: 208d7720388c1da5a12e6bd251613265cf903613f7b60203319095556f1f28c6
Instruction Fuzzy Hash: 32F0FE75408712AFDB10EFA4C81868FBBE5FF89304F408819F59892222D77595198FD7

Uniqueness

Uniqueness Score: -1.00%

Function 6E02601D Relevance: 6.0, APIs: 4, Instructions: 26timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 6E02602F
GetCurrentThreadId.KERNEL32 ref: 6E02603E
GetCurrentProcessId.KERNEL32 ref: 6E026047
QueryPerformanceCounter.KERNEL32(?), ref: 6E026054

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 8b1235b5f9643c3903948b4fd68e6be598181f23ff4942180562284f651c3984
Instruction ID: 4c9a9db5c637542b25f2186bbd14d13fc9db9a91fd96d9b04a689fe923c356e7
Opcode Fuzzy Hash: 8b1235b5f9643c3903948b4fd68e6be598181f23ff4942180562284f651c3984
Instruction Fuzzy Hash: 7EF0AF74C2060DEBCF10DBF4C54AA9EBBF8EF19301F918896E901E7111E734AB049B61

Uniqueness

Uniqueness Score: -1.00%

Function 6DFB0D10 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

PORT_FreeArena_Util.NSSUTIL3(?,00000000), ref: 6DFB0D22
SECITEM_FreeItem_Util.NSSUTIL3(?,00000000), ref: 6DFB0D30
SECITEM_FreeItem_Util.NSSUTIL3(?,00000000,?,00000000), ref: 6DFB0D3B
PORT_Free_Util.NSSUTIL3(?,?,00000000,?,00000000), ref: 6DFB0D41

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Util$Free$Item_$Arena_Free_
String ID:
API String ID: 2810683504-0
Opcode ID: a3cf921f87b0e8a4c622c7167d12b6d4c1f843bc330bad27bea9cf553f7f75f9
Instruction ID: 44a79aa33d529e88549c0a3143395768b3b9fcf2be2d79590b0b55d3ee5289aa
Opcode Fuzzy Hash: a3cf921f87b0e8a4c622c7167d12b6d4c1f843bc330bad27bea9cf553f7f75f9
Instruction Fuzzy Hash: C4E0867290471556DB50A6AEFC40FCB739C5F08600F5A1825FA4497180EB64FD40C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 6E02A258 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E02A261

Part of subcall function 6E02C4BF: HeapFree.KERNEL32(00000000,00000000,?,6E03109E,?,00000000,?,00000000,?,6E0310C5,?,00000007,?,?,6E030D6A,?), ref: 6E02C4D5
Part of subcall function 6E02C4BF: GetLastError.KERNEL32(?,?,6E03109E,?,00000000,?,00000000,?,6E0310C5,?,00000007,?,?,6E030D6A,?,?), ref: 6E02C4E7

_free.LIBCMT ref: 6E02A274
_free.LIBCMT ref: 6E02A285
_free.LIBCMT ref: 6E02A296

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7bbb54cc39fc6eb0323b7f1c939172310e4837a29222f229bce41f8cd7dcea9e
Instruction ID: 4ad90915d186f338ffc16430e93ac7826ac6383ef90d332693cfc36b2de9b9b4
Opcode Fuzzy Hash: 7bbb54cc39fc6eb0323b7f1c939172310e4837a29222f229bce41f8cd7dcea9e
Instruction Fuzzy Hash: 29E04F74C00F22AEAF211F6088884DABAE5F70AA083044717F8140B210C7368C57DF81

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDB650 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6DFDB659

Part of subcall function 6DFDB7C7: HeapFree.KERNEL32(00000000,00000000,?,6DFDEBEF,?,00000000,?,00000000,?,6DFDEC16,?,00000007,?,?,6DFDE7DE,?), ref: 6DFDB7DD
Part of subcall function 6DFDB7C7: GetLastError.KERNEL32(?,?,6DFDEBEF,?,00000000,?,00000000,?,6DFDEC16,?,00000007,?,?,6DFDE7DE,?,?), ref: 6DFDB7EF

