
Windows Analysis Report
64.exe

Overview

General Information

Sample name:64.exe
Analysis ID:1585179
MD5:43f0b9f0058030153d6114309d953fb3
SHA1:cd093efca6d56f51a28b6b32d0c492aa655671ae
SHA256:cf30c55ec1f1083d8cc3fb4204e29ec50b39788a3c7c561d8d0ab2a9cba86336
Tags: exe, malware, trojan, user-Joker

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal saved passwords of Firefox
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Program does not show much activity (idle)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 64.exe (PID: 3852 cmdline: "C:\Users\user\Desktop\64.exe" MD5: 43F0B9F0058030153D6114309D953FB3)
  • cleanup
No configs have been found
Source: 64.exe; Rule: OlympicDestroyer_1; Description: OlympicDestroyer Payload; Author: kevoreilly; Strings:
  • 0xd5ee8:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0xd6148:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0xd63a8:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0xd6618:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0xd6fb8:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0xe85a8:$string2: API call with %s database connection pointer
  • 0xe9c60:$string3: os_win.c:%d: (%lu) %s(%s) - %s
Source: 0.2.64.exe.7ff763e20000.0.unpack; Rule: OlympicDestroyer_1; Description: OlympicDestroyer Payload; Author: kevoreilly; Strings:
  • 0xd5ee8:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0xd6148:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0xd63a8:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0xd6618:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0xd6fb8:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0xe85a8:$string2: API call with %s database connection pointer
  • 0xe9c60:$string3: os_win.c:%d: (%lu) %s(%s) - %s
Source: 0.0.64.exe.7ff763e20000.0.unpack; Rule: OlympicDestroyer_1; Description: OlympicDestroyer Payload; Author: kevoreilly; Strings:
  • 0xd5ee8:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0xd6148:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0xd63a8:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0xd6618:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0xd6fb8:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0xe85a8:$string2: API call with %s database connection pointer
  • 0xe9c60:$string3: os_win.c:%d: (%lu) %s(%s) - %s
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: 64.exe; ReversingLabs: Detection: 31%
Source: 64.exe; Virustotal: Detection: 43%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 87.4% probability
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E2A4A0: LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E252D0: SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E2A7A0: LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,LocalFree
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E26640: LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E255D0: LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E24CD0: SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E249D0: SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E24FD0: SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E23E70: CryptStringToBinaryA
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E26E70: LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,lstrlenW,LocalFree,LocalFree
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E25E10: LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree
Source: 64.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E27FB0: LocalAlloc,StrCmpNIW,LocalAlloc,LocalAlloc,LocalAlloc,FindFirstFileW,lstrcmpiW,lstrcmpiW,LocalAlloc,GetTempPathW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,ReadFile,CloseHandle,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,lstrlenW
Source: 64.exe, 00000000.00000000.2246873517.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: ENCMARK RegisterRawInputDevices

System Summary

Source: 64.exe, type: SAMPLE; Matched rule: OlympicDestroyer Payload; Author: kevoreilly
Source: 0.2.64.exe.7ff763e20000.0.unpack, type: UNPACKEDPE; Matched rule: OlympicDestroyer Payload; Author: kevoreilly
Source: 0.0.64.exe.7ff763e20000.0.unpack, type: UNPACKEDPE; Matched rule: OlympicDestroyer Payload; Author: kevoreilly
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E21000
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EA6510
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EC84C0
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E234B0
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EE1480
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EAA410
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E293C0
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EE02A0
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E36290
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EB81A0
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EE0900
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EEB84C
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EB282A
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E2A7A0
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EED6B8
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EEA674
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E26640
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E255D0
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E505A0
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E3DC50
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EEAAF4
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EE1A90
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EEB0E0
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EE0FC0
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EB1F8F
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E2AF00
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EAEEC0
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E53EC0
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EE3EB0
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EBFE70
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E26E70
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E25E10
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EE5DF0
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EDFDF0
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EE4D94
Source: C:\Users\user\Desktop\64.exe; Code function: String function: 00007FF763E73CE0 appears 137 times
Source: C:\Users\user\Desktop\64.exe; Code function: String function: 00007FF763E53030 appears 48 times
Source: C:\Users\user\Desktop\64.exe; Code function: String function: 00007FF763E35C20 appears 59 times
Source: 64.exe, type: SAMPLE; Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 0.2.64.exe.7ff763e20000.0.unpack, type: UNPACKEDPE; Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 0.0.64.exe.7ff763e20000.0.unpack, type: UNPACKEDPE; Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: classification engine; Classification label: mal68.spyw.winEXE@1/0@0/0
Source: 64.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\64.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 64.exe, 64.exe, 00000000.00000000.2246898075.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp, 64.exe, 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp; Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 64.exe, 64.exe, 00000000.00000000.2246898075.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp, 64.exe, 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp; Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 64.exe, 64.exe, 00000000.00000000.2246898075.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp, 64.exe, 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp; Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 64.exe, 00000000.00000000.2246898075.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp, 64.exe, 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp; Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: C:\Users\user\Desktop\64.exe; Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_0-61287)
Source: C:\Users\user\Desktop\64.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\64.exe; Section loaded: wlanapi.dll
Source: C:\Users\user\Desktop\64.exe; Section loaded: profapi.dll
Source: 64.exe; Static PE information: Image base 0x140000000 > 0x60000000
Source: 64.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EE439C: DecodePointer,_errno,_invalid_parameter_noinfo,LoadLibraryW,GetProcAddress,_errno,GetLastError,_invalid_parameter_noinfo,GetLastError,EncodePointer,FreeLibrary,_errno,_errno
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E8D150: push rbp; retf 0_2_00007FF763E8D151
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E234B0: LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,wsprintfW,wsprintfW,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,MultiByteToWideChar,wsprintfW,LocalFree,LocalFree,LocalFree,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E2AF00: LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E2C960: LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\64.exe; API coverage: 0.3 %
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\64.exe; API call chain: ExitProcess graph end node (graph_0-61293)
Source: C:\Users\user\Desktop\64.exe; API call chain: ExitProcess graph end node (graph_0-61294)
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EE5890: RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EE2A80: RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EED488: GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763EEA674: _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E240D0: ENCWCHAR \Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\64.exe; Code function: 0_2_00007FF763E2AF00: LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree, encryptedPassword

MITRE ATT&CK Matrix (per tactic; a leading number is the count of matching signatures for that technique)

  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
  • Execution: 2 Command and Scripting Interpreter, 11 Native API, At, Cron
  • Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook
  • Privilege Escalation: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook
  • Defense Evasion: 1 Deobfuscate/Decode Files or Information, 2 Obfuscated Files or Information, 1 DLL Side-Loading, Binary Padding
  • Credential Access: 1 OS Credential Dumping, 11 Input Capture, 2 Credentials In Files, NTDS
  • Discovery: 2 System Time Discovery, 1 Security Software Discovery, 1 File and Directory Discovery, 2 System Information Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
  • Collection: 11 Input Capture, 1 Archive Collected Data, Data from Network Shared Drive, Input Capture
  • Command and Control: 2 Encrypted Channel, Junk Data, Steganography, Protocol Impersonation
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction

Antivirus detection (Source; Detection; Scanner; Label)
64.exe; 32%; ReversingLabs; Win64.Trojan.Generic
64.exe; 43%; Virustotal
No Antivirus matches

Contacted domains (Name; IP; Active; Malicious; Reputation)
s-part-0017.t-0009.t-msedge.net; 13.107.246.45; true; false; high
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1585179
    Start date and time:2025-01-07 09:12:08 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 2m 31s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:2
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:64.exe
    Detection:MAL
    Classification:mal68.spyw.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:Failed
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Stop behavior analysis, all processes terminated
    • Exclude process from analysis (whitelisted): dllhost.exe
    • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
    • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, otelrules.afd.azureedge.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
    No simulations
    No context
    Match: s-part-0017.t-0009.t-msedge.net; associated samples / URLs (Name; Detection; Threat Name; Context):
    • iy1.dat.exe; malicious; Unknown; 13.107.246.45
    • BXOZIGZEUa.exe; malicious; Bdaejec; 13.107.246.45
    • w3245.exe; malicious; Unknown; 13.107.246.45
    • w3245.exe; malicious; Unknown; 13.107.246.45
    • https://app.saner.ai/shared/notes/7353e5ae-dd5f-410b-92c3-210c9e88052a; malicious; HTMLPhisher; 13.107.246.45
    • Jeffparish.docx; malicious; Unknown; 13.107.246.45
    • AllItems.htm; malicious; HTMLPhisher; 13.107.246.45
    • Vernales Restaurant-encrypted.pdf; malicious; HTMLPhisher; 13.107.246.45
    • https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956235d3ed2bb80da1204238e412cdfe561cf1e7cff409a79a97da8a2d431ccef9065ebae57f03416d61f0971abb897fde199a21f0da5d9085251df31eb6747d99920190103a51a045e3e309308fa5f3a1ca3&action_type=SIGN; malicious; HTMLPhisher; 13.107.246.45
    • https://scales.mn/file/one-drv11.html; malicious; Unknown; 13.107.246.45
    No context
    No created / dropped files found
    File type:PE32+ executable (GUI) x86-64, for MS Windows
    Entropy (8bit):5.772282846568756
    TrID:
    • Win64 Executable GUI (202006/5) 87.40%
    • Windows Screen Saver (13104/52) 5.67%
    • Win64 Executable (generic) (12005/4) 5.19%
    • Generic Win/DOS Executable (2004/3) 0.87%
    • DOS Executable Generic (2002/1) 0.87%
    File name:64.exe
    File size:1'021'952 bytes
    MD5:43f0b9f0058030153d6114309d953fb3
    SHA1:cd093efca6d56f51a28b6b32d0c492aa655671ae
    SHA256:cf30c55ec1f1083d8cc3fb4204e29ec50b39788a3c7c561d8d0ab2a9cba86336
    SHA512:3009e1054373b876f5542d84c784a50440c69c1555182cc405b1e9395e0b928f26ad408cb627eb8f0b663ad124f979b6677a89b5eb73d04a13c981a5e93106e0
    SSDEEP:12288:fEUEK/alBxScnB04n9Cf8gzLRrtB25JsGW2EEYGVp3Am:OK/alBxFB0FUgzLRrtUJFW
    TLSH:14259257E6B691E4D8B6D0389662722BBC713859833897D79B809B074B71FF0E93E340
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........H.u.).&.).&.).&..w&.).&.Qn&.).&.Qz&.).&.).&O).&..B&.).&..C&.).&..t&.).&Rich.).&................PE..d.....6g.........."......F.
    Icon Hash:00928e8e8686b000
    Entrypoint:0x1400c4ac8
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x140000000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x6736E3EA [Fri Nov 15 06:02:18 2024 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:2
    File Version Major:5
    File Version Minor:2
    Subsystem Version Major:5
    Subsystem Version Minor:2
    Import Hash:e84d11c378c8e8f83080cc0f510539d2
    Programming Language:
    • [ASM] VS2010 SP1 build 40219
    • [IMP] VS2008 SP1 build 30729
    • [C++] VS2010 SP1 build 40219
    • [ C ] VS2010 SP1 build 40219
    • [LNK] VS2010 SP1 build 40219
    Data directories (Name; Virtual Address; Virtual Size; Is in Section)
    IMAGE_DIRECTORY_ENTRY_EXPORT; 0x0; 0x0
    IMAGE_DIRECTORY_ENTRY_IMPORT; 0xe6f04; 0xb4; .rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE; 0x0; 0x0
    IMAGE_DIRECTORY_ENTRY_EXCEPTION; 0xfa000; 0x654c; .pdata
    IMAGE_DIRECTORY_ENTRY_SECURITY; 0x0; 0x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC; 0x101000; 0x1004; .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG; 0x0; 0x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT; 0x0; 0x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR; 0x0; 0x0
    IMAGE_DIRECTORY_ENTRY_TLS; 0x0; 0x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG; 0x0; 0x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT; 0x0; 0x0
    IMAGE_DIRECTORY_ENTRY_IAT; 0xd6000; 0x510; .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT; 0x0; 0x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR; 0x0; 0x0
    IMAGE_DIRECTORY_ENTRY_RESERVED; 0x0; 0x0
    Sections (Name; Virtual Address; Virtual Size; Raw Size; MD5; Xored PE; ZLIB Complexity; File Type; Entropy; Characteristics)
    .text; 0x1000; 0xd440a; 0xd4600; 0368dfd044ab2d5f4fa05e78905b0888; False; 0.3942714464390818; data; 5.61843896377423; IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata; 0xd6000; 0x11fec; 0x12000; 981389091fb9f8c2e50ddf1acdc046b4; False; 0.3441297743055556; DIY-Thermocam raw data (Lepton 2.x), scale 9472-29440, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 39614081257132168796771975168.000000, slope 4503583248285072024404605534208.000000; 5.271103778790476; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data; 0xe8000; 0x11310; 0xac00; 4dbbdef79fd7f1aa21fe58aae2582295; False; 0.31018350290697677; COM executable for DOS; 4.703260377877969; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .pdata; 0xfa000; 0x654c; 0x6600; bb52357a3ae264208681dde94b3157f8; False; 0.5178079044117647; data; 5.937374784127747; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc; 0x101000; 0x1a9a; 0x1c00; 51773b5929950467e765aea61a578906; False; 0.21819196428571427; data; 3.975109668791781; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    DLL | Import
    KERNEL32.dll | CreateFileW, FreeLibrary, GetProcAddress, LoadLibraryW, SetCurrentDirectoryW, GetCurrentDirectoryW, lstrlenA, MultiByteToWideChar, GetFileSize, CreateFileA, GetPrivateProfileStringW, CopyFileW, GetTempPathW, lstrlenW, lstrcmpiW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, lstrcpyW, lstrcpyA, FlushViewOfFile, GetProcessHeap, OutputDebugStringW, OutputDebugStringA, WaitForSingleObjectEx, WaitForSingleObject, WriteFile, WideCharToMultiByte, UnmapViewOfFile, UnlockFileEx, UnlockFile, SystemTimeToFileTime, Sleep, SetFilePointer, SetEndOfFile, QueryPerformanceCounter, MapViewOfFile, LockFileEx, LockFile, LoadLibraryA, HeapCompact, HeapValidate, HeapSize, HeapReAlloc, HeapFree, ReadFile, HeapCreate, HeapAlloc, GetVersionExW, GetVersionExA, GetTickCount, GetTempPathA, GetSystemTimeAsFileTime, GetSystemTime, GetSystemInfo, GetLastError, GetFullPathNameW, GetFullPathNameA, GetFileAttributesExW, GetFileAttributesW, GetFileAttributesA, GetDiskFreeSpaceW, GetDiskFreeSpaceA, GetCurrentProcessId, FormatMessageW, FormatMessageA, FlushFileBuffers, DeleteFileA, CreateMutexW, CreateFileMappingW, CreateFileMappingA, AreFileApisANSI, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, TryEnterCriticalSection, LeaveCriticalSection, GetCurrentThreadId, CompareStringW, WriteConsoleW, SetStdHandle, LCMapStringW, GetStringTypeW, GetConsoleMode, GetConsoleCP, LocalAlloc, LocalFree, GetCommandLineW, ExitProcess, OpenEventW, SetEvent, HeapDestroy, CloseHandle, GetFileType, InitializeCriticalSectionAndSpinCount, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameA, RtlLookupFunctionEntry, RtlUnwindEx, RaiseException, RtlPcToFileHeader, EncodePointer, DecodePointer, ExitThread, CreateThread, GetCommandLineA, GetStartupInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlCaptureContext, TerminateProcess, GetCurrentProcess, HeapSetInformation, GetVersion, FlsGetValue, FlsSetValue, FlsFree, SetLastError, FlsAlloc, GetTimeZoneInformation, GetModuleHandleW, GetStdHandle, GetModuleFileNameW, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, SetEnvironmentVariableA
    USER32.dll | wsprintfW
    SHELL32.dll | SHGetKnownFolderPath, CommandLineToArgvW
    SHLWAPI.dll | StrCmpNIW, StrStrIW
    ole32.dll | StringFromGUID2, CoCreateGuid, CoInitialize, CoUninitialize, CoTaskMemFree
    ADVAPI32.dll | RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegGetValueW
    CRYPT32.dll | CryptStringToBinaryA, CryptUnprotectData
    Wlanapi.dll | WlanGetProfileList, WlanEnumInterfaces, WlanOpenHandle, WlanGetProfile, WlanCloseHandle
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Jan 7, 2025 09:13:09.204920053 CET | 1.1.1.1 | 192.168.2.6 | 0x9b7d | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
    Jan 7, 2025 09:13:09.204920053 CET | 1.1.1.1 | 192.168.2.6 | 0x9b7d | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false

    Target ID: 0
    Start time: 03:13:10
    Start date: 07/01/2025
    Path: C:\Users\user\Desktop\64.exe
    Wow64 process (32bit): false
    Commandline: "C:\Users\user\Desktop\64.exe"
    Imagebase: 0x7ff763e20000
    File size: 1'021'952 bytes
    MD5 hash: 43F0B9F0058030153D6114309D953FB3
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: low
    Has exited: true

      Execution Graph

      Execution Coverage:0%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:95.2%
      Total number of Nodes:21
      Total number of Limit Nodes:1

      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: CommandExitLineProcess$ArgvValue
      • String ID: SOFTWARE\%s
      • API String ID: 4147859340-297323700
      • Opcode ID: b327c25b4de35ec7b5daf3ba511b6eb557ebb26faf60c48c29414e916f93f17c
      • Instruction ID: 6ad0e71882e232498988aeb7aa8cdc35774744a1fe5dac5abc75c561770fe1cc
      • Opcode Fuzzy Hash: b327c25b4de35ec7b5daf3ba511b6eb557ebb26faf60c48c29414e916f93f17c
      • Instruction Fuzzy Hash: 0B710C35A19B46D2EBE5AB60F8547AAB3A0FF84754FC0013AD54E627A4CF7DE148C720
      Similarity
      • API ID: AddressLibraryLoadProc
      • String ID: ADVAPI32.DLL$CRYPT32.DLL$DBGHELP.DLL$GDI32.DLL$GDIPLUS.DLL$KERNEL32.DLL$MSI.DLL$NTDLL.DLL$OLE32.DLL$SECUR32.DLL$SHELL32.DLL$SHLWAPI.DLL$USER32.DLL$WINHTTP.DLL$WINMM.DLL$WLANAPI.DLL$WS2_32.DLL$WTSAPI32.DLL
      • API String ID: 2574300362-3515397064
      • Opcode ID: 38ae5404e5fab38f92f3a3b4f9f2e904d54a72b19ce1d338a704d6fbe4184a7f
      • Instruction ID: a097067bd110fa12d0211aa917f995f671bdc3999f15a69ba043ff571eb59198
      • Opcode Fuzzy Hash: 38ae5404e5fab38f92f3a3b4f9f2e904d54a72b19ce1d338a704d6fbe4184a7f
      • Instruction Fuzzy Hash: 45C2EA35A1CB86C5EBB0AB04E4947BAB360FF94744F900039D69E62BA8DF7CD545CB60

      Similarity
      • API ID: Local$Free$Alloc$type_info::_name_internal_method$wsprintf$File$ByteCharMultiStringWide_snprintf$BinaryCloseCreateCryptFolderHandleKnownPathPrivateProfileReadSizeTasklstrlen
      • String ID: %S\Thunderbird\%S$%s\Thunderbird\profiles.ini$Account: %s$ENCCHAR %s\logins.json$IMAP Server: %S$Password: %s$Path$encryptedPassword$encryptedPassword$encryptedPassword$encryptedUsername$encryptedUsername$guid$hostname":"imap://$hostname":"imap://$httpRealm
      • API String ID: 3482632610-1050660175
      • Opcode ID: 309a902061a88d1d181ba5561d2f56fc5bd904b00d80d1f4afec6273f15da363
      • Instruction ID: 16d9d19f0cff9ca02c925b6be73ae028e85164c91c3c94c0fcccfa467d217ad3
      • Opcode Fuzzy Hash: 309a902061a88d1d181ba5561d2f56fc5bd904b00d80d1f4afec6273f15da363
      • Instruction Fuzzy Hash: FF12D832608AC6C6E7B1AB15E8547EAB3A1FBC8744F840139E68D57B68DF7CD445CB20

      Similarity
      • API ID: Local$Free$Alloc$type_info::_name_internal_method$wsprintf$lstrlen$File$ByteCharMultiWide_snprintf$CloseCreateFolderHandleKnownPathPrivateProfileReadSizeStringTask_errno_invalid_parameter_noinfo
      • String ID: ENCCHAR %S\Mozilla\Firefox\%S$ENCCHAR %s\logins.json$ENCWCHAR %s\Mozilla\Firefox\profiles.ini$Password: %s$Path$Realm: %S$Username: %s$Website: %S$Website: %S$hostname
      • API String ID: 4273229671-342706749
      • Opcode ID: 6c1daf74aff8e0065f25972113452b6d1bee0a77bca05798e71b209dd5fd70e1
      • Instruction ID: 255c1905f19c82c06aebb1c1fd2adc09485c5a15221ac34be7c4423d20660e35
      • Opcode Fuzzy Hash: 6c1daf74aff8e0065f25972113452b6d1bee0a77bca05798e71b209dd5fd70e1
      • Instruction Fuzzy Hash: 0532EA3260CBC6C6E7B5AB14E4547AAB3A4FB88744F800139E68D57B98DF7DD644CB20

      Similarity
      • API ID: Local$Alloc$FileFree$CloseFindlstrcmpi$HandleValuelstrlen$CopyCreateDeleteDintFirstNextPathReadSizeTemp_errno_invalid_parameter_noinfo
      • String ID: %s%s$%s\%s\Accounts\Account.rec0$%s\*.*$%s\storage$7.2$Current version supports FoxMail 7.2 which was not found.$d
      • API String ID: 3896797888-2119546309
      • Opcode ID: 59aed33026e364f9855d28b70640512683848f083b2857af47eba99498d13acc
      • Instruction ID: 36a29be6be6e7f2817547c9434466da7705df2efa1f27f19f801a1a58f4b1c54
      • Opcode Fuzzy Hash: 59aed33026e364f9855d28b70640512683848f083b2857af47eba99498d13acc
      • Instruction Fuzzy Hash: EBD10F31608AC2C3E7B4AB14F8547AAB3A4FB84754F940239E69D53BA8CF7CD445CB20

      Similarity
      • API ID: wsprintf$Local$Free$lstrlen$AllocByteCharCryptDataDestroyExceptionMultiUnprotectWide_snprintf
      • String ID: ENCCHAR SELECT origin_url, username_value, password_value FROM logins$ENCWCHAR sqlite3_open() failed. The database might be busy. Try closing the browser.$ENCWCHAR sqlite3_prepare_v2() failed. The database might be busy. Try closing the browser.$Password: %S$Password: %s$Password: N/A$Username: %s$Website: %s
      • API String ID: 1956991067-1677157919
      • Opcode ID: 4640c1223d0e84e8e7d32fa57a06742cd5f8412b50bc100e343f1a69850222a3
      • Instruction ID: 6d77984c80148c2793c5368c4d016991e9df0c8ae9d7998efd449629aff0a390
      • Opcode Fuzzy Hash: 4640c1223d0e84e8e7d32fa57a06742cd5f8412b50bc100e343f1a69850222a3
      • Instruction Fuzzy Hash: 1612FB72608AC2DADBB5EB14E4507AAB3A4FB85744F80413AE6CD53B98DF7CD505CB20

      Similarity
      • API ID: wsprintf$Local$Free$lstrlen$AllocByteCharCryptDataDestroyExceptionMultiUnprotectWide_snprintf
      • String ID: ENCCHAR SELECT origin_url, username_value, password_value FROM logins$ENCWCHAR sqlite3_open() failed. The database might be busy. Try closing the browser.$ENCWCHAR sqlite3_prepare_v2() failed. The database might be busy. Try closing the browser.$Password: %S$Password: %s$Password: N/A$Username: %s$Website: %s
      • API String ID: 1956991067-1677157919
      • Opcode ID: c9331615a7477c3f5e2628c8448e642329c3c29d879f5545de104b9f1720e66d
      • Instruction ID: 1cbdfa2f9a7359e83957fa5cc9c1c8c0d19f5b11cdd524f2cd00fd2744f352a6
      • Opcode Fuzzy Hash: c9331615a7477c3f5e2628c8448e642329c3c29d879f5545de104b9f1720e66d
      • Instruction Fuzzy Hash: 4E120C72608AC2DADBB5EB14E4907AAB3A4FB84744F80413AE6CD53B58DF7CD505CB60

      Similarity
      • API ID: wsprintf$Local$Free$lstrlen$AllocByteCharCryptDataDestroyExceptionMultiUnprotectWide_snprintf
      • String ID: ENCCHAR SELECT origin_url, username_value, password_value FROM logins$ENCWCHAR sqlite3_open() failed. The database might be busy. Try closing the browser.$ENCWCHAR sqlite3_prepare_v2() failed. The database might be busy. Try closing the browser.$Password: %S$Password: %s$Password: N/A$Username: %s$Website: %s
      • API String ID: 1956991067-1677157919
      • Opcode ID: d0002f308ad90d4393f6e9a2d4e6437d3c911025b90d727dfbb12a4187c7696f
      • Instruction ID: b6771a276bbc41d9ec705e6d8929efe490439e63eb5745ac8a5d75bb8e74b194
      • Opcode Fuzzy Hash: d0002f308ad90d4393f6e9a2d4e6437d3c911025b90d727dfbb12a4187c7696f
      • Instruction Fuzzy Hash: C612FC72608AC2DADBB5EB14E4507AAB3A4FB85744F80413AE6CD93B58DF7CD505CB20

      Control-flow Graph

      • Executed
      • Not Executed
      Control-flow graph (graph image not rendered) for the function at 00007FF763E26E70. Recoverable from the block list: the function allocates with LocalAlloc, formats its output with wsprintfW, calls CryptUnprotectData on each row, and on success converts the result with MultiByteToWideChar before formatting it; the failure branch formats a message without conversion. Cleanup paths call lstrlenW and LocalFree.
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: wsprintf$Local$Free$lstrlen$AllocByteCharCryptDataDestroyExceptionMultiUnprotectWide_snprintf
      • String ID: ENCCHAR SELECT origin_url, username_value, password_value FROM logins$ENCWCHAR sqlite3_open() failed. The database might be busy. Try closing the browser.$ENCWCHAR sqlite3_prepare_v2() failed. The database might be busy. Try closing the browser.$Password: %S$Password: %s$Password: N/A$Username: %s$Website: %s
      • API String ID: 1956991067-1677157919
      • Opcode ID: 67390fbf8c4f8f9be52a04927e2c56793e30778da39bb260b22979a3c7bd24ce
      • Instruction ID: 39fc3e946c553e18eb45c811ffff52693c7e5ef7f5c138b084c92bd534322ce6
      • Opcode Fuzzy Hash: 67390fbf8c4f8f9be52a04927e2c56793e30778da39bb260b22979a3c7bd24ce
      • Instruction Fuzzy Hash: B9122C72608BC2DAEBB5EB14E4507AAB3A4FB85744F80013AE68D53B59DF7CD144CB60

      Control-flow graph (graph image not rendered) for the function at 00007FF763E2A7A0. It has the same shape as the function at 00007FF763E26E70: LocalAlloc, a wsprintfW-formatted header, CryptUnprotectData per row with a MultiByteToWideChar conversion on the success branch and a plain wsprintfW on the failure branch, and LocalFree on the exit paths.
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: wsprintf$Local$Free$AllocByteCharCryptDataDestroyExceptionMultiUnprotectWide_snprintflstrlen
      • String ID: ENCCHAR SELECT origin_url, username_value, password_value FROM logins$Password: %S$Password: %s$Password: N/A$Username: %s$Website: %s$sqlite3_open() failed. The database might be busy. Try closing the browser.$sqlite3_prepare_v2() failed. The database might be busy. Try closing the browser.
      • API String ID: 2546006042-1076678555
      • Opcode ID: 8ccc162c367cc1c6e0688ab8871224dbfb26631b463ee6e63f7471951a063a49
      • Instruction ID: 6ea7ad5808615ae75f2e0c2fa9f2f6d8857ee598420e9f9276de329a60f3087e
      • Opcode Fuzzy Hash: 8ccc162c367cc1c6e0688ab8871224dbfb26631b463ee6e63f7471951a063a49
      • Instruction Fuzzy Hash: 78021E3260CB86C6DB60EB15E4947AAB3A1FBC4744F84413AE68D97B68DF7DD405CB20

      Control-flow graph (graph image not rendered) for the function at 00007FF763EED6B8. Recoverable from the block list: it checks GetConsoleMode and GetConsoleCP, converts with WideCharToMultiByte, writes with WriteFile in several branches and reads GetLastError on failure; together with the _errno/_invalid_parameter_noinfo references below this is a C runtime write path rather than stealer logic.
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: __doserrno_errno_invalid_parameter_noinfo
      • String ID: U
      • API String ID: 3902385426-4171548499
      • Opcode ID: f099567d3685c6dfc8924743a84220f7a19d61402e7f8674a70f40c4c2d72514
      • Instruction ID: e376426739e580a9c7dcb90b0f6016ce5c1104f965708b160b5f43268780cdad
      • Opcode Fuzzy Hash: f099567d3685c6dfc8924743a84220f7a19d61402e7f8674a70f40c4c2d72514
      • Instruction Fuzzy Hash: B912CF36A0C642CAEBA0AF29E4443BAA3A0FFC4744F944235EA4D66794DF7DE545C730
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: FreeLocal$File$AllocCloseHandleTasktype_info::_name_internal_method$CreateCryptDataFolderKnownPathReadSizeUnprotect_errno_invalid_parameter_noinfofree
      • String ID: "encrypted_key"$%s%s$\Microsoft\edge\User Data\Local State$os_crypt
      • API String ID: 4274687654-2937217789
      • Opcode ID: d05ee43657104a51a207e4575482fec12dba5d9ac8e88f636bd1d844b45e1123
      • Instruction ID: cb148b2604b06446b6a71c0994592c5acbbe2ced7f9d3c322b0a7383ac4f10bb
      • Opcode Fuzzy Hash: d05ee43657104a51a207e4575482fec12dba5d9ac8e88f636bd1d844b45e1123
      • Instruction Fuzzy Hash: 8471E832608B82C6E7A0EB15E45476AF7A1FBC4750F904139EA8D92BA8DF7CD445CB60

      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: FreeLocal$File$AllocCloseHandleTasktype_info::_name_internal_method$CreateCryptDataFolderKnownPathReadSizeUnprotect_errno_invalid_parameter_noinfofree
      • String ID: "encrypted_key"$%s%s$\Opera Software\Opera Stable\Local State$os_crypt
      • API String ID: 4274687654-2183644451
      • Opcode ID: 8aaddce05b246a2046b14fdd026aefe01a2a9ac6cb7c264bc37829aec9b6648b
      • Instruction ID: 10e054cc8d62f4a2e3d36a274dbf490374d51f50660e3478cb3ee7cef866ad52
      • Opcode Fuzzy Hash: 8aaddce05b246a2046b14fdd026aefe01a2a9ac6cb7c264bc37829aec9b6648b
      • Instruction Fuzzy Hash: C071E832608A81C6E7A0EB15F44476AF7A1FBC4750F94413AEA8D92B68DF7CD445CB20

      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: FreeLocal$File$AllocCloseHandleTasktype_info::_name_internal_method$CreateCryptDataFolderKnownPathReadSizeUnprotect_errno_invalid_parameter_noinfofree
      • String ID: "encrypted_key"$%s%s$\Google\Chrome\User Data\Local State$os_crypt
      • API String ID: 4274687654-1017928681
      • Opcode ID: 30d096f34657783b1cefae60c6d2ee9f5a9a85a0937028e02213efea15342976
      • Instruction ID: 6e0b66afea2962b3dc9a78ad639b9c2bd58d1eb8ddd69516b0c6ea72d0f2521b
      • Opcode Fuzzy Hash: 30d096f34657783b1cefae60c6d2ee9f5a9a85a0937028e02213efea15342976
      • Instruction Fuzzy Hash: 8971E936608B81C6E7A0EB15F45576AB7A0FBC4750F904139EA8D93B68DF7CD449CB20
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: FreeLocal$File$AllocCloseHandleTasktype_info::_name_internal_method$CreateCryptDataFolderKnownPathReadSizeUnprotect_errno_invalid_parameter_noinfofree
      • String ID: "encrypted_key"$%s%s$\BraveSoftware\Brave-Browser\User Data\Local State$os_crypt
      • API String ID: 4274687654-3829228442
      • Opcode ID: 0408da01f6c9f721955fd7f975c65a804f54e87f8646c7dedcdb143afea7888a
      • Instruction ID: 949b49b00e0d8d70e4790ac220db9826fdfe3e43738a2bd2f44b410538fd8236
      • Opcode Fuzzy Hash: 0408da01f6c9f721955fd7f975c65a804f54e87f8646c7dedcdb143afea7888a
      • Instruction Fuzzy Hash: 7171D736608B81C6E7A0EB15E45476AF7A0FBC4750F944139EA8D92BA8DF7CD449CB20
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: FreeLocal$File$AllocCloseHandleTasktype_info::_name_internal_method$CreateCryptDataReadSizeUnprotect_errno_invalid_parameter_noinfofree
      • String ID: "encrypted_key"$%s%s$\Vivaldi\User Data\Local State$os_crypt
      • API String ID: 2937220710-3516988811
      • Opcode ID: 5ec7509ecd4b8031c812adadc7084b1e8f455f4f55790920f0c75db8c38099f2
      • Instruction ID: a244f17611cdc9f9566a84fae77db294e0c2350a1059a99a539965795fce7782
      • Opcode Fuzzy Hash: 5ec7509ecd4b8031c812adadc7084b1e8f455f4f55790920f0c75db8c38099f2
      • Instruction Fuzzy Hash: EC71E736608B82C6E7A0EB15F45476AB7A0FBC4750F944139EA8D93B68DF7CD449CB20
      Strings
      • , xrefs: 00007FF763EE64D7
      • --partContent-Type: text/plain; charset="UTF-8"Content-Disposition: form-data; name="hwid"%S--partContent-Type: text/plain; charset="UTF-8"Content-Disposition: form-data; name="logfoldername"%S--partContent-Type: application/octet-stream, xrefs: 00007FF763EE5DF6
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_char$_fileno_getptdfree
      • String ID: $--partContent-Type: text/plain; charset="UTF-8"Content-Disposition: form-data; name="hwid"%S--partContent-Type: text/plain; charset="UTF-8"Content-Disposition: form-data; name="logfoldername"%S--partContent-Type: application/octet-stream
      • API String ID: 920461082-3586589083
      • Opcode ID: 6fc77ca0534d19131eede728d8049889bbcf1f2595fe4514a2bef9c2850e3922
      • Instruction ID: ddd87f5903fc4636fc7c5a2a745db419c98eb98b2d8fb202ea0f49434ddef759
      • Opcode Fuzzy Hash: 6fc77ca0534d19131eede728d8049889bbcf1f2595fe4514a2bef9c2850e3922
      • Instruction Fuzzy Hash: 9052CE7290C686C6FBA4AB54944427EEBA0BB85748F940635FB4D677E5CE3CE840CB70
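The string and API IDs above (the logins query, the "Local State" paths, "encrypted_key"/"os_crypt", the "Login Data" path and the multipart form fields "hwid" and "logfoldername") are enough to recognise this family in other samples. The following scanner is an added example written for this page, not code from the report or from the sample: it searches a file for those strings in both narrow (ASCII) and wide (UTF-16LE) form, because the report lists some of them as wide strings, and raises a verdict only when the three strings that a Chromium password stealer cannot do without all co-occur. The test buffer it scans is constructed here; the indicator strings are copied from the report.

```python
"""Indicator scan for the Chromium credential-stealer strings listed in this report.

Added example (not part of the Joe Sandbox report or the sample). Strings are
taken verbatim from the report's "String ID" fields; the buffer scanned in
build_sample() is constructed for the demonstration.
"""
from __future__ import annotations

INDICATORS = {
    "logins_query": "SELECT origin_url, username_value, password_value FROM logins",
    "local_state": "\\Local State",            # common tail of the Chrome/Edge/Brave/Vivaldi/Opera paths
    "encrypted_key": '"encrypted_key"',
    "os_crypt": "os_crypt",
    "login_data": "\\User Data\\Default\\Login Data",
    "busy_hint": "The database might be busy. Try closing the browser.",
    "exfil_hwid": 'name="hwid"',
    "exfil_logfolder": 'name="logfoldername"',
}

# A Chromium password stealer needs the key file, the key field and the logins query.
REQUIRED_FOR_VERDICT = ("logins_query", "local_state", "encrypted_key")


def scan(data: bytes) -> dict[str, list[tuple[int, str]]]:
    """Return {indicator_name: [(offset, 'ascii' | 'wide'), ...]} for every hit in data."""
    hits: dict[str, list[tuple[int, str]]] = {}
    for name, text in INDICATORS.items():
        for enc_name, needle in (("ascii", text.encode("ascii")),
                                 ("wide", text.encode("utf-16-le"))):
            start = 0
            while (pos := data.find(needle, start)) != -1:
                hits.setdefault(name, []).append((pos, enc_name))
                start = pos + 1
    return hits


def verdict(hits: dict) -> bool:
    """True when every indicator a Chromium credential stealer requires is present."""
    return all(name in hits for name in REQUIRED_FOR_VERDICT)


def build_sample() -> bytes:
    """Constructed buffer mimicking the sample's mix of narrow and wide strings."""
    filler = b"\x00" * 16
    return (
        filler
        + INDICATORS["logins_query"].encode("ascii")
        + filler
        + "\\Google\\Chrome\\User Data\\Local State".encode("utf-16-le")
        + filler
        + INDICATORS["encrypted_key"].encode("ascii")
        + filler
        + INDICATORS["exfil_hwid"].encode("ascii")
    )


if __name__ == "__main__":
    h = scan(build_sample())
    for name, locs in sorted(h.items()):
        for off, enc in locs:
            print(f"{name:16s} {enc:5s} @ 0x{off:x}")
    print("verdict:", "Chromium credential stealer" if verdict(h) else "no match")
```

Run it against a real file by passing `open(path, "rb").read()` to `scan()`. The verdict deliberately ignores the exfiltration strings: they identify this particular build, while the three required strings identify the technique and will survive a change of C2 format.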
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: Local$Free$Alloc$PathTask$CopyFileFolderKnownTemplstrlen
      • String ID: %s%s$ENCWCHAR %sDATABASE$ENCWCHAR \Google\Chrome\User Data\Default\Login Data
      • API String ID: 2243084133-698333642
      • Opcode ID: de81e21226bc3a416391d566b779c1e02ec7b5abcba7b404894c759c98d00ecb
      • Instruction ID: 2fedf657a9046c00e44e1b1d3d5c131c7fe311084208e24b22f15b6edcbd254b
      • Opcode Fuzzy Hash: de81e21226bc3a416391d566b779c1e02ec7b5abcba7b404894c759c98d00ecb
      • Instruction Fuzzy Hash: 1D51BD36619AC2C2E7B0AB11E4987AEB361FB85740FD4013AD68D62B68DF7CD445CB20
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: ErrorLast_errno_invalid_parameter_noinfo$AddressDecodeLibraryLoadPointerProc
      • String ID: ADVAPI32.DLL$SystemFunction036
      • API String ID: 3960458323-1064046199
      • Opcode ID: 788ce4e6524c4ecaab954aa50b71af4880e75796c969cd6f86d2effbe2e579c7
      • Instruction ID: 37221f4b7aef11d758101fdec4cafcbd9e962759d956fd1e83b7f59bb037a621
      • Opcode Fuzzy Hash: 788ce4e6524c4ecaab954aa50b71af4880e75796c969cd6f86d2effbe2e579c7
      • Instruction Fuzzy Hash: 7B21EE31B09743C6FBD1BB61A444279A2A0AF48B84FD84639F90E67796EE7CE445C730
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: DecodePointerwrite_multi_char$_errno$_getptd_invalid_parameter_noinfofreewrite_char
      • String ID: SOFTWARE\%s
      • API String ID: 1806013980-297323700
      • Opcode ID: 46cd8c3363cc20b8f00d6e7b8cadefafb9a5c956439d70f6cbac0ba624e002af
      • Instruction ID: 04a100256e4316b1e5fea960068221f81a836a6de011c7db4f7c3eec0bf3df0a
      • Opcode Fuzzy Hash: 46cd8c3363cc20b8f00d6e7b8cadefafb9a5c956439d70f6cbac0ba624e002af
      • Instruction Fuzzy Hash: 2A52C272A0C692C6FBA4AB15944027EA7A1BB81744F940236FA4E677D4DF7DE840CB70
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
      • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
      • API String ID: 2183313154-4022980321
      • Opcode ID: 8cac3533d72549cb5a4cab9cf7a9144fa2a7d015d1eb2c12c692b9fda5de16d7
      • Instruction ID: 4ca1f68753dd501a8eaf0b66fccc620f9e782f5d0e5b66e92aaa58b0defdab67
      • Opcode Fuzzy Hash: 8cac3533d72549cb5a4cab9cf7a9144fa2a7d015d1eb2c12c692b9fda5de16d7
      • Instruction Fuzzy Hash: 8E51B031A0C783C2EBA4BB25A4116BAA391EF89784FD40235EE5D62B95DF3CE505C334
      APIs
      • _lock.LIBCMT ref: 00007FF763EEA69F
        • Part of subcall function 00007FF763EEEE5C: _amsg_exit.LIBCMT ref: 00007FF763EEEE86
      • _get_daylight.LIBCMT ref: 00007FF763EEA6B5
        • Part of subcall function 00007FF763EEB410: _errno.LIBCMT ref: 00007FF763EEB419
        • Part of subcall function 00007FF763EEB410: _invalid_parameter_noinfo.LIBCMT ref: 00007FF763EEB424
      • _get_daylight.LIBCMT ref: 00007FF763EEA6CA
        • Part of subcall function 00007FF763EEB3B0: _errno.LIBCMT ref: 00007FF763EEB3B9
        • Part of subcall function 00007FF763EEB3B0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF763EEB3C4
      • _get_daylight.LIBCMT ref: 00007FF763EEA6DF
        • Part of subcall function 00007FF763EEB3E0: _errno.LIBCMT ref: 00007FF763EEB3E9
        • Part of subcall function 00007FF763EEB3E0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF763EEB3F4
      • ___lc_codepage_func.LIBCMT ref: 00007FF763EEA6EC
        • Part of subcall function 00007FF763EEF750: __wtomb_environ.LIBCMT ref: 00007FF763EEF780
      • free.LIBCMT ref: 00007FF763EEA75D
        • Part of subcall function 00007FF763EE30E8: HeapFree.KERNEL32(?,?,00000000,00007FF763EE7EBC,?,?,00000000,00007FF763EE7EDF,?,?,?,00007FF763EE467B,?,?,00000000,00007FF763EE4E03), ref: 00007FF763EE30FE
        • Part of subcall function 00007FF763EE30E8: _errno.LIBCMT ref: 00007FF763EE3108
        • Part of subcall function 00007FF763EE30E8: GetLastError.KERNEL32(?,?,00000000,00007FF763EE7EBC,?,?,00000000,00007FF763EE7EDF,?,?,?,00007FF763EE467B,?,?,00000000,00007FF763EE4E03), ref: 00007FF763EE3110
      • free.LIBCMT ref: 00007FF763EEA7C6
      • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF763EEB09A,?,?,?,?,00007FF763EE3F2A), ref: 00007FF763EEA7D9
      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF763EEB09A,?,?,?,?,00007FF763EE3F2A), ref: 00007FF763EEA88F
      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF763EEB09A,?,?,?,?,00007FF763EE3F2A), ref: 00007FF763EEA8E2
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: _errno$_get_daylight_invalid_parameter_noinfo$ByteCharMultiWidefree$ErrorFreeHeapInformationLastTimeZone___lc_codepage_func__wtomb_environ_amsg_exit_getptd_lock
      • String ID:
      • API String ID: 2532449802-0
      Similarity
      • API ID: _get_daylight$_errno_isindst$__tzset_invalid_parameter_noinfo
      • String ID:
      • API String ID: 2215209938-0
      Similarity
      • API ID:
      • String ID: &$)$9$F
      • API String ID: 0-189807352
      Similarity
      • API ID:
      • String ID: --part--$--partContent-Type: text/plain; charset="UTF-8"Content-Disposition: form-data; name="hwid"%S--partContent-Type: text/plain; charset="UTF-8"Content-Disposition: form-data; name="logfoldername"%S--partContent-Type: application/octet-stream$Content-Type: multipart/form-data; boundary=part$Host: %s$POST$h
      • API String ID: 0-1863478720
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
      • String ID:
      • API String ID: 3778485334-0
      Similarity
      • API ID:
      • String ID: missing from index $*** in database %s ***$NULL value in %s.%s$d$integrity_check$non-unique entry in index $row $wrong # of entries in index
      • API String ID: 0-2060411160
      Similarity
      • API ID: DebugDeleteHeap$Handle
      • String ID: e
      • API String ID: 2112437963-4024072794
      Similarity
      • API ID:
      • String ID: DISTINCT$DISTINCT$GROUP BY$ORDER BY$RIGHT PART OF ORDER BY$expected %d columns for '%s' but got %d
      • API String ID: 0-2800172641
      Similarity
      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
      • String ID:
      • API String ID: 1239891234-0
      Similarity
      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
      • String ID:
      • API String ID: 1445889803-0
      Similarity
      • API ID: BinaryCryptString
      • String ID: PKllAuthenticate() error$PKllGetInternalKeySlot() error$PKllSDRDecrypt() error
      • API String ID: 80407269-2900511693
      Similarity
      • API ID:
      • String ID: FOREIGN KEY constraint failed$m$new$old
      • API String ID: 0-3033275495
      Similarity
      • API ID: _errno$_invalid_parameter_noinfo
      • String ID:
      • API String ID: 2819658684-0
      Similarity
      • API ID: _get_daylight$_errno_invalid_parameter_noinfo
      • String ID:
      • API String ID: 3559991230-0
      Similarity
      • API ID:
      • String ID: BINARY$h
      • API String ID: 0-1059121772
      Similarity
      • API ID:
      • String ID: rows deleted
      • API String ID: 0-571615504
      Similarity
      • API ID:
      • String ID: h
      • API String ID: 0-2439710439
      • Opcode ID: 5cb5e5f89a115ddeceb935bdf27d0518c7121e6ebfccd04e64152ce6619e3e82
      • Instruction ID: a86104766e0d11d9ac2f9d49c844c8dca74875a9eaee8f05b6ed260a537d3a5d
      • Opcode Fuzzy Hash: 5cb5e5f89a115ddeceb935bdf27d0518c7121e6ebfccd04e64152ce6619e3e82
      • Instruction Fuzzy Hash: 3622C3766186C5CAD7B0DB19E4847AAB7A0F7C8784F505126EA8D93B69CF3CD841CF20
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a07029526c9d606ef69827bb8f49a86dd0d43a7b8a9133beac5314156958ee05
      • Instruction ID: a8f5ead0f48ba0a3196c86fc47d9ef3c699167ef2c6f9030371ec54182fb1b30
      • Opcode Fuzzy Hash: a07029526c9d606ef69827bb8f49a86dd0d43a7b8a9133beac5314156958ee05
      • Instruction Fuzzy Hash: A4622C73708A818ADB59CB1CE4A067AB7A1F7C8784F84453AE78FC7B59CA2DD544CB10
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d9ad2fa6c76d28763152f519c92bee418d2d470df886e78abb55b30e8594308c
      • Instruction ID: 8fb29d15c144d085bde203fc58191ce716b5ab3fbd0d13535f546745a0404262
      • Opcode Fuzzy Hash: d9ad2fa6c76d28763152f519c92bee418d2d470df886e78abb55b30e8594308c
      • Instruction Fuzzy Hash: 2562E333519A84CAD7A1CB19E88022ABBB0F399794F540526F7CEC7B69DB2DC551CF20
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e038f68fdee178bc00b66af77ff66b7f887e0d0fcbea6ee17b37ce9ef9de2057
      • Instruction ID: 47d7dd50067b18a6b7dcba0a0e8e78267f83a96f17fb5417970e100335750ea4
      • Opcode Fuzzy Hash: e038f68fdee178bc00b66af77ff66b7f887e0d0fcbea6ee17b37ce9ef9de2057
      • Instruction Fuzzy Hash: F372FF76608B85C5DBA0DB19E4803AEB7A0F7C9B94F504125EB8D93B64DF3DD884CB20
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 40e177b45e4da728355ab9d2c8ab07bec5e628c8c44598c92bf3b7b74e59fd1e
      • Instruction ID: 80214f1abc867194291011a12a36917cc116e7047a5dd8c9fe78a70eb83a4b13
      • Opcode Fuzzy Hash: 40e177b45e4da728355ab9d2c8ab07bec5e628c8c44598c92bf3b7b74e59fd1e
      • Instruction Fuzzy Hash: 5F32EC3291CA85CAE7A1DB29E49036AF7A4FB85B44F508525F6CE96B58DF7CD040CF20
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 017f9a4300566e5bc4c4d2e3591f7107a0cb17a787beef7514c76a44ea637175
      • Instruction ID: 12ebe47122a0951c7a5e7061789ed8e4a0ac70d7a99bc2bb21630bf6bc369afd
      • Opcode Fuzzy Hash: 017f9a4300566e5bc4c4d2e3591f7107a0cb17a787beef7514c76a44ea637175
      • Instruction Fuzzy Hash: 4EF1F876608941CADB49DB1DE4A053DB7A1F3D8B84F50862AE68FC3BA4DE2ED541CF10
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e7004a089c2c2d96f9b3425ff52318f450f30ca4e7cb4196a6ae603d583de884
      • Instruction ID: 57696608dfe10a17250d72cb012ca41d256ecd9a225824ead6ba352e3c4ef425
      • Opcode Fuzzy Hash: e7004a089c2c2d96f9b3425ff52318f450f30ca4e7cb4196a6ae603d583de884
      • Instruction Fuzzy Hash: 0BF11D32518789C6E7A0AB16D08436EB7A1F7C4B58F440136FA8D57BA5CB7DE944CF20
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c7ad7251130f1fcff69324fe98ef734f9e84b06fce481b974c2d29eef07316cd
      • Instruction ID: c0601caf0ad3d793fbde54673bcad8071d47f1483594d83f2f7d2cc34dbabddd
      • Opcode Fuzzy Hash: c7ad7251130f1fcff69324fe98ef734f9e84b06fce481b974c2d29eef07316cd
      • Instruction Fuzzy Hash: 2FC1097660DBC586DAA0DB1AF4903AAB7A0FBC9B84F504425EACD57B5ACF3DC450CB10
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c3b7fe6fcffe67051d31dfb17cfd3ae7d35f455423290e3bee04e5a4674a67d0
      • Instruction ID: 7dc20a8ff207409b14076d7eb939040439ff8cfd9fa2275b1a9523940c675302
      • Opcode Fuzzy Hash: c3b7fe6fcffe67051d31dfb17cfd3ae7d35f455423290e3bee04e5a4674a67d0
      • Instruction Fuzzy Hash: F6C1F9B26085C9CAE774DB18E4907EAB7A0F7C8304F408139D78987B49DA7DD584CFA8
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1b3b68bb6fc86fcb025ff7a1b3573563d20c5b3e363a43d4edbe75d8258008e8
      • Instruction ID: 2a2026b9a0b896722f8e16f654e1c4501cfbe0219af16dac2411586e29054166
      • Opcode Fuzzy Hash: 1b3b68bb6fc86fcb025ff7a1b3573563d20c5b3e363a43d4edbe75d8258008e8
      • Instruction Fuzzy Hash: 7B81C82721DBC885DB01CB5EE49012EFBA0E3E9BC4B54845AEACD47B2ACE6DC145CB50
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 38642317c03b4730d10063eec1c90397017cb9f27778047c65d79311af45d9fe
      • Instruction ID: fdba3f2df064ba21764af420a4df0de0e2e1b281e90ccb17a32c8fbb097874fe
      • Opcode Fuzzy Hash: 38642317c03b4730d10063eec1c90397017cb9f27778047c65d79311af45d9fe
      • Instruction Fuzzy Hash: C1611C2261DB8886DB51CB5EE48036EBBB0E7D6784F54112AFBCD47B6ACE2DC544CB10
      Control-flow Graph (basic blocks and edges; the original rendering marks blocks as Executed / Not Executed)
      control_flow_graph 268 7ff763ef0528-7ff763ef052b 269 7ff763ef0915 268->269 270 7ff763ef0531-7ff763ef0914 call 7ff763ee30e8 * 86 268->270 270->269
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: free$ErrorFreeHeapLast_errno
      • String ID:
      • API String ID: 1012874770-0
      • Opcode ID: 845b22ba3c249d233effdc49008f2e37c68713154a64e4c254d07ea85a2ad4ea
      • Instruction ID: 20d11450bb2d53ac262240673290e132f049861cad028f1aea229de798406ef4
      • Opcode Fuzzy Hash: 845b22ba3c249d233effdc49008f2e37c68713154a64e4c254d07ea85a2ad4ea
      • Instruction Fuzzy Hash: A5A16332719546D1EA81FAA2C8953FC5320AF86F45F848236E98D6A276CE16D849C370
      Control-flow Graph (basic blocks and edges; the original rendering marks blocks as Executed / Not Executed)
      control_flow_graph 1131 7ff763e224f0-7ff763e225ac 1132 7ff763e225be-7ff763e225ca 1131->1132 1133 7ff763e225cc-7ff763e2260d call 7ff763e2e1b0 1132->1133 1134 7ff763e2260f-7ff763e2263c LocalAlloc 1132->1134 1133->1132 1136 7ff763e22920 1134->1136 1137 7ff763e22642-7ff763e22656 call 7ff763e21fc0 1134->1137 1140 7ff763e22922-7ff763e22939 call 7ff763ee2a80 1136->1140 1144 7ff763e2265c-7ff763e2267d call 7ff763e21e70 1137->1144 1145 7ff763e22916-7ff763e2291e 1137->1145 1149 7ff763e228df-7ff763e2290f wsprintfW 1144->1149 1150 7ff763e22683-7ff763e226a4 LocalAlloc 1144->1150 1145->1140 1149->1145 1151 7ff763e226aa-7ff763e226e9 wsprintfW LocalAlloc 1150->1151 1152 7ff763e2289b-7ff763e228c8 wsprintfW 1150->1152 1154 7ff763e2288b-7ff763e22899 LocalFree 1151->1154 1155 7ff763e226ef-7ff763e22704 GetCurrentDirectoryW 1151->1155 1153 7ff763e228cf-7ff763e228dd LocalFree 1152->1153 1153->1145 1154->1153 1156 7ff763e2270a-7ff763e2271b SetCurrentDirectoryW 1155->1156 1157 7ff763e2287d-7ff763e22885 LocalFree 1155->1157 1156->1157 1158 7ff763e22721-7ff763e22731 call 7ff763e222a0 1156->1158 1157->1154 1161 7ff763e22838-7ff763e22868 wsprintfW 1158->1161 1162 7ff763e22737-7ff763e22758 LocalAlloc 1158->1162 1163 7ff763e2286f-7ff763e22877 SetCurrentDirectoryW 1161->1163 1164 7ff763e2275e-7ff763e22769 1162->1164 1165 7ff763e22836 1162->1165 1163->1157 1166 7ff763e2277b-7ff763e22783 1164->1166 1165->1163 1167 7ff763e22828-7ff763e22830 LocalFree 1166->1167 1168 7ff763e22789-7ff763e227cd wsprintfW call 7ff763e234b0 1166->1168 1167->1165 1171 7ff763e227cf-7ff763e2281d call 7ff763ee2b10 LocalFree 1168->1171 1172 7ff763e22823 1168->1172 1171->1172 1172->1166
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: Local$Freewsprintf$Alloc$CurrentDirectory$lstrlen
      • String ID: @$ENCWCHAR %s\NSS3.DLL$ENCWCHAR GetFirefoxInstallDirectory() failed.$ENCWCHAR LocalAlloc() failed.$ENCWCHAR Profile%d$ENCWCHAR ResolveNSSFunctions() failed.$d
      • API String ID: 4041681773-2591646538
      • Opcode ID: 24c329edb53e0bf26020e2a0ebbfae6c3c563bdbc21f07ae59587a949c90bba4
      • Instruction ID: c18bccc78c33ef8298fab8b0f18ee42bca3d8589b9b6f4dd3ab7c84b3c660b70
      • Opcode Fuzzy Hash: 24c329edb53e0bf26020e2a0ebbfae6c3c563bdbc21f07ae59587a949c90bba4
      • Instruction Fuzzy Hash: F8B1C975609AC2C6EBF4AB04E4947AAB3A5FB84744F80013AD78E53B68DF7CD444CB24
      Control-flow Graph (basic blocks and edges; the original rendering marks blocks as Executed / Not Executed)
      control_flow_graph 1313 7ff763eefa98-7ff763eefad0 call 7ff763ee7d48 1316 7ff763eefad6-7ff763eefae9 LoadLibraryW 1313->1316 1317 7ff763eefbab 1313->1317 1318 7ff763eefc82 1316->1318 1319 7ff763eefaef-7ff763eefb02 GetProcAddress 1316->1319 1320 7ff763eefbb2 1317->1320 1321 7ff763eefc84-7ff763eefc9f call 7ff763ee2a80 1318->1321 1319->1318 1322 7ff763eefb08-7ff763eefb7e EncodePointer GetProcAddress EncodePointer GetProcAddress EncodePointer GetProcAddress EncodePointer 1319->1322 1323 7ff763eefbb9-7ff763eefbbc 1320->1323 1325 7ff763eefba2-7ff763eefba9 1322->1325 1326 7ff763eefb80-7ff763eefba0 GetProcAddress EncodePointer 1322->1326 1327 7ff763eefc20-7ff763eefc2a 1323->1327 1328 7ff763eefbbe-7ff763eefbc1 1323->1328 1325->1323 1326->1320 1330 7ff763eefc60-7ff763eefc70 DecodePointer 1327->1330 1331 7ff763eefc2c-7ff763eefc35 DecodePointer 1327->1331 1328->1327 1332 7ff763eefbc3-7ff763eefbe2 DecodePointer * 2 1328->1332 1330->1318 1333 7ff763eefc72-7ff763eefc80 1330->1333 1331->1330 1334 7ff763eefc37-7ff763eefc3f 1331->1334 1332->1327 1335 7ff763eefbe4-7ff763eefbe7 1332->1335 1333->1321 1334->1330 1340 7ff763eefc41-7ff763eefc4b 1334->1340 1335->1327 1336 7ff763eefbe9-7ff763eefbee 1335->1336 1341 7ff763eefbf0-7ff763eefc11 1336->1341 1342 7ff763eefc1a-7ff763eefc1e 1336->1342 1340->1330 1343 7ff763eefc4d-7ff763eefc56 DecodePointer 1340->1343 1341->1342 1346 7ff763eefc13-7ff763eefc18 1341->1346 1342->1330 1343->1330 1344 7ff763eefc58-7ff763eefc5d 1343->1344 1344->1330 1346->1327 1346->1342
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
      • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
      • API String ID: 2643518689-564504941
      • Opcode ID: 3a0804869892ba8d289fbc540af91b418a7dfb6fc09ec86b382e46333b6932df
      • Instruction ID: 5d11cd8884c0dd20f027d7e31bc5053d04a1541beea5361257b40edb1e725b5d
      • Opcode Fuzzy Hash: 3a0804869892ba8d289fbc540af91b418a7dfb6fc09ec86b382e46333b6932df
      • Instruction Fuzzy Hash: B651FC35A0AB17C1FAD5BB51B8545B4A3A0AF85B84FD90139EC0E27360EF7CA546C334
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: Local$AllocFree$Path$CopyFileFolderKnownTaskTemplstrlen
      • String ID: %s%s$%s%s$%s%s$ENCWCHAR %sDATABASE$ENCWCHAR \Opera Software\Opera Stable\Default\Login Data$ENCWCHAR \Opera Software\Opera Stable\Login Data
      • API String ID: 1449970929-1283949869
      • Opcode ID: bae2cc9d7d844a7e3456e4cbd68dd3e3526526634176f4380fb9fa70b0b11cb9
      • Instruction ID: 9cd3111e92706846bef9bb823ac7ec8d2638c15b79e44601abdc3a322e56fb56
      • Opcode Fuzzy Hash: bae2cc9d7d844a7e3456e4cbd68dd3e3526526634176f4380fb9fa70b0b11cb9
      • Instruction Fuzzy Hash: 2791FA72618AC6C1E7B0AB10E4547EAB3A5FB84744FD0013AE68D53BA8DF7CD584CB64
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: Affinity::operator!=Concurrency::details::Hardwaretype_info::_name_internal_method
      • String ID: <blank>$Account$Account: %S$IncomingServer$Password$Password: %S$Server: %S$gmail$gmail
      • API String ID: 1927102706-1566107505
      • Opcode ID: 47328a8a96919d207b2ed659ca42f48abfa7ef16adfa53b5e6a9e6690430b62c
      • Instruction ID: c01348a8bd3112a3ab08631da5854a26d3056f8bf07ed58d2124665821932782
      • Opcode Fuzzy Hash: 47328a8a96919d207b2ed659ca42f48abfa7ef16adfa53b5e6a9e6690430b62c
      • Instruction Fuzzy Hash: 15021072A0C6C6C6DAB4EB15E4507FAB3A0FB84344F80413AE68D96B99DF7CD505CB60
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: Local$Free$Alloc$PathTask$CopyFileFolderKnownTemp_errno_invalid_parameter_noinfo
      • String ID: %s%s$%sDATABASE$\Vivaldi\User Data\Default\Login Data
      • API String ID: 125112979-2647127264
      • Opcode ID: 45690bc7ffd48abfb83a3eb4cee9093e4d87a19c479dc784fe4559c13111bf48
      • Instruction ID: 122051092a51961ae7c88e3ed83124e3cf6a519852733e3604c82879de8b4269
      • Opcode Fuzzy Hash: 45690bc7ffd48abfb83a3eb4cee9093e4d87a19c479dc784fe4559c13111bf48
      • Instruction Fuzzy Hash: 8931C935A18A82C2E790AB15E85477AA371FBC5780FD40139FA8E63B68DF7DD445C720
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: Local$Free$Alloc$PathTask$CopyFileFolderKnownTemp_errno_invalid_parameter_noinfo
      • String ID: %s%s$%sDATABASE$\Microsoft\Edge\User Data\Default\Login Data
      • API String ID: 125112979-2025688231
      • Opcode ID: d0817131679ac70aec9dffadf78e4a000d223432ef7d644a78d525b8734c8d2f
      • Instruction ID: ff81ef55e1d2f95b3816b142a446cc9608df7f80aa2fb2f1139691d2804297bb
      • Opcode Fuzzy Hash: d0817131679ac70aec9dffadf78e4a000d223432ef7d644a78d525b8734c8d2f
      • Instruction Fuzzy Hash: FC31A93561CA43C2E790AB15E85476AA3A1FBC5780FD41039FA8E63B68CF7DD445CB60
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: Local$Free$Alloc$PathTask$CopyFileFolderKnownTemp_errno_invalid_parameter_noinfo
      • String ID: %s%s$%sDATABASE$\BraveSoftware\Brave-Browser\User Data\Default\Login Data
      • API String ID: 125112979-2231072359
      • Opcode ID: 9b2cfed6fe8d2f56c02c66262ea52f429ec775b7c877fa01145314d5d6c0143f
      • Instruction ID: 7c4b3e72561472d51b29c0fef8e5f83e11d44c12a126802f44de3ef4dd14a984
      • Opcode Fuzzy Hash: 9b2cfed6fe8d2f56c02c66262ea52f429ec775b7c877fa01145314d5d6c0143f
      • Instruction Fuzzy Hash: FB31CC35A28A82C2E794AB15E85476AA371FBC5780FD40039FA8E53B68CF7CD445CB20
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: lstrlen$ExitFreeLocalProcess
      • String ID: ENCWCHAR %s_%04d-%02d-%02d_%02d-%02d-%02d_(%05d).TXT$ENCWCHAR Brave$ENCWCHAR Chrome$ENCWCHAR Edge$ENCWCHAR Firefox$ENCWCHAR FoxMail$ENCWCHAR Opera$ENCWCHAR ThunderBird (IMAP)$ENCWCHAR Vivaldi$ENCWCHAR Wifi$d
      • API String ID: 2742116018-1050752689
      • Opcode ID: 608c6fa2b46d8588c097915e99825676fed031e1e9d0c6623f3c88a8848ad792
      • Instruction ID: b7c294e8dc4f60599937a574133ae5879020f801f2b2d29144c45cfe60a9bf79
      • Opcode Fuzzy Hash: 608c6fa2b46d8588c097915e99825676fed031e1e9d0c6623f3c88a8848ad792
      • Instruction Fuzzy Hash: 39427C3690DAC2C6E6B59B04F4847EAB3A4F788744F90412AE6CD52B98DF7DE144CF60
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: AddressProc$LibraryLoadlstrlen
      • String ID: ENCCHAR NSS_Init$ENCCHAR NSS_Shutdown$ENCCHAR PK11SDR_Decrypt$ENCCHAR PK11_Authenticate$ENCCHAR PK11_FreeSlot$ENCCHAR PK11_GetInternalKeySlot$d
      • API String ID: 1729337914-2566945990
      • Opcode ID: ad8f298560611540955a51c1541104dc0600b1afd4907dc56adb52078cf6072c
      • Instruction ID: ffef957c349d555b16a45c3f05d73d6b82c2b09da4ff8eb910bb819581a4f8f4
      • Opcode Fuzzy Hash: ad8f298560611540955a51c1541104dc0600b1afd4907dc56adb52078cf6072c
      • Instruction Fuzzy Hash: 0C518236519BC1D6E7B29B04F8847EAB3A4FB88744F94013ADA8D12B28DF7DD554CB20
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: free$ErrorFreeHeapLast__free_lconv_mon__free_lconv_num_errno
      • String ID:
      • API String ID: 518839503-0
      • Opcode ID: a8a1d119e2ae3e296ddb892661aadd3ea2a5fa3dfd0f413256ea23c2b2c0d3de
      • Instruction ID: 6d0f0c369954b137c1e0d6d39166fe0d29c8d57479ba9a00a2c4d874696b0542
      • Opcode Fuzzy Hash: a8a1d119e2ae3e296ddb892661aadd3ea2a5fa3dfd0f413256ea23c2b2c0d3de
      • Instruction Fuzzy Hash: 5C410F32F09542C4EED5FAA2C5503FCA760AF84F45F884636EA4D66395CF6DA841C331
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: Local$Free$AllocFile$CloseCreateHandleReadlstrlen
      • String ID: $ENCWCHAR %s\NSS3.DLL$d
      • API String ID: 1319876766-1918752920
      • Opcode ID: 0d0cd8ce7767989498efd3147525f3bc81a886d185369f7f22fc62146454c1d4
      • Instruction ID: af9255e2d04e64e3cc1c4f9110259b3ed6dcba2e090104c51f6f3847078bb7c6
      • Opcode Fuzzy Hash: 0d0cd8ce7767989498efd3147525f3bc81a886d185369f7f22fc62146454c1d4
      • Instruction Fuzzy Hash: D261FA32618AC5C2E7B19B05E4547EAB3A0FBC8750F900239EA9D57BA8CF7DD544CB20
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: _fileno$_errno$_invalid_parameter_noinfo
      • String ID:
      • API String ID: 482796045-0
      • Opcode ID: aa6d8daceea12b5813846082434a8d28bb494e2c6cb0a078936921c818505e6c
      • Instruction ID: 29385296d9e706d4ab2f2fbcd29e8e4c5f943be24b1a245ffb72d57798055847
      • Opcode Fuzzy Hash: aa6d8daceea12b5813846082434a8d28bb494e2c6cb0a078936921c818505e6c
      • Instruction Fuzzy Hash: 7C51D431A0CE82C1E6A8BB3555921BDE350AF81B94B942735FA6E577D5CF2CE452C330
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: Local$Free$AllocFile$CloseCreateHandleReadlstrlen
      • String ID: $ENCWCHAR %s\NSS3.DLL
      • API String ID: 1319876766-3743538101
      • Opcode ID: 30d150c6b8fe54552cfced7f429586411afa708e36324df7648d895aca3e237d
      • Instruction ID: 2b0062fc30a92c455b477878f1b614e7f5dce7f62e364ad28ecc2ea5968a4f8f
      • Opcode Fuzzy Hash: 30d150c6b8fe54552cfced7f429586411afa708e36324df7648d895aca3e237d
      • Instruction Fuzzy Hash: 8B611C32649BC6C1E7B09B40F4987AAB3A0F784754F900239EA9D57BA8CF7CD444CB60
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: free$_errno$EnvironmentVariable__wtomb_environ_invalid_parameter_noinfo
      • String ID:
      • API String ID: 101574016-0
      • Opcode ID: c170c1ddb3271b5b93da008cca24eb28c97a998cd920edefaef54f658353e0a0
      • Instruction ID: 60c575caa4437a3d89a5c4c54032a182d2e908b1abadb60ee69121cdf85323dd
      • Opcode Fuzzy Hash: c170c1ddb3271b5b93da008cca24eb28c97a998cd920edefaef54f658353e0a0
      • Instruction Fuzzy Hash: 84A19231E09782C1FB91BB15A6102B9A294AF40B94FC8863AFA5D277D5EE7CE444C730
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: ProfileWlanlstrlen$AllocListLocal
      • String ID: ENCWCHAR ===== Network Interface: %s =====$ENCWCHAR Profile: %s Key: %s$ENCWCHAR Profile: %s Key: (KEY ERROR)$ENCWCHAR Profile: %s Key: PROTECTED KEY (ELEVATION REQUIRED)
      • API String ID: 2124714483-2134194222
      • Opcode ID: d86e80781186f58ca1687059494ef0f4117c85fc908beb364a72ab9ed2db1a7d
      • Instruction ID: c42655440273438146847804ce5a3b6656f8d830cf59e703957a60ab1a69263a
      • Opcode Fuzzy Hash: d86e80781186f58ca1687059494ef0f4117c85fc908beb364a72ab9ed2db1a7d
      • Instruction Fuzzy Hash: 31B1C336A0CAC6C6DAB09B14E4907EAB3A4F7C8745F90012AD68D93B99DF3DD184CF50
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: Local$AllocDintFreeValuelstrcmpilstrlen
      • String ID: .exe$Executable$SOFTWARE\Aerofox\FoxmailPreview
      • API String ID: 2155083603-3659315336
      • Opcode ID: 7720bf8ab1967c8d3679f39bfc7db78ceef41d76a254b98fb25cfa13193238e9
      • Instruction ID: 01ddc9ce3022cab971113118f7216129fad3520ae9507a2750c1154ccff51b7d
      • Opcode Fuzzy Hash: 7720bf8ab1967c8d3679f39bfc7db78ceef41d76a254b98fb25cfa13193238e9
      • Instruction Fuzzy Hash: 9421FF3260CA42C6E790AB15E44476AB3B0FB85784FA40139F69DA3BA8DF7DD444C760
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: _errno$_invalid_parameter_noinfo$ByteCharErrorLastMultiWide
      • String ID:
      • API String ID: 2295021086-0
      • Opcode ID: 62c4e1ca78e47fe857f04f83811506c5e79ad84d5970ccd1d0a2273ce0055223
      • Instruction ID: c51d0d695e1af6eff68c0acb1205aed18f8d1bf16ec9c1bc4d6c43b664dc111c
      • Opcode Fuzzy Hash: 62c4e1ca78e47fe857f04f83811506c5e79ad84d5970ccd1d0a2273ce0055223
      • Instruction Fuzzy Hash: 38516632A09A47CAFBE5BB6084443BDA6A0AF80798F945334FA5D267D5DF3CA441C730
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID:
      • String ID: %s-mjXXXXXX9XXz$-mj%06X9%02X$MJ collide: %s$MJ delete: %s$d
      • API String ID: 0-1423884874
      • Opcode ID: 1107387ca954687a64ba97b71d54784d6d936056f5463cb4b4728b04bb955d5b
      • Instruction ID: 448dcb129f122f6808f109caeb589cda8d0b8f7a0320f2ed3b75de0cb7227557
      • Opcode Fuzzy Hash: 1107387ca954687a64ba97b71d54784d6d936056f5463cb4b4728b04bb955d5b
      • Instruction Fuzzy Hash: 4A22EA32A1D681C6E6A0EB15E48036AF7A0F7D4B90F501036FA8E57BA9DF3DD445CB60
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID:
      • String ID: day$hour$minute$month$second$year
      • API String ID: 0-1242934661
      • Opcode ID: ffb34000350207bc7b7e90a6ca2afa6582812440ac2c4b5800b96fbc2858aa67
      • Instruction ID: 99a7ccde1b3cff4cdca5defebbb59cfec2c6ada1669f75a89b41d29aa5294dba
      • Opcode Fuzzy Hash: ffb34000350207bc7b7e90a6ca2afa6582812440ac2c4b5800b96fbc2858aa67
      • Instruction Fuzzy Hash: E502103260DA85C5E7B1DB25E45036AF3A0FBD8B84F544226E68EA3768DF6CD441CF20
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: lstrlentype_info::_name_internal_method$AllocLocal
      • String ID: ENCCHAR formSubmitURL$ENCCHAR null$ENCCHAR userNameField$d
      • API String ID: 551288598-1867953385
      • Opcode ID: 4852e92eae1a581ef02289b245019e57f47af6dac448e4cb30b632c970b8983d
      • Instruction ID: ef4f49d797dabb2e244b492a7050426f1af47c5feb970434fbcf74f850190b05
      • Opcode Fuzzy Hash: 4852e92eae1a581ef02289b245019e57f47af6dac448e4cb30b632c970b8983d
      • Instruction Fuzzy Hash: D551A332618AC5C5DAB1EB15F4943EAB3A4F788784F90052ADA8D62B58DF7CD140CB20
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: lstrlentype_info::_name_internal_method$AllocLocal
      • String ID: ENCCHAR formSubmitURL$ENCCHAR httpRealm$ENCCHAR null$d
      • API String ID: 551288598-2769958101
      • Opcode ID: 66d4af4e0d85de7c13f302a2e662a0aa770fa8e923cf3c2932319bd2d97df8d1
      • Instruction ID: 5bf1c6a5be57da7383ceb1eb5186b17b7971d76c6ad7e3c22a3617da617c15eb
      • Opcode Fuzzy Hash: 66d4af4e0d85de7c13f302a2e662a0aa770fa8e923cf3c2932319bd2d97df8d1
      • Instruction Fuzzy Hash: FA519332618AC5C5DAB1EB15F4947EAB3A4F788784F90053ADA8E62B58DF7CD144CB20
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: lstrlentype_info::_name_internal_method$AllocLocal
      • String ID: ENCCHAR hostname$ENCCHAR httpRealm$ENCCHAR null$d
      • API String ID: 551288598-3143494807
      • Opcode ID: 6657a482642a4a9aa28a4137fd2f3918fa349dab31f56ff8d662caa5ccff3dec
      • Instruction ID: 4d40e280e67310f3c32346305c4eaf1d2b8c368c9c978ed65290ab9af86a51fc
      • Opcode Fuzzy Hash: 6657a482642a4a9aa28a4137fd2f3918fa349dab31f56ff8d662caa5ccff3dec
      • Instruction Fuzzy Hash: 2151C532618BC5C5DAB1EB14F4847EEB3A0F788784F90052AEA8E62B59DF7CD144CB10
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: lstrlentype_info::_name_internal_method$AllocLocal
      • String ID: ENCCHAR encryptedPassword$ENCCHAR guid$ENCCHAR null$d
      • API String ID: 551288598-3084204677
      • Opcode ID: 9321bd2b7b76334c95aa8fa9fb8f7b26e364cc05214e48586c1160aa40e488fd
      • Instruction ID: 359a6bbe6bf9c9bb03e8c7876c3918be33feb077a43b00d095d61b73df93ebb2
      • Opcode Fuzzy Hash: 9321bd2b7b76334c95aa8fa9fb8f7b26e364cc05214e48586c1160aa40e488fd
      • Instruction Fuzzy Hash: 0251A532619AC5C5E7B1EB14F8847EAB3A4F788784F90012ADA8D56B58DF7DD144CB20
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: lstrlentype_info::_name_internal_method$AllocLocal
      • String ID: ENCCHAR encryptedPassword$ENCCHAR encryptedUsername$ENCCHAR null$d
      • API String ID: 551288598-273128752
      • Opcode ID: 6b82d4f0dcab4d8684f29202bf01b9a4f906d385681006c3da3e510088f7f618
      • Instruction ID: 5348f59522b53097104c330be16088a41ab1f0a54a7d00f4d1e5d2f17d674b95
      • Opcode Fuzzy Hash: 6b82d4f0dcab4d8684f29202bf01b9a4f906d385681006c3da3e510088f7f618
      • Instruction Fuzzy Hash: 6B519432619BC5C5EBB1EB14F4847EAB3A4FB88784F90012ADA8D56B58DF7DD144CB20
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: Close$CreateValue_errno_invalid_parameter_noinfo
      • String ID: ?$PASSWORDDELIVERYOPTIONS$PASSWORDDELIVERYOPTIONS$SOFTWARE\%s
      • API String ID: 3235468379-2278741741
      • Opcode ID: bb920ed5dc75f68a0330986e7717629baa5795f5c10aef4d068a344fed0a23e5
      • Instruction ID: fdd86a9ad32846e436d221641951d68073d3a478c53673fd953ae27651ba3ce7
      • Opcode Fuzzy Hash: bb920ed5dc75f68a0330986e7717629baa5795f5c10aef4d068a344fed0a23e5
      • Instruction Fuzzy Hash: E1213032618B85C3E7A0AB61F45476AB3A1FB84784FD04139EA8D57B68DFBCD144CB24
      APIs
      • _lock.LIBCMT ref: 00007FF763EEB659
        • Part of subcall function 00007FF763EEEE5C: _amsg_exit.LIBCMT ref: 00007FF763EEEE86
      • DecodePointer.KERNEL32(?,?,?,?,?,00000000,00000000,00007FF763EEB81D,?,?,00000000,00007FF763EEEE8B,?,?,00000000,00007FF763EE7DF1), ref: 00007FF763EEB68C
      • DecodePointer.KERNEL32(?,?,?,?,?,00000000,00000000,00007FF763EEB81D,?,?,00000000,00007FF763EEEE8B,?,?,00000000,00007FF763EE7DF1), ref: 00007FF763EEB6AA
      • DecodePointer.KERNEL32(?,?,?,?,?,00000000,00000000,00007FF763EEB81D,?,?,00000000,00007FF763EEEE8B,?,?,00000000,00007FF763EE7DF1), ref: 00007FF763EEB6EA
      • DecodePointer.KERNEL32(?,?,?,?,?,00000000,00000000,00007FF763EEB81D,?,?,00000000,00007FF763EEEE8B,?,?,00000000,00007FF763EE7DF1), ref: 00007FF763EEB704
      • DecodePointer.KERNEL32(?,?,?,?,?,00000000,00000000,00007FF763EEB81D,?,?,00000000,00007FF763EEEE8B,?,?,00000000,00007FF763EE7DF1), ref: 00007FF763EEB714
      • _initterm.LIBCMT ref: 00007FF763EEB754
      • _initterm.LIBCMT ref: 00007FF763EEB767
      • ExitProcess.KERNEL32 ref: 00007FF763EEB7A0
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: DecodePointer$_initterm$ExitProcess_amsg_exit_lock
      • String ID:
      • API String ID: 3873167975-0
      • Opcode ID: 6d70ea429a5e0ba823f8c6855957f035e45de86b7617d3b39a54417b43be0fb9
      • Instruction ID: 80fb11b592d4a8328c76cea6a4207cfe41de635266cb13f8c9b41716053c2eca
      • Opcode Fuzzy Hash: 6d70ea429a5e0ba823f8c6855957f035e45de86b7617d3b39a54417b43be0fb9
      • Instruction Fuzzy Hash: 36413C31A1DB43C1EBD1AB11E840179E2A5FB84B84FC40235E94D66BA5EF7CE455C730
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID:
      • String ID: </keyMaterial>$<keyMaterial>$<protected>false</protected>$<protected>true</protected>
      • API String ID: 0-1104641132
      • Opcode ID: ca4ec8cbbab90b285ce1895503194e99f2cf11f2c7f3359da8b1989d05b8a099
      • Instruction ID: 4bfaa5ff7cfbb665a8d2bedaa00003ad006c8107f6d92b9b360e7464297c1562
      • Opcode Fuzzy Hash: ca4ec8cbbab90b285ce1895503194e99f2cf11f2c7f3359da8b1989d05b8a099
      • Instruction Fuzzy Hash: 80312B72618B41C2D7A0AB19F44432AB7A0FB84B94F94023DFA9D53BA8DF7CD450CB20
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID:
      • String ID: !$A$CORRELATED $EXECUTE %s%s SUBQUERY %d$LIST$SCALAR
      • API String ID: 0-2854972494
      • Opcode ID: 810ddfa1f422b2eacce3ca5c7fa0c54e8d9b51cd02c9e9686c2462fd46c39f0e
      • Instruction ID: 8b73f848566a5164de3557b77762d2ada4d2a79ddd9d1bbd79ab5f7430180314
      • Opcode Fuzzy Hash: 810ddfa1f422b2eacce3ca5c7fa0c54e8d9b51cd02c9e9686c2462fd46c39f0e
      • Instruction Fuzzy Hash: 7032B67661CAC5C6E6B0DB15E4807AAB7A0F7C8780F904126EA8D57B99DF3CD841CF60
      APIs
      • _FF_MSGBANNER.LIBCMT ref: 00007FF763EEED9B
        • Part of subcall function 00007FF763EEBAAC: _set_error_mode.LIBCMT ref: 00007FF763EEBAB5
        • Part of subcall function 00007FF763EEBAAC: _set_error_mode.LIBCMT ref: 00007FF763EEBAC4
        • Part of subcall function 00007FF763EEB84C: _set_error_mode.LIBCMT ref: 00007FF763EEB891
        • Part of subcall function 00007FF763EEB84C: _set_error_mode.LIBCMT ref: 00007FF763EEB8A2
        • Part of subcall function 00007FF763EEB84C: GetModuleFileNameW.KERNEL32 ref: 00007FF763EEB904
        • Part of subcall function 00007FF763EEB49C: ExitProcess.KERNEL32 ref: 00007FF763EEB4AB
        • Part of subcall function 00007FF763EEBCC0: malloc.LIBCMT ref: 00007FF763EEBCEB
        • Part of subcall function 00007FF763EEBCC0: Sleep.KERNEL32(?,?,00000000,00007FF763EEEDD5,?,?,?,00007FF763EEEE7F,?,?,00000000,00007FF763EE7DF1,?,?,00000000,00007FF763EE7EA8), ref: 00007FF763EEBCFE
      • _errno.LIBCMT ref: 00007FF763EEEDDD
      • _lock.LIBCMT ref: 00007FF763EEEDF1
      • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,00007FF763EEEE7F,?,?,00000000,00007FF763EE7DF1,?,?,00000000,00007FF763EE7EA8,?,?,00000000,00007FF763EE7EDF), ref: 00007FF763EEEE07
      • free.LIBCMT ref: 00007FF763EEEE14
      • _errno.LIBCMT ref: 00007FF763EEEE19
      • LeaveCriticalSection.KERNEL32(?,?,?,00007FF763EEEE7F,?,?,00000000,00007FF763EE7DF1,?,?,00000000,00007FF763EE7EA8,?,?,00000000,00007FF763EE7EDF), ref: 00007FF763EEEE3C
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
      • String ID:
      • API String ID: 113790786-0
      • Opcode ID: afd95673f251174982a8ce794f848919b6841aae659399595e9bffaeb35b0786
      • Instruction ID: 79144b142ae7258a67f59d1b3d01623b454a5725deb79e3073f92867b55fb37c
      • Opcode Fuzzy Hash: afd95673f251174982a8ce794f848919b6841aae659399595e9bffaeb35b0786
      • Instruction Fuzzy Hash: E9213C31E0CA42C1F6A4BBA1A445779A254EF85780FD45634F54E667E2CF3CE844C330
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID:
      • String ID: BINARY$NOCASE$RTRIM$main$temp
      • API String ID: 0-4153596280
      • Opcode ID: 264f2d91e0dc36247998cdc2bbe38767bda35f6d9167a53e3278ae513d9a9100
      • Instruction ID: 8461f11ba06b025a78d39461485f6b68b1dab64d7551d8f9ac3c472292009bdc
      • Opcode Fuzzy Hash: 264f2d91e0dc36247998cdc2bbe38767bda35f6d9167a53e3278ae513d9a9100
      • Instruction Fuzzy Hash: AD12F936618A85C6E790EB15E49036ABBA0FFC4B84F441135FA8E57BA9CF7CD441CB60
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2248472773.00007FF763E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF763E20000, based on PE: true
      • Associated: 00000000.00000002.2248452636.00007FF763E20000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248539884.00007FF763EF6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248559209.00007FF763F08000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F11000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248574621.00007FF763F17000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2248604645.00007FF763F1A000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_7ff763e20000_64.jbxd
      Similarity
      • API ID: DebugDeleteHeap
      • String ID:
      • API String ID: 382907993-0
      • Opcode ID: 3ff71fdd0b51cc498c7720015ec7bbdbec7a5d8604f93bcacb844dcd5fb0a999
      • Instruction ID: 4cc8c325c2fdb110740320dae09a8da47ff57bdcec4187ef870b21594b3eca44
      • Opcode Fuzzy Hash: 3ff71fdd0b51cc498c7720015ec7bbdbec7a5d8604f93bcacb844dcd5fb0a999
      • Instruction Fuzzy Hash: 42A1B63692C681C6E690EB25E05066FF7A0FBC5740FA01135F68A67B99CB3DE845CF60
      APIs
      Similarity
      • API ID: __doserrno_errno
      • String ID:
      • API String ID: 921712934-0
      • Opcode ID: f2041d385c892d0757d5d6668edc701c75112b82868591f33da2619ea02b38e1
      • Instruction ID: 756ce6e9e977c90e7c973eec9fe09eb8d794901e390b86caeeb0e4657c9811ce
      • Opcode Fuzzy Hash: f2041d385c892d0757d5d6668edc701c75112b82868591f33da2619ea02b38e1
      • Instruction Fuzzy Hash: AE21B332A18246C9E6957B5598413BEB6116F80B71FDA4335FA3D273D2CE7CA440C730
      APIs
      Similarity
      • API ID: __doserrno_errno
      • String ID:
      • API String ID: 921712934-0
      • Opcode ID: 2a485d2182b2693aa220179e2fccca2090916ad751d186b53ed027089b094a89
      • Instruction ID: b7659a15b530ed0c7083938e1c97da39709f23063ae47c81c51e0d03afc80116
      • Opcode Fuzzy Hash: 2a485d2182b2693aa220179e2fccca2090916ad751d186b53ed027089b094a89
      • Instruction Fuzzy Hash: 9D21B032E18642C9E2957B65984537EB611AF90761FD94234FA1D273E2CFBCA841C730
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 6f9fa9a074520f378ecd565d94ef68dc142d2de658c11a0cdc9186cc5a329083
      • Instruction ID: 2520647b8e7f69edb7414b237b78830da5b18adff410e1f8b224d8bb783f88c9
      • Opcode Fuzzy Hash: 6f9fa9a074520f378ecd565d94ef68dc142d2de658c11a0cdc9186cc5a329083
      • Instruction Fuzzy Hash: 8E71CC7291C681C7E690EB25E58476AF760F7C5790F602031F68A67BA9CE7CE444CF60
      APIs
      Similarity
      • API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
      • String ID:
      • API String ID: 3283625137-0
      • Opcode ID: 3b9470f5cdc7cb2e638c02177c5309ea6d32a8d6b38ea68cabda743d3a18046c
      • Instruction ID: 297555a6d2c5b6cbd14e54f5bfb4ca7cf4ec6587138e81bcd460fc40399311e1
      • Opcode Fuzzy Hash: 3b9470f5cdc7cb2e638c02177c5309ea6d32a8d6b38ea68cabda743d3a18046c
      • Instruction Fuzzy Hash: B9216231A08786C6EA94BBA5A44126AE290BF84B90F844735FE5D237D6DF3CE450CB30
      APIs
      • GetLastError.KERNEL32(?,?,00000000,00007FF763EE7EDF,?,?,?,00007FF763EE467B,?,?,00000000,00007FF763EE4E03), ref: 00007FF763EE7E5A
      • FlsGetValue.KERNEL32(?,?,00000000,00007FF763EE7EDF,?,?,?,00007FF763EE467B,?,?,00000000,00007FF763EE4E03), ref: 00007FF763EE7E68
      • SetLastError.KERNEL32(?,?,00000000,00007FF763EE7EDF,?,?,?,00007FF763EE467B,?,?,00000000,00007FF763EE4E03), ref: 00007FF763EE7EC0
        • Part of subcall function 00007FF763EEBD40: Sleep.KERNEL32(?,?,00000000,00007FF763EE7E83,?,?,00000000,00007FF763EE7EDF,?,?,?,00007FF763EE467B,?,?,00000000,00007FF763EE4E03), ref: 00007FF763EEBD85
      • FlsSetValue.KERNEL32(?,?,00000000,00007FF763EE7EDF,?,?,?,00007FF763EE467B,?,?,00000000,00007FF763EE4E03), ref: 00007FF763EE7E94
      • free.LIBCMT ref: 00007FF763EE7EB7
      • GetCurrentThreadId.KERNEL32 ref: 00007FF763EE7EA8
      Similarity
      • API ID: ErrorLastValue_lock$CurrentSleepThreadfree
      • String ID:
      • API String ID: 3106088686-0
      • Opcode ID: 1cd774ec05fc4325d2650eb334d30f1c4be20916b2c0d6dfd5ddfd2a1e093ca9
      • Instruction ID: f4fc82b88351a850de7baf4dcf64da021dfb58c6a4b3c32f47aaa274e8f5a80a
      • Opcode Fuzzy Hash: 1cd774ec05fc4325d2650eb334d30f1c4be20916b2c0d6dfd5ddfd2a1e093ca9
      • Instruction Fuzzy Hash: 77012134A09743C2FB95BF65A444078A6A1BF89B54FD88338E92D163D5EE3CE804C330
      APIs
      Strings
      Similarity
      • API ID: delete
      • String ID: %s%s$e
      • API String ID: 974290055-1438274125
      • Opcode ID: d8b48f6f2c6a85fd232c34efe8a8a14f7c1decc6d20b68cf109e70f561ba789a
      • Instruction ID: 76f6a460c07f8a82f7de302d94016caff87ed03407760cb3075fd14c8d31308b
      • Opcode Fuzzy Hash: d8b48f6f2c6a85fd232c34efe8a8a14f7c1decc6d20b68cf109e70f561ba789a
      • Instruction Fuzzy Hash: 3DE1FB3251CA81C6E6A0AB15E45036AF7A0F7C4B94F905132FACE57BA9DF7CD844CB20
      Strings
      Similarity
      • API ID:
      • String ID: @ $SQLite format 3
      • API String ID: 0-3708268960
      • Opcode ID: d9cdc5089dea9722adf8292ff7b0ae40d4b277a866f6bad34aec0dc4894d465f
      • Instruction ID: 75871d7bbfe9c2cb0a6d7843993838d141d22f3bf09fd169ef5181be04f390b5
      • Opcode Fuzzy Hash: d9cdc5089dea9722adf8292ff7b0ae40d4b277a866f6bad34aec0dc4894d465f
      • Instruction Fuzzy Hash: F1D1EE72A18681C7EB64DB2AE15026EBBA0F7C8744F500126FB8D977A9DB3CD445CF24
      Strings
      Similarity
      • API ID:
      • String ID: %d of %d pages missing from overflow list starting at %d$failed to get page %d$free-page count in header is too small$freelist leaf count too big on page %d
      • API String ID: 0-1290261800
      • Opcode ID: 51b72c1504386477fa4b5dc3a8a7ad725fa38a3bb0aa021a4d22cd12433e3e60
      • Instruction ID: 7a8bcd3fcc470417fd536ba1aee3f558dd8b321dc863f05605c982170c39d8f7
      • Opcode Fuzzy Hash: 51b72c1504386477fa4b5dc3a8a7ad725fa38a3bb0aa021a4d22cd12433e3e60
      • Instruction Fuzzy Hash: 1B81EA72A0CA81C6D7A0EB19E55076AB7A0F7C5780F505036F68DA3B99DF6CD445CF20
      APIs
      Strings
      Similarity
      • API ID: _callnewh_errno$AllocHeapType_info_dtormallocstd::exception::exceptiontype_info::_
      • String ID: bad allocation
      • API String ID: 1736788397-2104205924
      • Opcode ID: 9defffcb0435256335de9652b8d7be219744e451e899b0cf9a030c74eca59270
      • Instruction ID: 6d8eaff9166599d1efa39daa73e52c9e38e650171635cd0a8d245a455732e1b3
      • Opcode Fuzzy Hash: 9defffcb0435256335de9652b8d7be219744e451e899b0cf9a030c74eca59270
      • Instruction Fuzzy Hash: 5C214731A08747D1EA94BB51B8411F8E3A4AF48380FC80135F94E227A6EF6DE585C730
      APIs
      Strings
      Similarity
      • API ID: Local$AllocFreeValuelstrlen
      • String ID: ENCWCHAR SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe$Path
      • API String ID: 3635103947-2298922025
      • Opcode ID: 28bc287aa5eb016748eed61b35c2192a42abd7c7dd6b0fc26af89aec37d1b080
      • Instruction ID: 9d32520e22d2809f228c09907e81318566471a82a8462e75792e41496f67d299
      • Opcode Fuzzy Hash: 28bc287aa5eb016748eed61b35c2192a42abd7c7dd6b0fc26af89aec37d1b080
      • Instruction Fuzzy Hash: 9031E932609A82C6E7B1AB14F4557EAF3A4FB89754F900139E6CD52B98DF7CD144CB20
      APIs
      • LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF763E28005), ref: 00007FF763E27F36
      • RegGetValueW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF763E28005), ref: 00007FF763E27F81
      • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF763E28005), ref: 00007FF763E27F97
      Strings
      Similarity
      • API ID: Local$AllocFreeValue
      • String ID: SOFTWARE\Aerofox\FoxmailPreview$Version
      • API String ID: 3763969679-3619246949
      • Opcode ID: 05d090ac0b3a9399ca4a72deb2b0449b3bacd87be8f220978da2e00c35281540
      • Instruction ID: 3b6e6417acbc0e6faaef7bc5522f87806aa7e08bd4263ffe8f6eedb3c4a76cd8
      • Opcode Fuzzy Hash: 05d090ac0b3a9399ca4a72deb2b0449b3bacd87be8f220978da2e00c35281540
      • Instruction Fuzzy Hash: 1F014B31608A42C2E7A0AB14E84476AB3B0FB85740FE00138F79D627A8DF7DD844C720
      APIs
      Strings
      Similarity
      • API ID: Local$AllocFreeValue
      • String ID: Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\thunderbird.exe
      • API String ID: 3763969679-3718243712
      • Opcode ID: d26ed8af342fd61c12532628d268f57e26b9801521dfa58eeff7cf5130500fac
      • Instruction ID: 2d5f1752ff59140aa6e5c59f1f3b52adf57796931901601061185cb01402a1a4
      • Opcode Fuzzy Hash: d26ed8af342fd61c12532628d268f57e26b9801521dfa58eeff7cf5130500fac
      • Instruction Fuzzy Hash: 3C014F31608A42C2E7A0EB14E44476AB3B0FB85790FE00139F68D56BA8DF7DC445C720
      APIs
      Similarity
      • API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
      • String ID:
      • API String ID: 2574049805-0
      • Opcode ID: 3a1741117c34abe4ffc33185734f8180aca56100f3d5e52a3a0cf58f798bdaa3
      • Instruction ID: 3068165e414b464ce04495693e2f12f17c28e9dd4f385d5bce8d88d2d23f7301
      • Opcode Fuzzy Hash: 3a1741117c34abe4ffc33185734f8180aca56100f3d5e52a3a0cf58f798bdaa3
      • Instruction Fuzzy Hash: AF41F5B2A08646C6EBA4BF69C44127DB290EF84B50FD84238E91C273D5DEBDD851C3B0
      APIs
      Similarity
      • API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
      • String ID:
      • API String ID: 2574049805-0
      • Opcode ID: d821a509031e5c32eda5312869b85c90763443a79dc5fd09f7ce31319725e5ea
      • Instruction ID: 8eb7946b397420045ba76aa9d7c4821fc9519d0cb1f5e5ef4bdb15ee37280419
      • Opcode Fuzzy Hash: d821a509031e5c32eda5312869b85c90763443a79dc5fd09f7ce31319725e5ea
      • Instruction Fuzzy Hash: 4641D672A08702C9EB94AF28C45127DB690EF84B54F940336EA6D573D5DE3CE851CBB0
      APIs
      Similarity
      • API ID: ByteCharMultiWide$StringTypefreemalloc
      • String ID:
      • API String ID: 307345228-0
      • Opcode ID: d17e4e078f68b3d9675a1591302bd3664cff74d3f4ccf7707ebeaa381c1a9b5c
      • Instruction ID: d0d3ce8d8c7f4664f580092afafcfc7b5f6ad3f648ba7bfc96ab33bf68fb4907
      • Opcode Fuzzy Hash: d17e4e078f68b3d9675a1591302bd3664cff74d3f4ccf7707ebeaa381c1a9b5c
      • Instruction Fuzzy Hash: EF416332A05A41C6EB91AF259800569A395FF44BA8FDC4239FE6D577D5DF7CE801C320
      APIs
      • DecodePointer.KERNEL32(?,?,?,00007FF763EE9821,?,?,?,?,00007FF763EE3B37), ref: 00007FF763EE9735
      • DecodePointer.KERNEL32(?,?,?,00007FF763EE9821,?,?,?,?,00007FF763EE3B37), ref: 00007FF763EE9745
        • Part of subcall function 00007FF763EE4284: _errno.LIBCMT ref: 00007FF763EE428D
        • Part of subcall function 00007FF763EE4284: _invalid_parameter_noinfo.LIBCMT ref: 00007FF763EE4298
      • EncodePointer.KERNEL32(?,?,?,00007FF763EE9821,?,?,?,?,00007FF763EE3B37), ref: 00007FF763EE97C3
        • Part of subcall function 00007FF763EEBDC4: realloc.LIBCMT ref: 00007FF763EEBDEF
        • Part of subcall function 00007FF763EEBDC4: Sleep.KERNEL32(?,?,00000000,00007FF763EE97B3,?,?,?,00007FF763EE9821,?,?,?,?,00007FF763EE3B37), ref: 00007FF763EEBE0B
      • EncodePointer.KERNEL32(?,?,?,00007FF763EE9821,?,?,?,?,00007FF763EE3B37), ref: 00007FF763EE97D3
      • EncodePointer.KERNEL32(?,?,?,00007FF763EE9821,?,?,?,?,00007FF763EE3B37), ref: 00007FF763EE97E0
      Similarity
      • API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
      • String ID:
      • API String ID: 1909145217-0
      • Opcode ID: ff6c3343d74ff8fd6b5156d4d3eee6365b94d8c122786dc9322943ba846443b4
      • Instruction ID: d93b77e141a9d679ba7a4ce0f20181a480a47fd58309138ef50df506e879da1b
      • Opcode Fuzzy Hash: ff6c3343d74ff8fd6b5156d4d3eee6365b94d8c122786dc9322943ba846443b4
      • Instruction Fuzzy Hash: 8F213D31B0A746C2EB95BB61E9880AAE391BF88B80FC44535F94D27755EE7CE084C370
      APIs
      Similarity
      • API ID: __doserrno_errno
      • String ID:
      • API String ID: 921712934-0
      • Opcode ID: 4bd9ccf4257c8c168ed7ce0265ab49fe7612b49806588b91a0817b818feabbc5
      • Instruction ID: 8222239232a98ceff2a67babdf92a37e477367cc41e041d7f8f668c9f09d2323
      • Opcode Fuzzy Hash: 4bd9ccf4257c8c168ed7ce0265ab49fe7612b49806588b91a0817b818feabbc5
      • Instruction Fuzzy Hash: B6016D72A1864AC4EB957B64888137CA6515F50B21FD54339F62E263D2CEBCA841C331
      APIs
      Similarity
      • API ID: Uninitialize$CreateFromGuidInitializeString
      • String ID:
      • API String ID: 46189592-0
      • Opcode ID: 6b460ca79f777db8172b930f2d2d7aee14fefab3f5eb77e195ddf2c3e5d524b9
      • Instruction ID: 018b4889f87e249a17ad76fd5e0e3eb02ccc30a8b3bb00849fae53f304b2c96d
      • Opcode Fuzzy Hash: 6b460ca79f777db8172b930f2d2d7aee14fefab3f5eb77e195ddf2c3e5d524b9
      • Instruction Fuzzy Hash: 95F04F31A18943C2EB90BB20E85563AB3A0FF94B95FC41039F54E97760DE6CD185CB30
      Strings
      Similarity
      • API ID:
      • String ID: /$R$d
      • API String ID: 0-2129447320
      • Opcode ID: 4b44e6cde3fa981dd5c0e852ec8296700e7747c7cececa00581312faf3ca8c95
      • Instruction ID: 7fe83b4589e6717d0796117ed855d1e86019b51e82ae1e3e86e80f9c51b5680b
      • Opcode Fuzzy Hash: 4b44e6cde3fa981dd5c0e852ec8296700e7747c7cececa00581312faf3ca8c95
      • Instruction Fuzzy Hash: 9291F13260CBC5C5EAA0EB55E4903BAB7A0FBC9B84F504535E68D53B65DE3CD101CB60
      APIs
      • GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF763EEB4A9,?,?,00000028,00007FF763EE4215,?,?,00000000,00007FF763EEBCF0,?,?,00000000,00007FF763EEEDD5), ref: 00007FF763EEB46F
      • GetProcAddress.KERNEL32(?,?,000000FF,00007FF763EEB4A9,?,?,00000028,00007FF763EE4215,?,?,00000000,00007FF763EEBCF0,?,?,00000000,00007FF763EEEDD5), ref: 00007FF763EEB484
      Strings
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: CorExitProcess$mscoree.dll
      • API String ID: 1646373207-1276376045
      • Opcode ID: 0c98680ffb776f8f1a8e8a2d4ab503b6fe14e7b403d11f55ab57effef1a6c83b
      • Instruction ID: 7ce489b65e8481288338530dca6c8629ae08b3e7c1d403dd29b8ab69bffcbc0c
      • Opcode Fuzzy Hash: 0c98680ffb776f8f1a8e8a2d4ab503b6fe14e7b403d11f55ab57effef1a6c83b
      • Instruction Fuzzy Hash: B6E01231F19703C2FFA9BB90A8A42389390AF49741FCC143CD81E16390EEACA949C330
      APIs
      Similarity
      • API ID: lstrlen$AllocLocal
      • String ID:
      • API String ID: 2140729754-0
      • Opcode ID: 7dff1bd1dec06322136d6bd30ac40e2d3b8583bfaa34955ab7c6f9786ac351c3
      • Instruction ID: 3edc3498931639aef135238fbcac6352e270cb297a375aea37055737e55c9079
      • Opcode Fuzzy Hash: 7dff1bd1dec06322136d6bd30ac40e2d3b8583bfaa34955ab7c6f9786ac351c3
      • Instruction Fuzzy Hash: 4E81D972608A81CAD7A4DB29E48072AF7A0F7C8784F505529F78E93B98DE7CD545CF10
      APIs
      Similarity
      • API ID: lstrlen$AllocLocal
      • String ID:
      • API String ID: 2140729754-0
      • Opcode ID: 212b2ca959c54889c0269acd869b2160fb4b1460e5fc08839702d25f49bd2309
      • Instruction ID: 263f5be9934696b8d670295e418e08292fe2f5dc76dcbadcc57806eab392df93
      • Opcode Fuzzy Hash: 212b2ca959c54889c0269acd869b2160fb4b1460e5fc08839702d25f49bd2309
      • Instruction Fuzzy Hash: 5D81B872A1CA81CAD7A0DB29E48076AF7A0F7C8784F505129F6CE93B58DA7CD445CF10
      APIs
      Similarity
      • API ID: DebugDeleteHeap
      • String ID:
      • API String ID: 382907993-0
      • Opcode ID: 4adade84d71831ecb7ed19cfece2f3bdb1c93b0e3bc3f971ac9191bf26e13c96
      • Instruction ID: 29dcb81aa4708385d5d0fb2cc1bc756df8ae792a1bba8faada8409aa3e74164d
      • Opcode Fuzzy Hash: 4adade84d71831ecb7ed19cfece2f3bdb1c93b0e3bc3f971ac9191bf26e13c96
      • Instruction Fuzzy Hash: C5F1A276608784CAD7A0DB69E49076AFBA1F7C9790F104026FA8D93B69DB7CE444CF10
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 565de8bdb3627577356645b4e6439c35e014c54ca8a9d1ba2df1e3bb25aa0dfe
      • Instruction ID: 90b41034986588260927553b30a2ca5804b85e642fa5e81526620db8f6cea4e9
      • Opcode Fuzzy Hash: 565de8bdb3627577356645b4e6439c35e014c54ca8a9d1ba2df1e3bb25aa0dfe
      • Instruction Fuzzy Hash: F971883291C6C2CAE7A0AA25E0447AEF7A0F7C8744F505025F6C997B5ADB7CE448CF60
      APIs
      Similarity
      • API ID: ProfileWlan$FreeListLocal_errno_invalid_parameter_noinfolstrlen
      • String ID:
      • API String ID: 1876236585-0
      • Opcode ID: 4bc9118122fbfcbd15d743131bfff5da8197c736f1d68bc8f697cafa5cc97f31
      • Instruction ID: 9d31928eb669d77812b94d47f299f1f53edb2cb9bd4288a648d88b7380db3b0b
      • Opcode Fuzzy Hash: 4bc9118122fbfcbd15d743131bfff5da8197c736f1d68bc8f697cafa5cc97f31
      • Instruction Fuzzy Hash: 67519372A0CAC6C6DAB09B14E4907EAB3A4E7C8754F501126EA8D93B59DF3CE584CF50
      APIs
      Similarity
      • API ID: _amsg_exit$_getptd_lockfree
      • String ID:
      • API String ID: 2148533958-0
      • Opcode ID: 5c32c2e3205890c41809e7faa9b5227a894db64d588fffb33eae37d125309cd1
      • Instruction ID: 35c54d54e1be2e0877a70e9d3f1ad252e9fc40149eaf9787530a98a29d9ea5d6
      • Opcode Fuzzy Hash: 5c32c2e3205890c41809e7faa9b5227a894db64d588fffb33eae37d125309cd1
      • Instruction Fuzzy Hash: 1A112936A19A46C5EAD5AB51E4407B8B7A0EB54B80FC80235EA0E23395CF2CE454C730
      APIs
      Similarity
      • API ID: _amsg_exit_getptd$_lock
      • String ID:
      • API String ID: 3670291111-0
      • Opcode ID: f1be9111fc1fb4cd093e23f8c43004844fb388dedb79a84011bf30b553da1eaa
      • Instruction ID: 4acc9868b45eec0d5983b0469fc629051c1f9f419ee194101435f41ded7e2c55
      • Opcode Fuzzy Hash: f1be9111fc1fb4cd093e23f8c43004844fb388dedb79a84011bf30b553da1eaa
      • Instruction Fuzzy Hash: 14F0E731E09542C5FA94BB6198417B8A661EF55B80F885238EA0E273E2DF2CA844D331
      APIs
      Strings
      Similarity
      • API ID: swscanf
      • String ID: %2x$q
      • API String ID: 3616590096-422182567
      • Opcode ID: 05b4d067fa696309f7f942e02863d28febe8bcaf010b57bb3f734e43b3fdb050
      • Instruction ID: a1db05e39ccc92eeb90d915f8f740693949e02aa72da47d5096d1ed8364ad46e
      • Opcode Fuzzy Hash: 05b4d067fa696309f7f942e02863d28febe8bcaf010b57bb3f734e43b3fdb050
      • Instruction Fuzzy Hash: F1F1DA72609B81C6DAA0DB19E49076AB7A0F7C9790F504226FB9D97BA8DF3CD540CF10
      APIs
      Strings
      Similarity
      • API ID: DebugDeleteHeap
      • String ID: Fragmentation of %d bytes reported as %d on page %d$Multiple uses for byte %u of page %d
      • API String ID: 382907993-531957496
      • Opcode ID: 2d8a0e3d0d7ae9d02cda2269a63150a5384acf7e185f4685468deac6ab7cb467
      • Instruction ID: 4d5b28788f47f18d4c09d66d6764717c687b497801edcf9cad7c977bd6f9f061
      • Opcode Fuzzy Hash: 2d8a0e3d0d7ae9d02cda2269a63150a5384acf7e185f4685468deac6ab7cb467
      • Instruction Fuzzy Hash: AA310732A0C6C5CAD7B4DB19E4907AAB7A1F7C5740F404135EA8D93B99CE6CD445CF20
      APIs
      Strings
      Similarity
      • API ID: _errno_invalid_parameter_noinfo
      • String ID: B
      • API String ID: 2959964966-1255198513
      • Opcode ID: 4c26f81f46c2d2345e81fac103e8bb81ae72b127b7f7923da0e526780dfd105f
      • Instruction ID: 0e0be36fc4be32964b54c7769d48d1f35e42832363eb388d7dcdefb7006b3d10
      • Opcode Fuzzy Hash: 4c26f81f46c2d2345e81fac103e8bb81ae72b127b7f7923da0e526780dfd105f
      • Instruction Fuzzy Hash: A3217C72F08A66C9F751FF6094406ECA670AB247A8F940231FE1E26B89DF399441C730
      APIs
      Strings
      Similarity
      • API ID: _errno_invalid_parameter_noinfo
      • String ID: I
      • API String ID: 2959964966-3707901625
      • Opcode ID: bbb170b3f9788c505c14e8867f3bb5de3cc13563db0622ea53e942999b169b43
      • Instruction ID: d75bd2694c1b08fece346df7b6d1f8903845bd7f873ac0591271febb15204ec2
      • Opcode Fuzzy Hash: bbb170b3f9788c505c14e8867f3bb5de3cc13563db0622ea53e942999b169b43
      • Instruction Fuzzy Hash: 25117072A18781C5DB50AB12E940269F6A0FB98FE0F584331EB9D17BA5CF3CD540CB20