_free.LIBCMT ref: 6DFDB66C
_free.LIBCMT ref: 6DFDB67D
_free.LIBCMT ref: 6DFDB68E

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4fc77de8cf46fc8501ed21dd6df0752cceb9d99e99d1042e3c5d70cb6dae0023
Instruction ID: 471bbdcdc8599d2df83da19b211f822ced5cef22ae395588c8247c9798414dbe
Opcode Fuzzy Hash: 4fc77de8cf46fc8501ed21dd6df0752cceb9d99e99d1042e3c5d70cb6dae0023
Instruction Fuzzy Hash: 1AE0EC718391309B9F52AF1CBCC876D3E7DFF5AB18707140AE50C52220DB321A569F81

Uniqueness

Uniqueness Score: -1.00%

Function 6E0B8C20 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

recovered %d frames from WAL file %s, xrefs: 6E0B8F77
, xrefs: 6E0B8CB0

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID:
String ID: $recovered %d frames from WAL file %s
API String ID: 0-3175670447
Opcode ID: 02e328ae47de918af1fae3c48210458a13031ecb283c7210cb45f8a9fbb6cb51
Instruction ID: 04f10270927faf7d69ca635b794d3ef49b7517c01596c13a1bdba13e7763a2a3
Opcode Fuzzy Hash: 02e328ae47de918af1fae3c48210458a13031ecb283c7210cb45f8a9fbb6cb51
Instruction Fuzzy Hash: 2EB157B0608706DFD350DF99C880B5AB7F9FB88348F00492DF58A97661E776E941CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6E013030 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

PR_Lock.NSPR4(?), ref: 6E01305B
PR_Unlock.NSPR4(?), ref: 6E013076

Strings

Version, xrefs: 6E013039

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: LockUnlock
String ID: Version
API String ID: 4018760208-1889659487
Opcode ID: 3fa6bde51dbe21b25f6fbaf9360316e59cf7edd89dc8bed26ccbddc001684e92
Instruction ID: fff8f4e9db75633c7611d80ecc4ca0f5a54ecbe35dd6a2fcfad982cd331ba127
Opcode Fuzzy Hash: 3fa6bde51dbe21b25f6fbaf9360316e59cf7edd89dc8bed26ccbddc001684e92
Instruction Fuzzy Hash: FDF0F4374046215BC701EFDCC844BCF77E8EFC9224F89084EE99887212D738A4499BD2

Uniqueness

Uniqueness Score: -1.00%

Function 6E011ED0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

PR_Lock.NSPR4 ref: 6E011F05
PR_Unlock.NSPR4(?), ref: 6E011F20

Strings

Version, xrefs: 6E011EF5

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: LockUnlock
String ID: Version
API String ID: 4018760208-1889659487
Opcode ID: 165ad401c3c1dc33e525212dad0bff6b7266b10b8e57f9e4e95f0d93fe052ec7
Instruction ID: 61a8916fa6695090ba6bf1da569cc3ea19113f717741b3d3f2c8040a0b7e8da7
Opcode Fuzzy Hash: 165ad401c3c1dc33e525212dad0bff6b7266b10b8e57f9e4e95f0d93fe052ec7
Instruction Fuzzy Hash: CB0144764087119BC700DFA9C88478BFBE8EF85624F44495EF998D7252D378E5098BE3

Uniqueness

Uniqueness Score: -1.00%

Function 6E011E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 6E021890: PR_CallOnce.NSPR4(6E03D9A0,6E021950,6E011E8C), ref: 6E0218A3

PR_Lock.NSPR4(?), ref: 6E011E92
PR_Unlock.NSPR4(?), ref: 6E011EAD

Strings

global-salt, xrefs: 6E011E6B, 6E011E9E

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: CallLockOnceUnlock
String ID: global-salt
API String ID: 2491243522-230581044
Opcode ID: 6468edf46c65e924893e91b05c3b23b00438ad7951e85cb78146824ea42d9277
Instruction ID: af6b3586359dab424258f28cc06ca022a6be47e0e126ab37a51eac68d959fb23
Opcode Fuzzy Hash: 6468edf46c65e924893e91b05c3b23b00438ad7951e85cb78146824ea42d9277
Instruction Fuzzy Hash: B2011A715043119FC720CF99C845B5BB7E8AF89704F040D1EF995D7250D770AA498BD2

Uniqueness

Uniqueness Score: -1.00%

Function 6E0116E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

PR_Lock.NSPR4 ref: 6E0116FF
PR_Unlock.NSPR4(?), ref: 6E01171A

Strings

global-salt, xrefs: 6E0116E9

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: LockUnlock
String ID: global-salt
API String ID: 4018760208-230581044
Opcode ID: 0c92adbeb10c7ae944701190a7bbb1453c2e85f666e106716ba446134509d3a4
Instruction ID: d1d39bb990526b9e68f2e142644d456841aed65c7a9658e8e36661379c1a7912
Opcode Fuzzy Hash: 0c92adbeb10c7ae944701190a7bbb1453c2e85f666e106716ba446134509d3a4
Instruction Fuzzy Hash: 43F090B68046116BC700DFD8C804B8BB7FCEF95650F440859FA04C7221E374EA0987E3

Uniqueness

Uniqueness Score: -1.00%

Function 6E011740 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

PR_Lock.NSPR4(?), ref: 6E011771
PR_Unlock.NSPR4(?,?,?,global-salt,00000000), ref: 6E01178C

Strings

global-salt, xrefs: 6E011749, 6E01177D

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: LockUnlock
String ID: global-salt
API String ID: 4018760208-230581044
Opcode ID: 1cee9889fc3432ea3ebd12f7d36a076aa5479e1ea708064fc57a4269d2371304
Instruction ID: 51856e21d4a540b0b2864fd9fd23d642fc0b2734d7dd2e429fd74cb1a31e5dfd
Opcode Fuzzy Hash: 1cee9889fc3432ea3ebd12f7d36a076aa5479e1ea708064fc57a4269d2371304
Instruction Fuzzy Hash: 0AF0E776504211AFC710DF58C884A5BBBF8EF89614F44895EF995C7211D371E90ACBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6E0C7EA8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

sqlite3_thread_cleanup.SQLITE3(?,?,?), ref: 6E0C7EE3
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 6E0C7EF3

Strings

InitializeCriticalSectionEx, xrefs: 6E0C7EC3

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpinsqlite3_thread_cleanup
String ID: InitializeCriticalSectionEx
API String ID: 1628364858-3084827643
Opcode ID: c560eddb48fb2b5d3bd72109d7e6fc8416b418b49de597fc7574b58db8278d32
Instruction ID: d50445554154e5cc9647d138e26cbaa7faa1b354f8acc99c2f77f70cbb2cc098
Opcode Fuzzy Hash: c560eddb48fb2b5d3bd72109d7e6fc8416b418b49de597fc7574b58db8278d32
Instruction Fuzzy Hash: F6F0BE36541208BBCF019FE5CC08FAE7FA9EF49B60F048165FC085A250DA318E20AB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E0C7E4F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

sqlite3_thread_cleanup.SQLITE3(00000000,?), ref: 6E0C7E87
TlsSetValue.KERNEL32(00000000,?), ref: 6E0C7E91

Strings

FlsSetValue, xrefs: 6E0C7E6A

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID: Valuesqlite3_thread_cleanup
String ID: FlsSetValue
API String ID: 950420049-3750699315
Opcode ID: 3716ad3c3ddbe0ce4acea45c2fdd113b7f4ed66c1062229ad2b2278620971a19
Instruction ID: 3d9533ec4486a3d67a923fe245dd8dffdccc92db184a5b73c7865a4e5e8cdbfa
Opcode Fuzzy Hash: 3716ad3c3ddbe0ce4acea45c2fdd113b7f4ed66c1062229ad2b2278620971a19
Instruction Fuzzy Hash: 77F0A036A42618AB9B106BE5CC08FAE7BA9EF49F60B444158FD095B240DE314E1497A6

Uniqueness

Uniqueness Score: -1.00%

Function 6DFA2C20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

PORT_SetError_Util.NSSUTIL3(FFFFE00E), ref: 6DFA2C2C

Strings

, xrefs: 6DFA2C20

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: Error_Util
String ID:
API String ID: 1971245937-3916222277
Opcode ID: 5174eec52bf26b7facb099f17f18f0df60a6d69b80135346b01095d0e485b568
Instruction ID: e101e2a1c1aa9eba3415c14fdff65967c337938034efaa375f216f43faa0b9f9
Opcode Fuzzy Hash: 5174eec52bf26b7facb099f17f18f0df60a6d69b80135346b01095d0e485b568
Instruction Fuzzy Hash: 30E0E5656081006AEB00863DAC4040FB2817FD1630F5E9B69E568933D4D7B1D8059242

Uniqueness

Uniqueness Score: -1.00%

Function 6E02FEBD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 6E02FEBD
GetCommandLineW.KERNEL32 ref: 6E02FEC8

Strings

05, xrefs: 6E02FEC3

Memory Dump Source

Source File: 00000011.00000002.1302765981.000000006E011000.00000020.00000001.01000000.00000017.sdmp, Offset: 6E010000, based on PE: true

Associated: 00000011.00000002.1302734184.000000006E010000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302921056.000000006E035000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1302979562.000000006E03D000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000011.00000002.1303014528.000000006E03F000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e010000_certutil.jbxd

Similarity

API ID: CommandLine
String ID: 05
API String ID: 3253501508-3569724883
Opcode ID: cbe93210a49c5563f16ebe9f914650dd0d5cda33f7ec59bc8200ac52edf624d0
Instruction ID: f34f14912a81458217a17db7f27049803cc3006a6be499c4dd80c8bc34591698
Opcode Fuzzy Hash: cbe93210a49c5563f16ebe9f914650dd0d5cda33f7ec59bc8200ac52edf624d0
Instruction Fuzzy Hash: CCB0027C803B028FDF609FB4915D2447FB0B65A6523801699F519C6711D7764446DF51

Uniqueness

Uniqueness Score: -1.00%

Function 6E0C8F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 6E0C8F10
GetCommandLineW.KERNEL32 ref: 6E0C8F1B

Strings

05, xrefs: 6E0C8F16

Memory Dump Source

Source File: 00000011.00000002.1303092111.000000006E051000.00000020.00000001.01000000.00000016.sdmp, Offset: 6E050000, based on PE: true

Associated: 00000011.00000002.1303052213.000000006E050000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303638387.000000006E0CF000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303739246.000000006E0DF000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303779693.000000006E0E0000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000011.00000002.1303823917.000000006E0E2000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6e050000_certutil.jbxd

Similarity

API ID: CommandLine
String ID: 05
API String ID: 3253501508-3569724883
Opcode ID: 315a27dcbf8b33f738c64e92087efad8e145419a33ac23d6ff7e7ee9b7880fcf
Instruction ID: 4b282c67146d2235c1cf9ced52ec23709c2d07709bc8ca893863bf38fa16d39a
Opcode Fuzzy Hash: 315a27dcbf8b33f738c64e92087efad8e145419a33ac23d6ff7e7ee9b7880fcf
Instruction Fuzzy Hash: 94B092BC802A019FDF008F31C00C0083BE4BA0AF123D445A5D819C2302D7380009EF01

Uniqueness

Uniqueness Score: -1.00%

Function 6DFDE19D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 6DFDE19D
GetCommandLineW.KERNEL32 ref: 6DFDE1A8

Strings

05, xrefs: 6DFDE1A3

Memory Dump Source

Source File: 00000011.00000002.1301791527.000000006DF91000.00000020.00000001.01000000.00000018.sdmp, Offset: 6DF90000, based on PE: true

Associated: 00000011.00000002.1301732357.000000006DF90000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302465249.000000006DFE3000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302625405.000000006DFF9000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302665989.000000006DFFC000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000011.00000002.1302692867.000000006DFFF000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6df90000_certutil.jbxd

Similarity

API ID: CommandLine
String ID: 05
API String ID: 3253501508-3569724883
Opcode ID: 38435a2134e593b502e1ee6f355bee07fe7b842803334e21e8de7e1768f41801
Instruction ID: 0fbe6211e9fd92066d558ec848ef679196b21e280295c56fdbc21e4afd607baf
Opcode Fuzzy Hash: 38435a2134e593b502e1ee6f355bee07fe7b842803334e21e8de7e1768f41801
Instruction Fuzzy Hash: 80B092B8824210AFCF008F34E08C3043BF4B20AB173872956D609C2710D7394104CF00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Digital certificate logs, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report magicline4nx_setup.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\DSCToolkitV30-v3.4.2.20.dll

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\ENG.ini

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\Images\Logo.bmp

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\IssuerOid.conf

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\IssuerOid_Eng.conf

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\KOR.ini

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicCrypto32V21.dll

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe.hmac

C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe

Windows Analysis Report
magicline4nx_setup.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.
Tactics:	Collection
Data Sources:	API monitoring, Authentication logs, Packet capture, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre