Edit tour

Windows Analysis Report
5U5ouw7ryf.exe

Overview

General Information

Sample name:	5U5ouw7ryf.exe renamed because original name is a hash value
Original sample name:	41b5953e5d8016a817f4f793f7eb708c.exe
Analysis ID:	1416007
MD5:	41b5953e5d8016a817f4f793f7eb708c
SHA1:	c8f1fc586c61c93b9cb2d9ab3401ac548e3d10e7
SHA256:	636f2b1624573965b7fc093117d8927ebffdbc0d852c241aede59fe81fece84f
Tags:	32exetrojan
Infos:

Detection

Ramnit

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Ramnit VNC Module

Allocates memory in foreign processes

Contains VNC / remote desktop functionality (version string found)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

5U5ouw7ryf.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\5U5ouw7ryf.exe" MD5: 41B5953E5D8016A817F4F793F7EB708C)

svchost.exe (PID: 7292 cmdline: C:\Windows\system32\svchost.exe -k MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Ramnit	According to Check Point, Ramnit is primarily a banking trojan, meaning that its purpose is to steal login credentials for online banking, which cybercriminals can sell or use in future attacks. For this reason, Ramnit primarily targets individuals rather than focusing on particular industries.Ramnit campaigns have been observed to target organizations in particular industries. For example, a 2019 campaign targeted financial organizations in the United Kingdom, Italy, and Canada.	No Attribution	http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html http://www.secureworks.com/research/threat-profiles/gold-fairfax http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html https://artik.blue/malware4	https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
5U5ouw7ryf.exe	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
5U5ouw7ryf.exe	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmp	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp	crime_win32_hvnc_zloader1_hvnc_generic	Detects Zloader hidden VNC	@VK_Intel
00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp	crime_win32_hvnc_zloader1_hvnc_generic	Detects Zloader hidden VNC	@VK_Intel
Process Memory Space: 5U5ouw7ryf.exe PID: 7260	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
Process Memory Space: 5U5ouw7ryf.exe PID: 7260	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost.exe PID: 7292	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
Process Memory Space: svchost.exe PID: 7292	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.svchost.exe.10cc50.1.unpack	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
2.2.svchost.exe.10cc50.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.0.5U5ouw7ryf.exe.1a6000.2.unpack	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
0.0.5U5ouw7ryf.exe.1a6000.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.5U5ouw7ryf.exe.1a6000.1.unpack	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
0.2.5U5ouw7ryf.exe.1a6000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.svchost.exe.147c50.2.raw.unpack	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
2.2.svchost.exe.147c50.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.svchost.exe.147c50.2.raw.unpack	crime_win32_hvnc_zloader1_hvnc_generic	Detects Zloader hidden VNC	@VK_Intel
0.2.5U5ouw7ryf.exe.1e1000.2.unpack	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
0.2.5U5ouw7ryf.exe.1e1000.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.0.5U5ouw7ryf.exe.1e1000.1.unpack	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
0.0.5U5ouw7ryf.exe.1e1000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.0.5U5ouw7ryf.exe.1e1000.1.raw.unpack	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
0.0.5U5ouw7ryf.exe.1e1000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.0.5U5ouw7ryf.exe.1e1000.1.raw.unpack	crime_win32_hvnc_zloader1_hvnc_generic	Detects Zloader hidden VNC	@VK_Intel
2.2.svchost.exe.c0000.0.unpack	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
2.2.svchost.exe.c0000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.svchost.exe.c0000.0.unpack	crime_win32_hvnc_zloader1_hvnc_generic	Detects Zloader hidden VNC	@VK_Intel
0.2.5U5ouw7ryf.exe.1e1000.2.raw.unpack	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
0.2.5U5ouw7ryf.exe.1e1000.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.5U5ouw7ryf.exe.1e1000.2.raw.unpack	crime_win32_hvnc_zloader1_hvnc_generic	Detects Zloader hidden VNC	@VK_Intel
2.2.svchost.exe.147c50.2.unpack	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
2.2.svchost.exe.147c50.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.0.5U5ouw7ryf.exe.1a6000.2.raw.unpack	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
0.0.5U5ouw7ryf.exe.1a6000.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.0.5U5ouw7ryf.exe.1a6000.2.raw.unpack	crime_win32_hvnc_zloader1_hvnc_generic	Detects Zloader hidden VNC	@VK_Intel
2.2.svchost.exe.10cc50.1.raw.unpack	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
2.2.svchost.exe.10cc50.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.svchost.exe.10cc50.1.raw.unpack	crime_win32_hvnc_zloader1_hvnc_generic	Detects Zloader hidden VNC	@VK_Intel
0.2.5U5ouw7ryf.exe.1a6000.1.raw.unpack	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
0.2.5U5ouw7ryf.exe.1a6000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.5U5ouw7ryf.exe.1a6000.1.raw.unpack	crime_win32_hvnc_zloader1_hvnc_generic	Detects Zloader hidden VNC	@VK_Intel
0.0.5U5ouw7ryf.exe.1a0000.0.unpack	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
0.0.5U5ouw7ryf.exe.1a0000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.5U5ouw7ryf.exe.1a0000.0.unpack	JoeSecurity_ramnitvncmodule	Yara detected Ramnit VNC Module	Joe Security
0.2.5U5ouw7ryf.exe.1a0000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 32 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k, CommandLine: C:\Windows\system32\svchost.exe -k, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\5U5ouw7ryf.exe", ParentImage: C:\Users\user\Desktop\5U5ouw7ryf.exe, ParentProcessId: 7260, ParentProcessName: 5U5ouw7ryf.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k, ProcessId: 7292, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k, CommandLine: C:\Windows\system32\svchost.exe -k, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\5U5ouw7ryf.exe", ParentImage: C:\Users\user\Desktop\5U5ouw7ryf.exe, ParentProcessId: 7260, ParentProcessName: 5U5ouw7ryf.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k, ProcessId: 7292, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 5U5ouw7ryf.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 5U5ouw7ryf.exe

ReversingLabs: Detection: 86%

Machine Learning detection for sample

Source: 5U5ouw7ryf.exe

Joe Sandbox ML: detected

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_000CB764 CryptQueryObject,GetLastError,CryptMsgGetParam,CryptMsgGetParam,GetLastError,CertFindCertificateInStore,GetLastError,lstrcmpA,CryptDecodeObject,GetLastError,CryptDecodeObject,GetLastError,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,

2_2_000CB764

Source: 5U5ouw7ryf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5U5ouw7ryf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: ntdll.pdb source: 5U5ouw7ryf.exe, 00000000.00000003.1386169269.0000000003320000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: 5U5ouw7ryf.exe, 00000000.00000003.1386169269.0000000003320000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000D73C8 lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,FindFirstFileW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,SetLastError,FindNextFileW,FindClose,SetLastError,	2_2_000D73C8
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000E0C40 lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,DeleteFileW,FindNextFileW,FindClose,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW,	2_2_000E0C40
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000E0E4C lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrlenW,HeapAlloc,lstrcpyW,CreateDirectoryW,GetLastError,FindFirstFileW,GetLastError,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,HeapFree,	2_2_000E0E4C

Source: global traffic

TCP traffic: 192.168.2.9:49707 -> 141.11.93.195:1081

Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: unknown	TCP traffic detected without corresponding DNS query: 141.11.93.195

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_000CBE18 socket,connect,setsockopt,send,recv,shutdown,closesocket,HeapFree,

2_2_000CBE18

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_000E4998 GetWindowLongPtrA,SendNotifyMessageA,GetClipboardOwner,OpenClipboard,GetClipboardData,GlobalLock,lstrlenA,lstrlenA,HeapAlloc,lstrlenA,lstrlenA,HeapFree,GlobalUnlock,CloseClipboard,SendNotifyMessageA,SetWindowLongPtrA,DefWindowProcA,

2_2_000E4998

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_000E4BD4 IsIconic,GetLastActivePopup,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

2_2_000E4BD4

Source: C:\Windows\System32\svchost.exe

2_2_000E4998

Source: Yara match	File source: 5U5ouw7ryf.exe, type: SAMPLE
Source: Yara match	File source: 2.2.svchost.exe.10cc50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.5U5ouw7ryf.exe.1a6000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5U5ouw7ryf.exe.1a6000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.147c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5U5ouw7ryf.exe.1e1000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.5U5ouw7ryf.exe.1e1000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.5U5ouw7ryf.exe.1e1000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5U5ouw7ryf.exe.1e1000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.147c50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.5U5ouw7ryf.exe.1a6000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.10cc50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5U5ouw7ryf.exe.1a6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.5U5ouw7ryf.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5U5ouw7ryf.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5U5ouw7ryf.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7292, type: MEMORYSTR

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_000DE68C CreateDesktopA,GetLastError,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,lstrcpyA,CloseDesktop,

2_2_000DE68C

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.147c50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 0.0.5U5ouw7ryf.exe.1e1000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 2.2.svchost.exe.c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 0.2.5U5ouw7ryf.exe.1e1000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 0.0.5U5ouw7ryf.exe.1a6000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 2.2.svchost.exe.10cc50.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 0.2.5U5ouw7ryf.exe.1a6000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Zloader hidden VNC Author: @VK_Intel

Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001A321E NtWow64QueryInformationProcess64,GetModuleHandleW,GetProcAddress,NtWow64QueryInformationProcess64,	0_2_001A321E
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001A2612 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose,	0_2_001A2612
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001A2849 NtMapViewOfSection,RtlNtStatusToDosError,	0_2_001A2849
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001A3268 NtWow64ReadVirtualMemory64,GetModuleHandleW,GetProcAddress,NtWow64ReadVirtualMemory64,	0_2_001A3268
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001A2883 NtUnmapViewOfSection,RtlNtStatusToDosError,	0_2_001A2883
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001A35A8 GetModuleHandleW,GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,LocalFree,LocalFree,	0_2_001A35A8
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001A2F6C memset,VirtualAllocEx,NtGetContextThread,memcpy,WriteProcessMemory,NtSetContextThread,ResumeThread,Sleep,SuspendThread,GetLastError,	0_2_001A2F6C
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001A126D NtQueryVirtualMemory,	0_2_001A126D
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001A2BC1 memset,ZwQueryInformationProcess,ReadProcessMemory,	0_2_001A2BC1
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000C5048 ZwQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,StrRChrA,	2_2_000C5048
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000C4868 ZwQueryInformationProcess,ReadProcessMemory,	2_2_000C4868
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000E39CC GetSystemTimes,NtQuerySystemInformation,	2_2_000E39CC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000E1294 GetProcessId,lstrlenW,HeapAlloc,HeapFree,HeapAlloc,NtQuerySystemInformation,GetCurrentProcess,DuplicateHandle,NtQueryObject,HeapFree,HeapAlloc,HeapFree,HeapAlloc,NtQueryObject,RtlInitUnicodeString,RtlEqualUnicodeString,NtQueryInformationFile,NtQueryInformationFile,HeapAlloc,CloseHandle,HeapFree,HeapFree,HeapFree,	2_2_000E1294
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000C52A4 NtResumeProcess,RtlNtStatusToDosError,	2_2_000C52A4
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000C52BC NtSuspendProcess,RtlNtStatusToDosError,	2_2_000C52BC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000ED324 ZwQueryKey,ZwQueryKey,	2_2_000ED324
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000C3448 NtCreateSection,RtlNtStatusToDosError,ZwClose,	2_2_000C3448
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000C4CE0 VirtualAllocEx,NtGetContextThread,WriteProcessMemory,NtSetContextThread,ResumeThread,Sleep,SuspendThread,GetLastError,	2_2_000C4CE0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000E3D74 InitializeCriticalSection,GetModuleHandleW,GetProcAddress,GetSystemTimes,NtQuerySystemInformation,HeapAlloc,GetTickCount,	2_2_000E3D74
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000C4644 ZwQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,	2_2_000C4644
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000C36AC NtMapViewOfSection,RtlNtStatusToDosError,	2_2_000C36AC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000C36FC NtUnmapViewOfSection,RtlNtStatusToDosError,	2_2_000C36FC

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_000DBF94 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,GetLastError,CloseHandle,GetKeyState,ExitWindowsEx,

2_2_000DBF94

Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001A104C	0_2_001A104C
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001CA022	0_2_001CA022
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001AE86C	0_2_001AE86C
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001AF178	0_2_001AF178
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001CB9DC	0_2_001CB9DC
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001AF9E2	0_2_001AF9E2
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001C9AB0	0_2_001C9AB0
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001C8C3A	0_2_001C8C3A
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001AED60	0_2_001AED60
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001CA594	0_2_001CA594
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001AF5AD	0_2_001AF5AD
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001AE710	0_2_001AE710
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001CC72C	0_2_001CC72C
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001CD7A5	0_2_001CD7A5
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000D970C	2_2_000D970C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000C8804	2_2_000C8804
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000DA82C	2_2_000DA82C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000E187C	2_2_000E187C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000CC114	2_2_000CC114
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000EC110	2_2_000EC110
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000DF968	2_2_000DF968
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000E0974	2_2_000E0974
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000E7200	2_2_000E7200
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000EAA60	2_2_000EAA60
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000DC288	2_2_000DC288
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000E1294	2_2_000E1294
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000EB368	2_2_000EB368
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000C3C70	2_2_000C3C70
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000ED4CC	2_2_000ED4CC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000C94F8	2_2_000C94F8
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000D751C	2_2_000D751C
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000DED60	2_2_000DED60
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000D9DA8	2_2_000D9DA8
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000E3E60	2_2_000E3E60
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000EB718	2_2_000EB718
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000EC748	2_2_000EC748
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000EDF84	2_2_000EDF84
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000C8FA0	2_2_000C8FA0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000E8FB0	2_2_000E8FB0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000D77FC	2_2_000D77FC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0012F88A	2_2_0012F88A
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_001159B0	2_2_001159B0
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_001311E4	2_2_001311E4
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00115360	2_2_00115360
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_001343F5	2_2_001343F5
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_001154BB	2_2_001154BB
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_001154BC	2_2_001154BC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_00115DC8	2_2_00115DC8
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0013262C	2_2_0013262C

Source: 5U5ouw7ryf.exe, 00000000.00000003.1392327141.00000000033D6000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamentdll.dllj% vs 5U5ouw7ryf.exe

Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior

Source: 5U5ouw7ryf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.svchost.exe.147c50.2.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 0.0.5U5ouw7ryf.exe.1e1000.1.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 2.2.svchost.exe.c0000.0.unpack, type: UNPACKEDPE	Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 0.2.5U5ouw7ryf.exe.1e1000.2.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 0.0.5U5ouw7ryf.exe.1a6000.2.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 2.2.svchost.exe.10cc50.1.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 0.2.5U5ouw7ryf.exe.1a6000.1.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352

Source: classification engine

Classification label: mal96.troj.evad.winEXE@3/0@0/1

Source: C:\Windows\System32\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\{41435A30-AC43-1BEB-BE05-A07FD209D423}

Source: 5U5ouw7ryf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\5U5ouw7ryf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5U5ouw7ryf.exe

ReversingLabs: Detection: 86%

Source: unknown	Process created: C:\Users\user\Desktop\5U5ouw7ryf.exe "C:\Users\user\Desktop\5U5ouw7ryf.exe"
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k	Jump to behavior

Source: 5U5ouw7ryf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: ntdll.pdb source: 5U5ouw7ryf.exe, 00000000.00000003.1386169269.0000000003320000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: 5U5ouw7ryf.exe, 00000000.00000003.1386169269.0000000003320000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_000D9004 EnterCriticalSection,LeaveCriticalSection,GetModuleHandleW,LoadLibraryW,GetProcAddress,FreeLibrary,

2_2_000D9004

Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001A103B push ecx; ret	0_2_001A104B
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001C7BF5 push ecx; ret	0_2_001C7C08
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Code function: 0_2_001AE6FB push ecx; ret	0_2_001AE70B
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0012E845 push ecx; ret	2_2_0012E858
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_0011534B push ecx; ret	2_2_0011535B

Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000E30CC IsIconic,	2_2_000E30CC
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000E2308 IsIconic,GetLastActivePopup,	2_2_000E2308
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000E4BD4 IsIconic,GetLastActivePopup,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,	2_2_000E4BD4
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000DDC68 IsIconic,GetWindow,GetWindow,	2_2_000DDC68
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000DC5CC GetWindowLongPtrA,IsIconic,	2_2_000DC5CC

Source: C:\Windows\System32\svchost.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_2-32085

Source: C:\Windows\System32\svchost.exe

API coverage: 2.1 %

Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000D73C8 lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,FindFirstFileW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,SetLastError,FindNextFileW,FindClose,SetLastError,	2_2_000D73C8
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000E0C40 lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,DeleteFileW,FindNextFileW,FindClose,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW,	2_2_000E0C40
Source: C:\Windows\System32\svchost.exe	Code function: 2_2_000E0E4C lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrlenW,HeapAlloc,lstrcpyW,CreateDirectoryW,GetLastError,FindFirstFileW,GetLastError,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,HeapFree,	2_2_000E0E4C

Source: svchost.exe, 00000002.00000002.2631935382.000001E8CD220000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_0010C001 LdrLoadDll,

2_2_0010C001

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_000E5448 __crtCaptureCurrentContext,IsDebuggerPresent,__crtUnhandledException,

2_2_000E5448

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_000E8618 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

2_2_000E8618

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_000D9004 EnterCriticalSection,LeaveCriticalSection,GetModuleHandleW,LoadLibraryW,GetProcAddress,FreeLibrary,

2_2_000D9004

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_000E6EB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_000E6EB4

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\5U5ouw7ryf.exe

Memory allocated: C:\Windows\System32\svchost.exe base: 190000 protect: page execute and read and write

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\5U5ouw7ryf.exe

Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: execute and read and write

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\5U5ouw7ryf.exe

Thread register set: target process: 7292

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Memory written: C:\Windows\System32\svchost.exe base: 7FF77AFE5080	Jump to behavior
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Memory written: C:\Windows\System32\svchost.exe base: 190000	Jump to behavior
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe	Memory written: C:\Windows\System32\svchost.exe base: 7FF77AFE5080	Jump to behavior

Source: C:\Users\user\Desktop\5U5ouw7ryf.exe

Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k

Jump to behavior

Source: 5U5ouw7ryf.exe	Binary or memory string: Program Manager
Source: 5U5ouw7ryf.exe	Binary or memory string: GetProgmanWindow
Source: 5U5ouw7ryf.exe	Binary or memory string: Shell_TrayWnd
Source: 5U5ouw7ryf.exe	Binary or memory string: Progman
Source: 5U5ouw7ryf.exe	Binary or memory string: explorerframe.dllshell32.dllexplorer.exewindows.immersiveshell.serviceprovider.dlltwinui.dllwpncore.dllauthui.dllpnidui.dllhgcpl.dllBINotifiedNewSessionEventStartMenuCacheFileReorderShellReadyEventShellDesktopSwitchEventole32.dllCoCreateInstanceCoCreateInstanceExCoGetClassObjectCoRegisterClassObjectcombase.dlluser32.dllSetImmersiveBackgroundWindowAcquireIAMKeyEnableIAMAccessEnableIAMAccessWin80MsgWaitForMultipleObjectsExKernelBase.dllCloseHandleCreateEventWCreateEventACreateEventExWCreateEventExAOpenEventWOpenEventAwindows.immersiveshell.serviceprovider.dllDefWindowProcWDefWindowProcADefDlgProcWDefDlgProcADefFrameProcWDefFrameProcADefMDIChildProcWDefMDIChildProcACallWindowProcWCallWindowProcAGetMessageWGetMessageAPeekMessageWPeekMessageATranslateMessageGetCursorPosd3d10_1.dllSetCursorPosd3d10_1core.dlld3d10.dlld3d10core.dlld2d1.dllGetMessagePosOPENGL32.dlld3d9.dlld3d11.dllDxtrans.dllSetCaptureFlash6.ocxReleaseCaptureGetCaptureCreateDesktopACreateDesktopWCreateDesktopExACreateDesktopExWOpenDesktopAOpenDesktopWOpenInputDesktopSwitchDesktopSetThreadDesktopGetUserObjectInformationAGetUserObjectInformationWFlashWindowExFlashWindowGetCaretBlinkTimeTrackPopupMenuExSetShellWindowSetShellWindowExGetShellWindowSetTaskmanWindowGetTaskmanWindowSetProgmanWindowGetProgmanWindowSystemParametersInfoWSystemParametersInfoAgdi32.dllSetDIBitsToDeviceBitBltWinmm.dllPlaySoundAPlaySoundWsndPlaySoundAsndPlaySoundWBeepMessageBeepwaveOutOpendsound.dllDirectSoundCreateDirectSoundCaptureCreateDirectSoundFullDuplexCreate8DirectSoundFullDuplexCreateDirectSoundCreate8DirectSoundCaptureCreate8LoadLibraryWLoadLibraryExALoadLibraryExWGetProcAddressRegQueryValueExWRegGetValueWntdll.dllZwRaiseHardErrorNtRaiseHardErrorZwConnectPortNtConnectPortShell32.dllSHRestrictedSHGetSetSettingsUxTheme.dllSetThemeAppPropertiesCreateDXGIFactory1D3D10CreateDevice1Direct3DCreate9Direct3DCreate9Ex\ThemeApiPortRtlSetUnhandledExceptionFilterMessageBoxTimeoutAuser32Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32Shell_TrayWndNotifyIconOverflowWindow/0#32770MSTaskSwWClassTrayNotifyWndtaskmgrversion.dllGetFileVersionInfoSizeWGetFileVersionInfoW1.3.6.1.4.1.311.2.1.12rY
Source: 5U5ouw7ryf.exe	Binary or memory string: explorerframe.dllshell32.dllexplorer.exewindows.immersiveshell.serviceprovider.dlltwinui.dllwpncore.dllauthui.dllpnidui.dllhgcpl.dllBINotifiedNewSessionEventStartMenuCacheFileReorderShellReadyEventShellDesktopSwitchEventwindows.immersiveshell.serviceprovider.dllFlash6.ocxReleaseCaptureGetCaptureCreateDesktopACreateDesktopWCreateDesktopExACreateDesktopExWOpenDesktopAOpenDesktopWOpenInputDesktopSwitchDesktopSetThreadDesktopGetUserObjectInformationAGetUserObjectInformationWFlashWindowExFlashWindowGetCaretBlinkTimeTrackPopupMenuExSetShellWindowSetShellWindowExGetShellWindowSetTaskmanWindowGetTaskmanWindowSetProgmanWindowGetProgmanWindowSystemParametersInfoWSystemParametersInfoAgdi32.dllSetDIBitsToDeviceBitBltWinmm.dllPlaySoundAPlaySoundWsndPlaySoundAsndPlaySoundWBeepMessageBeepwaveOutOpendsound.dllDirectSoundCreateDirectSoundCaptureCreateDirectSoundFullDuplexCreate8DirectSoundFullDuplexCreateDirectSoundCreate8DirectSoundCaptureCreate8LoadLibraryWLoadLibraryExALoadLibraryExWGetProcAddressRegQueryValueExWRegGetValueWntdll.dllZwRaiseHardErrorNtRaiseHardErrorZwConnectPortNtConnectPortShell32.dllSHRestrictedSHGetSetSettingsUxTheme.dllSetThemeAppPropertiesDefWindowProcWDefWindowProcADefDlgProcWDefDlgProcADefFrameProcWDefFrameProcADefMDIChildProcWDefMDIChildProcACallWindowProcWCallWindowProcAGetMessageWGetMessageAPeekMessageWPeekMessageATranslateMessageGetCursorPosd3d10_1.dllSetCursorPosd3d10_1core.dlld3d10.dlld3d10core.dlld2d1.dllGetMessagePosOPENGL32.dlld3d9.dlld3d11.dllDxtrans.dllSetCaptureCreateDXGIFactory1D3D10CreateDevice1Direct3DCreate9Direct3DCreate9Ex\ThemeApiPortRtlSetUnhandledExceptionFilterMessageBoxTimeoutAuser32Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32Shell_TrayWndNotifyIconOverflowWindow/0#32770MSTaskSwWClassTrayNotifyWndtaskmgr0
Source: 5U5ouw7ryf.exe	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\Desktop\5U5ouw7ryf.exe

Code function: 0_2_001C15C8 cpuid

0_2_001C15C8

Source: C:\Windows\System32\svchost.exe

Code function: GetWindowRect,GetWindowRect,GetWindowRect,RedrawWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetLocaleInfoW,CharUpperBuffW,RedrawWindow,

2_2_000E4364

Source: C:\Windows\System32\svchost.exe

Code function: 2_2_000E39CC GetSystemTimes,NtQuerySystemInformation,

2_2_000E39CC

Source: C:\Users\user\Desktop\5U5ouw7ryf.exe

Code function: 0_2_001A289B GetModuleHandleA,GetVersion,GetCurrentProcessId,StrRChrA,CreateEventA,GetLastError,

0_2_001A289B

Stealing of Sensitive Information

Yara detected Ramnit VNC Module

Source: Yara match	File source: 5U5ouw7ryf.exe, type: SAMPLE
Source: Yara match	File source: 2.2.svchost.exe.10cc50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.5U5ouw7ryf.exe.1a6000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5U5ouw7ryf.exe.1a6000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.147c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5U5ouw7ryf.exe.1e1000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.5U5ouw7ryf.exe.1e1000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.5U5ouw7ryf.exe.1e1000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5U5ouw7ryf.exe.1e1000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.147c50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.5U5ouw7ryf.exe.1a6000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.10cc50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5U5ouw7ryf.exe.1a6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.5U5ouw7ryf.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5U5ouw7ryf.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5U5ouw7ryf.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7292, type: MEMORYSTR

Remote Access Functionality

Yara detected Ramnit VNC Module

Source: Yara match	File source: 5U5ouw7ryf.exe, type: SAMPLE
Source: Yara match	File source: 2.2.svchost.exe.10cc50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.5U5ouw7ryf.exe.1a6000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5U5ouw7ryf.exe.1a6000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.147c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5U5ouw7ryf.exe.1e1000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.5U5ouw7ryf.exe.1e1000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.5U5ouw7ryf.exe.1e1000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5U5ouw7ryf.exe.1e1000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.147c50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.5U5ouw7ryf.exe.1a6000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.10cc50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5U5ouw7ryf.exe.1a6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.5U5ouw7ryf.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5U5ouw7ryf.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5U5ouw7ryf.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7292, type: MEMORYSTR

Contains VNC / remote desktop functionality (version string found)

Source: 5U5ouw7ryf.exe	String found in binary or memory: RFB 003.008
Source: 5U5ouw7ryf.exe, 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: RFB 003.008
Source: 5U5ouw7ryf.exe, 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: RFB 003.008
Source: svchost.exe	String found in binary or memory: RFB 003.008
Source: svchost.exe	String found in binary or memory: RFB 003.008
Source: svchost.exe, 00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: RFB 003.008
Source: svchost.exe, 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmp	String found in binary or memory: RFB 003.008
Source: 5U5ouw7ryf.exe	String found in binary or memory: RFB 003.008

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Create Account	412 Process Injection	412 Process Injection	OS Credential Dumping	1 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Obfuscated Files or Information	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	3 Clipboard Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
5U5ouw7ryf.exe	87%	ReversingLabs	Win32.Trojan.ExplorerHijack
5U5ouw7ryf.exe	100%	Avira	TR/Hijacker.Gen
5U5ouw7ryf.exe	100%	Joe Sandbox ML

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.11.93.195	unknown	United Kingdom		3215	FranceTelecom-OrangeFR	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1416007
Start date and time:	2024-03-26 18:22:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5U5ouw7ryf.exe renamed because original name is a hash value
Original Sample Name:	41b5953e5d8016a817f4f793f7eb708c.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@3/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 30 Number of non-executed functions: 224
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 5U5ouw7ryf.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FranceTelecom-OrangeFR	mo68mtK9Ap.elf	Get hash	malicious	Moobot	Browse	90.116.169.108
	bfpRfi6WQB.elf	Get hash	malicious	Mirai, Moobot	Browse	90.73.222.26
	97zyqEu4Nh.elf	Get hash	malicious	Moobot	Browse	92.137.157.184
	3LzfDqJag5.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	2.2.2.2
	eDqAMUwIIi.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	2.2.2.2
	CGoyUyeqeg.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	2.2.2.2
	ENjd76BBjH.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	2.2.2.2
	SecuriteInfo.com.Win32.TrojanX-gen.9596.22784.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	2.2.2.2
	bot.arm7-20240324-1846.elf	Get hash	malicious	Mirai, Moobot	Browse	194.2.224.18
	bot.mpsl-20240324-1846.elf	Get hash	malicious	Mirai, Moobot	Browse	92.139.161.173

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.427428766359845
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	5U5ouw7ryf.exe
File size:	549'888 bytes
MD5:	41b5953e5d8016a817f4f793f7eb708c
SHA1:	c8f1fc586c61c93b9cb2d9ab3401ac548e3d10e7
SHA256:	636f2b1624573965b7fc093117d8927ebffdbc0d852c241aede59fe81fece84f
SHA512:	dbf7530d1485c8a48bca3783c202c55a9f226219a5afd632c176e0622c53263b7882035d3651d33bf1dcbd552a4a87afbebbaf707aadc4c8b7eeab923fc26919
SSDEEP:	6144:ScBUcxlczk0VXhumbeBJ1UW04tWu1lTWVwzYGK8zm4vK3JQErTw6f:xxlMVXhFbsVEujTWG8GTzqrTw6f
TLSH:	AEC4AE11B3D40C72E9AB467885A35B06E7FABC121674DB4F53909E9A1F33342BB29353
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(2.OlS..lS..lS......dS..lS...S...\..oS...\..mS...\..oS..I$..mS..I$<.eS..I$..mS..RichlS..........................PE..L....c&e...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x401640
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x652663CA [Wed Oct 11 08:58:50 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	faf16be05abc0234db15c73412fc4a90

Entrypoint Preview

Instruction
call 00007F1878B5BA20h
xor eax, eax
ret
push ebp
mov ebp, esp
push esi
xor eax, eax
push edi
mov edi, 0048798Ch
inc eax
lock xadd dword ptr [edi], eax
push dword ptr [ebp+2Ch]
mov eax, dword ptr [004878F0h]
push dword ptr [ebp+28h]
push dword ptr [ebp+24h]
push dword ptr [ebp+20h]
test eax, eax
je 00007F1878B5BBCAh
push dword ptr [ebp+1Ch]
push dword ptr [ebp+18h]
push dword ptr [ebp+14h]
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call eax
mov esi, eax
jmp 00007F1878B5BBE4h
mov eax, dword ptr [ebp+1Ch]
or eax, 04h
push eax
push dword ptr [ebp+18h]
push dword ptr [ebp+14h]
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call dword ptr [00487418h]
mov esi, eax
test esi, esi
je 00007F1878B5BBC2h
push 00000001h
push dword ptr [ebp+1Ch]
push dword ptr [ebp+2Ch]
call 00007F1878B5BE05h
add esp, 0Ch
or eax, FFFFFFFFh
lock xadd dword ptr [edi], eax
pop edi
mov eax, esi
pop esi
pop ebp
retn 0028h
push ebp
mov ebp, esp
push esi
xor eax, eax
push edi
mov edi, 0048798Ch
inc eax
lock xadd dword ptr [edi], eax
push dword ptr [ebp+2Ch]
mov eax, dword ptr [004878ECh]
push dword ptr [ebp+28h]
push dword ptr [ebp+24h]
push dword ptr [ebp+20h]
test eax, eax
je 00007F1878B5BBCAh
push dword ptr [ebp+1Ch]
push dword ptr [ebp+18h]
push dword ptr [ebp+14h]
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call eax
mov esi, eax
jmp 00007F1878B5BBE4h
mov eax, dword ptr [ebp+1Ch]

Rich Headers

Programming Language:

[ASM] VS2013 UPD2 build 30501
[ C ] VS2013 UPD2 build 30501
[LNK] VS2013 UPD2 build 30501

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x538c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x88000	0x368	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5000	0xf4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3652	0x3800	1205753b19af7115c73271ac518e9651	False	0.6178152901785714	data	6.323010929191531	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5000	0x8e6	0xa00	1a5390658faf6ec5dfbfba52dad2f874	False	0.4125	data	4.657177116851479	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6000	0x81a40	0x81a00	cee8b2f47d0a537cd5fbb7a6f06b1c2f	False	0.47575638862102215	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	6.425881869977691	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x88000	0x368	0x400	d7173a080d432fd35ae6cde1d21653d6	False	0.802734375	data	6.017266907398042	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ntdll.dll	NtQueryVirtualMemory, RtlUnwind, NtSetContextThread, NtGetContextThread, ZwQueryInformationProcess, RtlNtStatusToDosError, ZwClose, NtUnmapViewOfSection, NtMapViewOfSection, NtCreateSection, memcpy, memset
SHLWAPI.dll	StrChrA, StrRChrA, PathCombineW
PSAPI.DLL	EnumProcessModules
KERNEL32.dll	GetThreadContext, GetFileSize, LoadLibraryA, FreeLibrary, lstrcmpA, LeaveCriticalSection, EnterCriticalSection, VirtualProtect, CreateFileA, GetModuleFileNameA, lstrlenA, lstrcatA, lstrcpyA, lstrcmpiA, SetFilePointer, GetCurrentProcess, VirtualAllocEx, CloseHandle, CreateProcessW, GetModuleHandleA, LocalAlloc, LocalFree, GetLastError, Sleep, GetCurrentProcessId, SwitchToThread, SuspendThread, ResumeThread, VirtualFree, OpenProcess, VirtualProtectEx, ReadProcessMemory, WriteProcessMemory, GetModuleHandleW, GetVersion, CreateEventA, GetProcAddress, VirtualAlloc, ReadFile
SHELL32.dll	SHGetFolderPathW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 26, 2024 18:23:12.971007109 CET	49707	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:23:13.982316971 CET	49707	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:23:15.982395887 CET	49707	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:23:19.982309103 CET	49707	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:23:27.982348919 CET	49707	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:23:38.982863903 CET	49712	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:23:39.982422113 CET	49712	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:23:41.998013973 CET	49712	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:23:45.998042107 CET	49712	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:23:53.998135090 CET	49712	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:24:05.014147043 CET	49713	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:24:06.029361963 CET	49713	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:24:08.029396057 CET	49713	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:24:12.029412031 CET	49713	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:24:20.029484034 CET	49713	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:24:31.045516968 CET	49715	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:24:32.045090914 CET	49715	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:24:34.060765028 CET	49715	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:24:38.076368093 CET	49715	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:24:46.076436043 CET	49715	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:24:57.092478991 CET	49718	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:24:58.107673883 CET	49718	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:25:00.107698917 CET	49718	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:25:04.107755899 CET	49718	1081	192.168.2.9	141.11.93.195
Mar 26, 2024 18:25:12.107723951 CET	49718	1081	192.168.2.9	141.11.93.195

Target ID:	0
Start time:	15:23:09
Start date:	26/03/2024
Path:	C:\Users\user\Desktop\5U5ouw7ryf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\5U5ouw7ryf.exe"
Imagebase:	0x1a0000
File size:	549'888 bytes
MD5 hash:	41B5953E5D8016A817F4F793F7EB708C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: crime_win32_hvnc_zloader1_hvnc_generic, Description: Detects Zloader hidden VNC, Source: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Author: @VK_Intel Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: crime_win32_hvnc_zloader1_hvnc_generic, Description: Detects Zloader hidden VNC, Source: 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Author: @VK_Intel
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:23:09
Start date:	26/03/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.3%
Total number of Nodes:	236
Total number of Limit Nodes:	13

Executed Functions

Function 001A35A8 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 193
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(NTDLL.DLL,00000000,00000002,00000000,NTDLL.DLL,?,?,?,001A2AFF,?,?,?,?,001A5350,00000028,001A3321), ref: 001A35BC
GetProcAddress.KERNEL32(00000000,ZwWow64QueryInformationProcess64), ref: 001A35C8
NtWow64QueryInformationProcess64.NTDLL(00000008,00000000,00000030,00000030,00000008,?,?,?,001A2AFF,?,?,?,?,001A5350,00000028,001A3321), ref: 001A35E4

Part of subcall function 001A1490: LocalAlloc.KERNEL32(00000000,?,001A2A74,00000104,00000000,00000000,001A14C8,00000000,?,001A2928,00000000,00227950,?,?,?,001A14C8), ref: 001A1496

StrRChrA.KERNELBASE(00000020,00000000,0000005C), ref: 001A3776
LocalFree.KERNEL32(?,00000100,00000000,00000200,?,?,?,001A2AFF,?,?,?,?,001A5350,00000028,001A3321,00000000), ref: 001A37C7
LocalFree.KERNEL32(00000000,?,00000100,00000000,00000200,?,?,?,001A2AFF,?,?,?,?,001A5350,00000028,001A3321), ref: 001A37D1

Part of subcall function 001A3268: GetModuleHandleW.KERNEL32(NTDLL.DLL,ZwWow64ReadVirtualMemory64,00000000,?,?,?,001A362A,00000008,?,00000000,00000028,00000100,00000000,00000200), ref: 001A328C
Part of subcall function 001A3268: GetProcAddress.KERNEL32(00000000), ref: 001A3293
Part of subcall function 001A3268: NtWow64ReadVirtualMemory64.NTDLL(00000028,00000000,?,?,00000008,00000000,00000028,00000000,?,?,?,001A362A,00000008,?,00000000,00000028), ref: 001A32BB

Strings

NTDLL.DLL, xrefs: 001A35B2
ZwWow64QueryInformationProcess64, xrefs: 001A35C2

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: Local$AddressFreeHandleModuleProcWow64$AllocInformationMemory64Process64QueryReadVirtual
String ID: NTDLL.DLL$ZwWow64QueryInformationProcess64
API String ID: 3048855126-3633144524
Opcode ID: 45fa7f2dc942e67503746c73337e60396e22c868be055e8b9c38f876facd5fd8
Instruction ID: ce3266d118c9d6f408a35bb7c21eac66fbc2364fb68b042bc35766fea9d09f69
Opcode Fuzzy Hash: 45fa7f2dc942e67503746c73337e60396e22c868be055e8b9c38f876facd5fd8
Instruction Fuzzy Hash: 797150B9E00609AFDB15DFA9C880AAEB7F5FF49300F144569F959E7241D730EA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A3417 Relevance: 12.1, APIs: 8, Instructions: 133
threadsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 001A344E

Part of subcall function 001A32E9: GetCurrentProcessId.KERNEL32(00000008,?,00000000,001A3458,?,00000000,000004C8,00000008,00000000), ref: 001A32FB
Part of subcall function 001A32E9: OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,001A3458,?,00000000,000004C8,00000008,00000000), ref: 001A3308
Part of subcall function 001A32E9: FindCloseChangeNotification.KERNELBASE(00000000,000004C8,00000008,00000000), ref: 001A3357

memcpy.NTDLL(?,001A3871,00000100,?,00000000,000004C8,00000008,00000000), ref: 001A3479
VirtualAllocEx.KERNELBASE(?,00000000,00000318,00003000,00000040,?,?,?,?,00000008,00000000), ref: 001A3493
WriteProcessMemory.KERNELBASE(?,?,?,00000318,?), ref: 001A3523
ResumeThread.KERNELBASE(?), ref: 001A3579
Sleep.KERNELBASE(000001F4), ref: 001A3584
Wow64SuspendThread.KERNEL32(?), ref: 001A358D
GetLastError.KERNEL32(?,?,?,?,00000008,00000000), ref: 001A3595

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: Process$Thread$AllocChangeCloseCurrentErrorFindLastMemoryNotificationOpenResumeSleepSuspendVirtualWow64Writememcpymemset
String ID:
API String ID: 2216870587-0
Opcode ID: e4dd19ac68c92fa0dc1c11f96c3feaf249af599ab2f2e44c724cbf523e4b80b5
Instruction ID: d799b9923b0df2502a516665edbaa17b9cd12023de1a6e3943f9e2e56a4b0814
Opcode Fuzzy Hash: e4dd19ac68c92fa0dc1c11f96c3feaf249af599ab2f2e44c724cbf523e4b80b5
Instruction Fuzzy Hash: 634180B5A40615AFDB11CF58CC45F9AFBB9FF0A710F1081A5F918E7251D770AA90CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A289B Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,001A14C8,00000000), ref: 001A28AE
GetVersion.KERNEL32(?,?,?,001A14C8,00000000), ref: 001A28C1
GetCurrentProcessId.KERNEL32(?,?,?,001A14C8,00000000), ref: 001A28D1
StrRChrA.SHLWAPI(00000000,0000005C,?,?,?,001A14C8,00000000), ref: 001A293D
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001A14C8,00000000), ref: 001A2953
GetLastError.KERNEL32(?,?,?,001A14C8,00000000), ref: 001A2962

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: CreateCurrentErrorEventHandleLastModuleProcessVersion
String ID:
API String ID: 3503360540-0
Opcode ID: 4ab28046b79f2df9ede7141521b6cc6841e81b64a5e12e33025b956b1cd681c8
Instruction ID: 26b229ef21ea7506d92988d9b67c11b5609cca97f629495267bca6642948196f
Opcode Fuzzy Hash: 4ab28046b79f2df9ede7141521b6cc6841e81b64a5e12e33025b956b1cd681c8
Instruction Fuzzy Hash: 8C21D13950E732AFD3351BADFC0DB667BA4AB43B65F041125F905E22A1DB3088C1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A3268 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(NTDLL.DLL,ZwWow64ReadVirtualMemory64,00000000,?,?,?,001A362A,00000008,?,00000000,00000028,00000100,00000000,00000200), ref: 001A328C
GetProcAddress.KERNEL32(00000000), ref: 001A3293
NtWow64ReadVirtualMemory64.NTDLL(00000028,00000000,?,?,00000008,00000000,00000028,00000000,?,?,?,001A362A,00000008,?,00000000,00000028), ref: 001A32BB

Strings

NTDLL.DLL, xrefs: 001A3287
ZwWow64ReadVirtualMemory64, xrefs: 001A3282

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: AddressHandleMemory64ModuleProcReadVirtualWow64
String ID: NTDLL.DLL$ZwWow64ReadVirtualMemory64
API String ID: 148456037-3377366912
Opcode ID: 06130655a6ba732e6c52631c382d4d081527b39edb5d3cdbb6de0cef6507547c
Instruction ID: 5c75b7bea10eeec146376bec8c00fca2ecdb949ac75c250ba6fec9c89158d24a
Opcode Fuzzy Hash: 06130655a6ba732e6c52631c382d4d081527b39edb5d3cdbb6de0cef6507547c
Instruction Fuzzy Hash: E2F01239A05719BFCF158FE5DC18EAA7BA9EF0A311B004259F905E6620D77199508B90

Uniqueness

Uniqueness Score: -1.00%

Function 001A321E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(NTDLL.DLL,ZwWow64QueryInformationProcess64,00000000,?,001A2C58,?,00000000,?,00000030,?,?,00000000,00000027,00000000), ref: 001A323A
GetProcAddress.KERNEL32(00000000), ref: 001A3241
NtWow64QueryInformationProcess64.NTDLL(00000027,00000000,?,?,00000030,00000000,?,001A2C58,?,00000000,?,00000030,?,?,00000000,00000027), ref: 001A325F

Strings

NTDLL.DLL, xrefs: 001A3235
ZwWow64QueryInformationProcess64, xrefs: 001A3230

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: AddressHandleInformationModuleProcProcess64QueryWow64
String ID: NTDLL.DLL$ZwWow64QueryInformationProcess64
API String ID: 782493824-3633144524
Opcode ID: d9ede61a2357dc4bc1a285328e47386097764948beab22a24abc44b87a77666e
Instruction ID: 5ad6983aa684387e3d0cc2525c218f241a9a84130a4ae810512cbb6d797e8a50
Opcode Fuzzy Hash: d9ede61a2357dc4bc1a285328e47386097764948beab22a24abc44b87a77666e
Instruction Fuzzy Hash: 61E0ED36608615BFCF115FF8AD09B9A3BAABB49754B040021FA15D2121D771D9619B90

Uniqueness

Uniqueness Score: -1.00%

Function 001A2612 Relevance: 6.1, APIs: 4, Instructions: 80
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 001A2667
memset.NTDLL ref: 001A2692
RtlNtStatusToDosError.NTDLL ref: 001A26AE
ZwClose.NTDLL(00000000), ref: 001A26C2

Part of subcall function 001A2849: NtMapViewOfSection.NTDLL(000000FF,00000000,00000040,00000000,00000000,00000000,00000000,00000002,00000000,00000040), ref: 001A2872
Part of subcall function 001A2849: RtlNtStatusToDosError.NTDLL ref: 001A2879

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: ErrorSectionStatus$CloseCreateViewmemset
String ID:
API String ID: 783833395-0
Opcode ID: 174b003f82b5f67afc64a73c76c80edcb3bb7f845d79dd3068f6cb22a6fc3419
Instruction ID: c5eaab832c490c847edef27e004d55bd39e4f92a0c717eee6035a0937a422aa5
Opcode Fuzzy Hash: 174b003f82b5f67afc64a73c76c80edcb3bb7f845d79dd3068f6cb22a6fc3419
Instruction Fuzzy Hash: 8821FC75D01609AFDB11DFA9CD809EEBBB9EF09350F20016AED08E7250D7319E449B90

Uniqueness

Uniqueness Score: -1.00%

Function 001A2849 Relevance: 3.0, APIs: 2, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(000000FF,00000000,00000040,00000000,00000000,00000000,00000000,00000002,00000000,00000040), ref: 001A2872
RtlNtStatusToDosError.NTDLL ref: 001A2879

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: ErrorSectionStatusView
String ID:
API String ID: 1313840181-0
Opcode ID: 533bd04658221d8343a66a79f441b896506a19f32539b705901ad9850dffe881
Instruction ID: 58afa6cfb49cdbc7d2872542472119456594f4a9b29ab363f58273be4963c6a9
Opcode Fuzzy Hash: 533bd04658221d8343a66a79f441b896506a19f32539b705901ad9850dffe881
Instruction Fuzzy Hash: 4CE07DB590420CBFEF059F90DD0BDAEBB7DEB04300F10816ABD1556650E6B56A549B90

Uniqueness

Uniqueness Score: -1.00%

Function 001A2883 Relevance: 3.0, APIs: 2, Instructions: 9nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL(001A1D32,?), ref: 001A288C
RtlNtStatusToDosError.NTDLL ref: 001A2893

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: ErrorSectionStatusUnmapView
String ID:
API String ID: 507025375-0
Opcode ID: bea086cfd20b416f329d67da5a0dc743b31f11f82d4c1a2de36520c719e84238
Instruction ID: dc1fe7683ca0ca663f7864b06cf561ad3a884cce7da6b6cb68d3132913adbc18
Opcode Fuzzy Hash: bea086cfd20b416f329d67da5a0dc743b31f11f82d4c1a2de36520c719e84238
Instruction Fuzzy Hash: 97C04832008608FBCF012FA1EE0888D3F2EEB0A361B108010FA0989821CB7695A49BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A14B0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 116
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000003), ref: 001A14BC

Part of subcall function 001A289B: GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,001A14C8,00000000), ref: 001A28AE
Part of subcall function 001A289B: GetVersion.KERNEL32(?,?,?,001A14C8,00000000), ref: 001A28C1
Part of subcall function 001A289B: GetCurrentProcessId.KERNEL32(?,?,?,001A14C8,00000000), ref: 001A28D1
Part of subcall function 001A289B: StrRChrA.SHLWAPI(00000000,0000005C,?,?,?,001A14C8,00000000), ref: 001A293D
Part of subcall function 001A289B: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,001A14C8,00000000), ref: 001A2953
Part of subcall function 001A289B: GetLastError.KERNEL32(?,?,?,001A14C8,00000000), ref: 001A2962

memset.NTDLL ref: 001A1546
memset.NTDLL ref: 001A1563
SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 001A1578
memset.NTDLL ref: 001A1597
PathCombineW.SHLWAPI(?,?,svchost.exe -k), ref: 001A15B9
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000004,00000000,00000000,?,?), ref: 001A15E2
CloseHandle.KERNEL32(?), ref: 001A160A
CloseHandle.KERNEL32(?), ref: 001A1614

Strings

D, xrefs: 001A159F
svchost.exe -k, xrefs: 001A15AB
Pswu, xrefs: 001A15B9

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: Handle$memset$CloseCreateModulePathProcess$CombineCurrentErrorEventFolderLastVersion
String ID: D$Pswu$svchost.exe -k
API String ID: 2129906036-1442003292
Opcode ID: 63aea334e9d44cd709bd2a5b7c3a89f5a0f680deb6fbea0e67aa38051babf1e0
Instruction ID: 5044f4c1e9960d4c746c484cb5037870c27f234f993cffdd6646ce0fb8891540
Opcode Fuzzy Hash: 63aea334e9d44cd709bd2a5b7c3a89f5a0f680deb6fbea0e67aa38051babf1e0
Instruction Fuzzy Hash: DC4102B5A083407BE720DB60CC0AF9F77E9AFDA704F144929F798D6190EBB4D1488B56

Uniqueness

Uniqueness Score: -1.00%

Function 001A1905 Relevance: 15.1, APIs: 10, Instructions: 137
threadsleepinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 001A1926

Part of subcall function 001A3097: GetModuleHandleW.KERNEL32(KERNEL32.DLL,IsWow64Process,?,?,001A28EA,00001C5C,00000000,?,?,?,001A14C8,00000000), ref: 001A30B2
Part of subcall function 001A3097: GetProcAddress.KERNEL32(00000000), ref: 001A30B9
Part of subcall function 001A3097: OpenProcess.KERNEL32(00000400,00000000,00000000,00000000,00000000,?,?,001A28EA,00001C5C,00000000,?,?,?,001A14C8,00000000), ref: 001A30D9
Part of subcall function 001A3097: FindCloseChangeNotification.KERNELBASE(001A14C8,?,?,001A28EA,00001C5C,00000000,?,?,?,001A14C8,00000000), ref: 001A3102

ReadProcessMemory.KERNEL32(?,00000000,?,00000004,?,?,?,00000000), ref: 001A19BE
ResumeThread.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 001A19FB
Sleep.KERNEL32(0000012C,?,?,?,?,?,?,00000000), ref: 001A1A06
SuspendThread.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 001A1A0F
GetThreadContext.KERNEL32(?,00010003,?,?,?,?,?,?,00000000), ref: 001A1A26
SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 001A1A5F
GetLastError.KERNEL32(?,?,00000000), ref: 001A1A7E
ResumeThread.KERNEL32(?,?,?,00000000), ref: 001A1A8F
LocalFree.KERNEL32(00000000,?,?,00000000), ref: 001A1A9A

Part of subcall function 001A31BB: lstrlenA.KERNEL32(?,00000000,?,001A1ADB,?,?,001A1523,?,00000000), ref: 001A31C9
Part of subcall function 001A31BB: lstrcpyA.KERNEL32(00000000,?,-00000003,?,001A1ADB,?,?,001A1523,?,00000000), ref: 001A31E2
Part of subcall function 001A31BB: StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,001A1ADB,?,?,001A1523,?,00000000), ref: 001A31ED
Part of subcall function 001A31BB: lstrcatA.KERNEL32(00000000,.dll,?,001A1ADB,?,?,001A1523,?,00000000), ref: 001A3213

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: Thread$ProcessResume$AddressChangeCloseContextErrorFindFreeHandleLastLocalMemoryModuleNotificationOpenProcReadSleepSuspendSwitchlstrcatlstrcpylstrlenmemset
String ID:
API String ID: 1962443624-0
Opcode ID: 5303521c0137262eda89a35062ce291c4e1c293731287aa035e2edec150ae5cf
Instruction ID: f71f1c0b811e7a23fec4d7a745800b569bd36940e9b96225bf657f61e49f27cf
Opcode Fuzzy Hash: 5303521c0137262eda89a35062ce291c4e1c293731287aa035e2edec150ae5cf
Instruction Fuzzy Hash: 83411379905249FFDF119FA0DD49AAE7BB9EF02350F144065F908DB160EB308E84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A2C96 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 119
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001A35A8: GetModuleHandleW.KERNEL32(NTDLL.DLL,00000000,00000002,00000000,NTDLL.DLL,?,?,?,001A2AFF,?,?,?,?,001A5350,00000028,001A3321), ref: 001A35BC
Part of subcall function 001A35A8: GetProcAddress.KERNEL32(00000000,ZwWow64QueryInformationProcess64), ref: 001A35C8
Part of subcall function 001A35A8: NtWow64QueryInformationProcess64.NTDLL(00000008,00000000,00000030,00000030,00000008,?,?,?,001A2AFF,?,?,?,?,001A5350,00000028,001A3321), ref: 001A35E4

VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,00000000,000004C8,00000008,00000000), ref: 001A2CC4
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 001A2DB9

Part of subcall function 001A35A8: StrRChrA.KERNELBASE(00000020,00000000,0000005C), ref: 001A3776
Part of subcall function 001A35A8: LocalFree.KERNEL32(?,00000100,00000000,00000200,?,?,?,001A2AFF,?,?,?,?,001A5350,00000028,001A3321,00000000), ref: 001A37C7
Part of subcall function 001A35A8: LocalFree.KERNEL32(00000000,?,00000100,00000000,00000200,?,?,?,001A2AFF,?,?,?,?,001A5350,00000028,001A3321), ref: 001A37D1

VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 001A2CFF
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 001A2D0F
lstrcmpiA.KERNEL32(?,00000000), ref: 001A2D4D
StrChrA.SHLWAPI(?,0000002E), ref: 001A2D5C
lstrcmpiA.KERNEL32(?,00000000), ref: 001A2D6F

Strings

NTDLL.DLL, xrefs: 001A2C9B

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: FreeVirtual$AllocLocallstrcmpi$AddressHandleInformationModuleProcProcess64QueryWow64
String ID: NTDLL.DLL
API String ID: 2432548908-1613819793
Opcode ID: ef61dc35b0eb475646a7d93f89f8ef4602e4fc31d9cf812e35752fe4c0fc52e1
Instruction ID: 99e1ac68511929f7d248b7a83588cbe137cab0915c3c3071b30d60c46fe3cde9
Opcode Fuzzy Hash: ef61dc35b0eb475646a7d93f89f8ef4602e4fc31d9cf812e35752fe4c0fc52e1
Instruction Fuzzy Hash: 5A41CE35A01705FBEB258F98CD49FAA7BB9FF46710F244018F904AA282D3719E40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001A32E9 Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(00000008,?,00000000,001A3458,?,00000000,000004C8,00000008,00000000), ref: 001A32FB
OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,001A3458,?,00000000,000004C8,00000008,00000000), ref: 001A3308

Part of subcall function 001A2AD6: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000000,000004C8,00000008,00000000), ref: 001A2B16
Part of subcall function 001A2AD6: VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,000004C8,00000008,00000000), ref: 001A2BAF

FindCloseChangeNotification.KERNELBASE(00000000,000004C8,00000008,00000000), ref: 001A3357

Strings

NTDLL.DLL, xrefs: 001A3313, 001A331A, 001A3338
ZwGetContextThread, xrefs: 001A330E
xy", xrefs: 001A3361
ZwSetContextThread, xrefs: 001A3333
xy", xrefs: 001A3351

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocChangeCloseCurrentFindFreeNotificationOpen
String ID: NTDLL.DLL$ZwGetContextThread$ZwSetContextThread$xy"$xy"
API String ID: 1388074787-1372746786
Opcode ID: 252c9545f109570f6975b139dd64fe72e3c706a9881cacefec92148d991bd99e
Instruction ID: 1d096f07ebc66c032e042d0f6bdd5cc3b88c2f8e341ffd9ba210bdbadb4881fe
Opcode Fuzzy Hash: 252c9545f109570f6975b139dd64fe72e3c706a9881cacefec92148d991bd99e
Instruction Fuzzy Hash: DCF0F6B6A0DA10BF9B209BF9BD89DBA3769FB977503080435F614D6220E7300CC297B1

Uniqueness

Uniqueness Score: -1.00%

Function 001A2140 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(00000000,?), ref: 001A2160
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001A216D

Part of subcall function 001A2AD6: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000000,000004C8,00000008,00000000), ref: 001A2B16
Part of subcall function 001A2AD6: VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,000004C8,00000008,00000000), ref: 001A2BAF

FindCloseChangeNotification.KERNELBASE(00000000), ref: 001A226C

Strings

NTDLL.DLL, xrefs: 001A2178, 001A217F, 001A218B
ZwWriteVirtualMemory, xrefs: 001A2186
ZwProtectVirtualMemory, xrefs: 001A2173

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocChangeCloseCurrentFindFreeNotificationOpen
String ID: NTDLL.DLL$ZwProtectVirtualMemory$ZwWriteVirtualMemory
API String ID: 1388074787-2238432915
Opcode ID: b2ed336f1663786fbd1ff5716042994b4bf2267940ca96a43a6b679cc1b3b0b0
Instruction ID: 658fad47bec7ac099b25e9da16e7762e3c755d93cfe656a669113bc05135ace0
Opcode Fuzzy Hash: b2ed336f1663786fbd1ff5716042994b4bf2267940ca96a43a6b679cc1b3b0b0
Instruction Fuzzy Hash: 4F41A3B6D00609BFDF019F98DD41AEEBBBAFB49710F144029FA14B6260D3719A619B60

Uniqueness

Uniqueness Score: -1.00%

Function 001A3097 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,IsWow64Process,?,?,001A28EA,00001C5C,00000000,?,?,?,001A14C8,00000000), ref: 001A30B2
GetProcAddress.KERNEL32(00000000), ref: 001A30B9
OpenProcess.KERNEL32(00000400,00000000,00000000,00000000,00000000,?,?,001A28EA,00001C5C,00000000,?,?,?,001A14C8,00000000), ref: 001A30D9
FindCloseChangeNotification.KERNELBASE(001A14C8,?,?,001A28EA,00001C5C,00000000,?,?,?,001A14C8,00000000), ref: 001A3102

Strings

IsWow64Process, xrefs: 001A30A8
KERNEL32.DLL, xrefs: 001A30AD

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: AddressChangeCloseFindHandleModuleNotificationOpenProcProcess
String ID: IsWow64Process$KERNEL32.DLL
API String ID: 869619728-1193389583
Opcode ID: f7d8020ff1a4b4e759890f5b3f62578bdb31d27a027323db0ec82b58b02ebbdf
Instruction ID: 37942c3483dc7b8ef435457db4ffc323289a88f17f84a98288a3248bcc7e61fd
Opcode Fuzzy Hash: f7d8020ff1a4b4e759890f5b3f62578bdb31d27a027323db0ec82b58b02ebbdf
Instruction Fuzzy Hash: 6D01A239699A04FBCB20CBA4ED09F9ABBB8EF53B22F100115F915E7240D7749E4186A0

Uniqueness

Uniqueness Score: -1.00%

Function 001A1EF2 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL(0000012C,00227924,00000018,?,?,?,?,?,?,001A1CE6,0000012C,?), ref: 001A1F94

Strings

LdrLoadDll, xrefs: 001A1F23
NTDLL.DLL, xrefs: 001A1F28, 001A1F2D, 001A1F4D, 001A1F6D
NtProtectVirtualMemory, xrefs: 001A1F68
LdrGetProcedureAddress, xrefs: 001A1F48

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: LdrGetProcedureAddress$LdrLoadDll$NTDLL.DLL$NtProtectVirtualMemory
API String ID: 3510742995-862099514
Opcode ID: 9c3654279d610b15999771ad99457509d18faaaf6abb4d4e3176afe01bd8e005
Instruction ID: 328dd2149527bbda545598d6a63b05eb61ff4df0aa79193bb36c68699f371ab7
Opcode Fuzzy Hash: 9c3654279d610b15999771ad99457509d18faaaf6abb4d4e3176afe01bd8e005
Instruction Fuzzy Hash: A511657AA1E3007BC730BF99FC46D667BA1F7A7B60B145025F4089B131E3B158858B90

Uniqueness

Uniqueness Score: -1.00%

Function 001A1B72 Relevance: 6.2, APIs: 4, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL(-00000B24,?,?,?,?,?,?,?,00000000,00000000), ref: 001A1C58
memcpy.NTDLL(-00000B24,-00000B24,?,?,?,?,?,?,?,00000000,00000000), ref: 001A1C7C
memcpy.NTDLL(0000016C,001A23E2,00000800,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001A1D02

Part of subcall function 001A1E3F: GetModuleHandleW.KERNEL32(NTDLL.DLL,0000012C,00000000,?,001A1CEF,0000012C), ref: 001A1E75
Part of subcall function 001A1E3F: memcpy.NTDLL(001A1CEF,0022790C,00000018,?,001A1CEF,0000012C), ref: 001A1EE4

Part of subcall function 001A29E9: memset.NTDLL ref: 001A2A07
Part of subcall function 001A29E9: LocalFree.KERNEL32(00000000), ref: 001A2A52

FindCloseChangeNotification.KERNELBASE(00000000,00000000,00000000), ref: 001A1D3D

Part of subcall function 001A2883: NtUnmapViewOfSection.NTDLL(001A1D32,?), ref: 001A288C
Part of subcall function 001A2883: RtlNtStatusToDosError.NTDLL ref: 001A2893

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: memcpy$ChangeCloseErrorFindFreeHandleLocalModuleNotificationSectionStatusUnmapViewmemset
String ID:
API String ID: 3425476150-0
Opcode ID: 17d60f680470eb1a3ead2184e0792a5304ec25a315eccf697d55e489a17a445b
Instruction ID: fcd9fa66248bb213eab1b9aa5b96493e1be6c19371dc5c134ca284976d580c83
Opcode Fuzzy Hash: 17d60f680470eb1a3ead2184e0792a5304ec25a315eccf697d55e489a17a445b
Instruction Fuzzy Hash: F051AE7A905209BFCB11DFD8ED45BAC77B5FB0A314F144169E804E7361E734AA91DB80

Uniqueness

Uniqueness Score: -1.00%

Function 001A227B Relevance: 6.1, APIs: 4, Instructions: 118
threadsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 001A22BB

Part of subcall function 001A32E9: GetCurrentProcessId.KERNEL32(00000008,?,00000000,001A3458,?,00000000,000004C8,00000008,00000000), ref: 001A32FB
Part of subcall function 001A32E9: OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,001A3458,?,00000000,000004C8,00000008,00000000), ref: 001A3308
Part of subcall function 001A32E9: FindCloseChangeNotification.KERNELBASE(00000000,000004C8,00000008,00000000), ref: 001A3357

Part of subcall function 001A2140: GetCurrentProcessId.KERNEL32(00000000,?), ref: 001A2160
Part of subcall function 001A2140: OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001A216D

ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001A234A
Sleep.KERNELBASE(0000012C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001A2355
Wow64SuspendThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001A235E

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: Process$CurrentOpenThread$ChangeCloseFindNotificationResumeSleepSuspendWow64memset
String ID:
API String ID: 480387206-0
Opcode ID: 4a88bce3985724bafc03bae9bee4544d11216ed97a7db6ab02dc2e7ccf791943
Instruction ID: 74ebf0cbdebbd31d688a60d328938b4de516273e40284f779b2a9c8ad92ac961
Opcode Fuzzy Hash: 4a88bce3985724bafc03bae9bee4544d11216ed97a7db6ab02dc2e7ccf791943
Instruction Fuzzy Hash: 1E4163BAD00209EFDF119F94CD02FAEBBB9FF0A310F104165FA14A6191E7759A54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001A2AD6 Relevance: 2.6, APIs: 2, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001A2C96: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,00000000,000004C8,00000008,00000000), ref: 001A2CC4
Part of subcall function 001A2C96: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 001A2CFF
Part of subcall function 001A2C96: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 001A2D0F
Part of subcall function 001A2C96: lstrcmpiA.KERNEL32(?,00000000), ref: 001A2D4D
Part of subcall function 001A2C96: StrChrA.SHLWAPI(?,0000002E), ref: 001A2D5C
Part of subcall function 001A2C96: lstrcmpiA.KERNEL32(?,00000000), ref: 001A2D6F
Part of subcall function 001A2C96: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 001A2DB9

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000000,000004C8,00000008,00000000), ref: 001A2B16

Part of subcall function 001A3268: GetModuleHandleW.KERNEL32(NTDLL.DLL,ZwWow64ReadVirtualMemory64,00000000,?,?,?,001A362A,00000008,?,00000000,00000028,00000100,00000000,00000200), ref: 001A328C
Part of subcall function 001A3268: GetProcAddress.KERNEL32(00000000), ref: 001A3293
Part of subcall function 001A3268: NtWow64ReadVirtualMemory64.NTDLL(00000028,00000000,?,?,00000008,00000000,00000028,00000000,?,?,?,001A362A,00000008,?,00000000,00000028), ref: 001A32BB

VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,000004C8,00000008,00000000), ref: 001A2BAF

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$lstrcmpi$AddressHandleMemory64ModuleProcReadWow64
String ID:
API String ID: 3389612928-0
Opcode ID: 05c1207bf4df15c31c36669a82d24bb8116eeabe5deacf5d22e1ba11ea9cdb31
Instruction ID: 4c5709fa93acb8cabe4fc190b6fe4af1231a7348916544c7a195fe61fa18dc3d
Opcode Fuzzy Hash: 05c1207bf4df15c31c36669a82d24bb8116eeabe5deacf5d22e1ba11ea9cdb31
Instruction Fuzzy Hash: 532127B6D01218ABDF15DFA8DD41BEEBBB5FF09760F18411AF904B7280D77499408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A29E9 Relevance: 2.5, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 001A1490: LocalAlloc.KERNEL32(00000000,?,001A2A74,00000104,00000000,00000000,001A14C8,00000000,?,001A2928,00000000,00227950,?,?,?,001A14C8), ref: 001A1496

memset.NTDLL ref: 001A2A07
LocalFree.KERNEL32(00000000), ref: 001A2A52

Part of subcall function 001A3417: memset.NTDLL ref: 001A344E
Part of subcall function 001A3417: memcpy.NTDLL(?,001A3871,00000100,?,00000000,000004C8,00000008,00000000), ref: 001A3479
Part of subcall function 001A3417: VirtualAllocEx.KERNELBASE(?,00000000,00000318,00003000,00000040,?,?,?,?,00000008,00000000), ref: 001A3493

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: AllocLocalmemset$FreeVirtualmemcpy
String ID:
API String ID: 2149420209-0
Opcode ID: dd9a40de63a7109f1fa6e87fa9073e480fc7239f4c2c1cb5caa251aacdba4321
Instruction ID: ccac0ab92534a6112062a24a2b9eb7a9162139c7ae3f38d96ff85216739b7d68
Opcode Fuzzy Hash: dd9a40de63a7109f1fa6e87fa9073e480fc7239f4c2c1cb5caa251aacdba4321
Instruction Fuzzy Hash: 2701DB796023086BCB319F29EC01B9B7FA8EF96364F004425FD0896622D330DD1487A1

Uniqueness

Uniqueness Score: -1.00%

Function 001A2002 Relevance: 1.4, APIs: 1, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 001A1490: LocalAlloc.KERNEL32(00000000,?,001A2A74,00000104,00000000,00000000,001A14C8,00000000,?,001A2928,00000000,00227950,?,?,?,001A14C8), ref: 001A1496

LocalFree.KERNEL32(00000000,00001000,00000000,?,?,?,?,?,?,?,001A22E0,?,?,?,00000000,000004C8), ref: 001A2132

Part of subcall function 001A2C2C: memset.NTDLL ref: 001A2C3F

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: Local$AllocFreememset
String ID:
API String ID: 3749828606-0
Opcode ID: 5493364eaa275fda2d50eb8e30558437817f3d0874356a37fa85e6ae24967fae
Instruction ID: 33144dc1ac813e8c36468114c9ec0fc1ebf7b2a0854a94533b88e67286dc793e
Opcode Fuzzy Hash: 5493364eaa275fda2d50eb8e30558437817f3d0874356a37fa85e6ae24967fae
Instruction Fuzzy Hash: D6414F79D00309ABDB14DA98CC82EFFB7B9EF4A350F154519FA05A7241E770AE41C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 001A2C2C Relevance: 1.3, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 001A2C3F

Part of subcall function 001A321E: GetModuleHandleW.KERNEL32(NTDLL.DLL,ZwWow64QueryInformationProcess64,00000000,?,001A2C58,?,00000000,?,00000030,?,?,00000000,00000027,00000000), ref: 001A323A
Part of subcall function 001A321E: GetProcAddress.KERNEL32(00000000), ref: 001A3241
Part of subcall function 001A321E: NtWow64QueryInformationProcess64.NTDLL(00000027,00000000,?,?,00000030,00000000,?,001A2C58,?,00000000,?,00000030,?,?,00000000,00000027), ref: 001A325F

Part of subcall function 001A3268: GetModuleHandleW.KERNEL32(NTDLL.DLL,ZwWow64ReadVirtualMemory64,00000000,?,?,?,001A362A,00000008,?,00000000,00000028,00000100,00000000,00000200), ref: 001A328C
Part of subcall function 001A3268: GetProcAddress.KERNEL32(00000000), ref: 001A3293
Part of subcall function 001A3268: NtWow64ReadVirtualMemory64.NTDLL(00000028,00000000,?,?,00000008,00000000,00000028,00000000,?,?,?,001A362A,00000008,?,00000000,00000028), ref: 001A32BB

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcWow64$InformationMemory64Process64QueryReadVirtualmemset
String ID:
API String ID: 3636394353-0
Opcode ID: 6603850cba599077c631d4fd6514c48d83e1c95ba5685a0acf441e1a9ba9fed4
Instruction ID: a02d1d1a250837ec349f65c284b48b90a240c9aa842a1fb750882894511360e9
Opcode Fuzzy Hash: 6603850cba599077c631d4fd6514c48d83e1c95ba5685a0acf441e1a9ba9fed4
Instruction Fuzzy Hash: 6F016275D01209BBEB11DBD8CC42FEDBBACDB09720F108052FE14AB245E771AA058BE1

Uniqueness

Uniqueness Score: -1.00%

Function 001A2B99 Relevance: 1.3, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,000004C8,00000008,00000000), ref: 001A2BAF

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 67194d5a06725843e1a4de10935a840f59102055b57161576807addc0723137d
Instruction ID: 4d55d7f05b969d2191c879c20f2ba08d4106085cf47b31283b1dd503f8fcfbc2
Opcode Fuzzy Hash: 67194d5a06725843e1a4de10935a840f59102055b57161576807addc0723137d
Instruction Fuzzy Hash: 4BD06738D02A54ABDF21DA54DD06B8EB731BF05720F604240F9507729087246D418A95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001A2F6C Relevance: 15.1, APIs: 10, Instructions: 93threadnativeinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 001A2F86
VirtualAllocEx.KERNEL32(?,00000000,00000318,00003000,00000040,?,00000008,00000000), ref: 001A2FAA
NtGetContextThread.NTDLL ref: 001A2FC5
memcpy.NTDLL(?,001A3896,00000100,00000000,?,00000008,00000000), ref: 001A300B
WriteProcessMemory.KERNEL32(?,?,?,00000318,001A2F5A,?,?,00000000,?,00000008,00000000), ref: 001A3045
NtSetContextThread.NTDLL ref: 001A305A
ResumeThread.KERNEL32(?,?,00000000,?,00000008,00000000), ref: 001A306B
Sleep.KERNEL32(000001F4,?,00000000,?,00000008,00000000), ref: 001A3076
SuspendThread.KERNEL32(?,?,00000000,?,00000008,00000000), ref: 001A307F
GetLastError.KERNEL32(?,00000008,00000000), ref: 001A3087

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: Thread$Context$AllocErrorLastMemoryProcessResumeSleepSuspendVirtualWritememcpymemset
String ID:
API String ID: 1761926231-0
Opcode ID: 700bb7695fee71dec0b04cc1f738eecae17d3eded3113695d69e62bb4eb6f13b
Instruction ID: 7fdfdefbfbee0521efa290ba69aabc2b97e083f702da6609fc32377f1c7da886
Opcode Fuzzy Hash: 700bb7695fee71dec0b04cc1f738eecae17d3eded3113695d69e62bb4eb6f13b
Instruction Fuzzy Hash: 6531D175600219EFDB118F64DD89BEA7BB9FF0A340F108166F918DA161D770DA90CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 001A126D Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195nativeCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 001A131E

Strings

y", xrefs: 001A133D
y", xrefs: 001A147C
y", xrefs: 001A141F

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: MemoryQueryVirtual
String ID: y"$y"$y"
API String ID: 2850889275-463226130
Opcode ID: efae49ca14e8994d7bc6090a8cbe30dc309f1add63870aa076992ae3fc54023f
Instruction ID: 8ff1d5a36c41e288242d7a66dbae8db67a823fb66be8392a24a064569a04fdb1
Opcode Fuzzy Hash: efae49ca14e8994d7bc6090a8cbe30dc309f1add63870aa076992ae3fc54023f
Instruction Fuzzy Hash: B7619E39A04612BFDB2ACF6CD89066973A6BF9B364F288569D846C7590E730DC82C640

Uniqueness

Uniqueness Score: -1.00%

Function 001A2BC1 Relevance: 4.5, APIs: 3, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 001A2BE0
ZwQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000,?,?,?), ref: 001A2BF6
ReadProcessMemory.KERNEL32(00000000,001A1D73,?,000001E8,00000000,?,?,?), ref: 001A2C16

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: Process$InformationMemoryQueryReadmemset
String ID:
API String ID: 248391229-0
Opcode ID: 1e06b67ebbbf3800a5eda2c283b798c79da825ef63ccc9de3fc81056114ff918
Instruction ID: 30aeaa14b0c7460bc3435e75307b42ea4fa2169d2874c334db12f5727e0d5cec
Opcode Fuzzy Hash: 1e06b67ebbbf3800a5eda2c283b798c79da825ef63ccc9de3fc81056114ff918
Instruction Fuzzy Hash: B6F0FFB5A0420DBFEB10DA94DD85EEEBBBCEB05344F4080A1BA18D2151E7719F599BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001AF5AD Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Offset: 001A6000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 684598e9523c870b10bf3775ebcc9031ee10cb13f13bfee7ca9439e3404d8188
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: AAC1633A20519349DF6D46BAC87413FFAA15EA37B131A077DE4B6CB1D4EF20C926DA10

Uniqueness

Uniqueness Score: -1.00%

Function 001AF9E2 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Offset: 001A6000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 4672914680546a242f0c9ccc39fe57621ae3be6b1829f5c5dfa1873d4cf48cf2
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: FAC1833A20519349DF6D46BAC87443FBAA15AA37B131A077DD4B7CB1D4EF20C926D620

Uniqueness

Uniqueness Score: -1.00%

Function 001AF178 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Offset: 001A6000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 0ca03e482f73b1582d755f0ce44c43f1a58748fa074c50f0e4984c12118429e1
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: D9C1723A2051534ADF2D46B9C87413FBAA15EA37B131A077DD4B7CB1D4EF20C926DA60

Uniqueness

Uniqueness Score: -1.00%

Function 001AED60 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Offset: 001A6000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 21947bbc831ed056af56551f60cfb379c806ee9c52a6e9f40e4ece6088f53d35
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 7BC1703A20519349DF6D467AC87403FFAE19AA37B131A076DE4B7CB1D5EF20C925DA20

Uniqueness

Uniqueness Score: -1.00%

Function 001A104C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 325534060dc2412e4b40b6ee893fcbd7c27fbf0af1ab1aca5c8805b56d5d1b46
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: BC21D636900204AFCB10EF78C8819A7BBA5FF46320F068169E915DB245DB30F915CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 001CD7A5 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Offset: 001A6000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9156eb209e15bdecf59ff37c8b45ad9ae18ef71c36593ddbe3b2089c9b51da5b
Instruction ID: 9b2a1fe1e1bd7bfaa7131e239143be48bc29ef193c065b7587284dba897faaba
Opcode Fuzzy Hash: 9156eb209e15bdecf59ff37c8b45ad9ae18ef71c36593ddbe3b2089c9b51da5b
Instruction Fuzzy Hash: 53117D7231021A1ACB2CA97C5C87A76B798D758B50B80857FED55DB1D1EA30E701C690

Uniqueness

Uniqueness Score: -1.00%

Function 001C15C8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Offset: 001A6000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f7ed3a248085ef90dbb4e168fd587bc1084e307bc1ea0b8e759cf3c25ae399
Instruction ID: 2ebc83a362f1019e444b4d68c36d6c708bf1c327651b6bf74cb3dbb427650716
Opcode Fuzzy Hash: 01f7ed3a248085ef90dbb4e168fd587bc1084e307bc1ea0b8e759cf3c25ae399
Instruction Fuzzy Hash: D001D871544724EFE725DF689C89B9A77F4FB04305F10841DFA5AEB291C7B09440CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001A3C39 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000,001A5370,0000001C,001A3C17,002275A8,00000004,00227548,00000004,002275A0,00000002,00000000,?,001A4011), ref: 001A3C84
VirtualProtect.KERNEL32(00000000,00000005,00000040,?,00227548,00000004,002275A8), ref: 001A3CDF
VirtualProtect.KERNEL32(?,00000005,?,?), ref: 001A3D1A
VirtualProtect.KERNEL32(00000000,00000004,?,?,00227548,00000004,002275A8), ref: 001A3D31
EnterCriticalSection.KERNEL32(00227A20), ref: 001A3D44
LeaveCriticalSection.KERNEL32(00227A20), ref: 001A3D62
GetLastError.KERNEL32(?,001A4011,00000002,00000000,00000001,0022759C,?,001A3F4B,00227548,001A1B67,00000000), ref: 001A3D77

Strings

z", xrefs: 001A3D3E
8z", xrefs: 001A3D51

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$CriticalSection$EnterErrorLastLeave
String ID: z"$8z"
API String ID: 2664878573-1190258936
Opcode ID: 62d298c8e2032dae08ce27d7d263a3f4cc883c2e60804b99cebf96a40da03a6c
Instruction ID: 4fe64b7ba25ca734afff3859c849c1c9cc55b10ffea54d291a46f7659335191e
Opcode Fuzzy Hash: 62d298c8e2032dae08ce27d7d263a3f4cc883c2e60804b99cebf96a40da03a6c
Instruction Fuzzy Hash: 60418CB5504704EFDB20CFA4DD89BAABBF5BF09720F144409F555EA691D770EA40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001A3DA5 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 119memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000), ref: 001A3E67
VirtualProtect.KERNEL32(00000000,00000004,00000000,00000000), ref: 001A3E9B
EnterCriticalSection.KERNEL32(00227A20), ref: 001A3EAE
LeaveCriticalSection.KERNEL32(00227A20), ref: 001A3ECC
GetLastError.KERNEL32 ref: 001A3EE2
LocalFree.KERNEL32(00000000), ref: 001A3F1B

Strings

8z", xrefs: 001A3EBB
z", xrefs: 001A3EA8

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorFreeLastLeaveLocal
String ID: z"$8z"
API String ID: 567920170-1190258936
Opcode ID: 921dd7ac014a1bd671996443073cae1177f88570c6d16e28a9798c85dadf53ec
Instruction ID: dbc682605b731999103c91ddf7242578efc0c31f0602456ee761b26020a89036
Opcode Fuzzy Hash: 921dd7ac014a1bd671996443073cae1177f88570c6d16e28a9798c85dadf53ec
Instruction Fuzzy Hash: 6F419E79D00625EFDB21CFA4D845BAEBBB0BF1A720F158119F915AB250D374DA90CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 001A1E3F Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 62COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(NTDLL.DLL,0000012C,00000000,?,001A1CEF,0000012C), ref: 001A1E75
memcpy.NTDLL(001A1CEF,0022790C,00000018,?,001A1CEF,0000012C), ref: 001A1EE4

Strings

LdrLoadDll, xrefs: 001A1E81
NTDLL.DLL, xrefs: 001A1E70
NtProtectVirtualMemory, xrefs: 001A1EBB
LdrGetProcedureAddress, xrefs: 001A1E9E

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: HandleModulememcpy
String ID: LdrGetProcedureAddress$LdrLoadDll$NTDLL.DLL$NtProtectVirtualMemory
API String ID: 1801490239-862099514
Opcode ID: db6c94e02f72304d9b4983218e801dcbbd5e944b87381de4beb6b9f2e71efb69
Instruction ID: 7e56d6df9cea9025b7858b3bf6696f15ab4ae418f67cc921fc00470040c0b2c3
Opcode Fuzzy Hash: db6c94e02f72304d9b4983218e801dcbbd5e944b87381de4beb6b9f2e71efb69
Instruction Fuzzy Hash: 9611A17E25E3007BC336EBECBC069767BE5A397B10B14581AF808D31B1D77159968AB0

Uniqueness

Uniqueness Score: -1.00%

Function 001A3111 Relevance: 9.1, APIs: 6, Instructions: 74fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,?,?,?,?,001A1AF7,002278F4,00227904), ref: 001A3130
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,001A1AF7,002278F4,00227904,?,001A1523,?,00000000), ref: 001A313F
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,00000001,?,?,?,?,001A1AF7,002278F4,00227904,?,001A1523,?), ref: 001A316A
GetLastError.KERNEL32(?,?,?,?,001A1AF7,002278F4,00227904,?,001A1523,?,00000000), ref: 001A3190
CloseHandle.KERNEL32(00000000,?,?,?,?,001A1AF7,002278F4,00227904,?,001A1523,?,00000000), ref: 001A319E
LocalFree.KERNEL32(00000000,?,?,?,?,001A1AF7,002278F4,00227904,?,001A1523,?,00000000), ref: 001A31AD

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorFreeHandleLastLocalReadSize
String ID:
API String ID: 2671872497-0
Opcode ID: d27410af7912154490dc4851000b5eddeb7e9b58ba179b170b5efe8b56f27ffc
Instruction ID: 72bbc1777d6196ec64f73a85c698b01b24aa8729a71344c7784b628ad8173750
Opcode Fuzzy Hash: d27410af7912154490dc4851000b5eddeb7e9b58ba179b170b5efe8b56f27ffc
Instruction Fuzzy Hash: FE11B279A01204BFD7214FA8DC88F7E7B6DEB47764F100259FD25E7280D7709E8586A0

Uniqueness

Uniqueness Score: -1.00%

Function 001A44AC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(NTDLL.DLL,00000008,00227A00,?,?,001A3FBA,?,?,?), ref: 001A44B9
LoadLibraryA.KERNEL32(ntdsapi.dll,00000001), ref: 001A452A
FreeLibrary.KERNEL32(00000000), ref: 001A4535

Strings

NTDLL.DLL, xrefs: 001A44B4
ntdsapi.dll, xrefs: 001A4523

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: Library$FreeHandleLoadModule
String ID: NTDLL.DLL$ntdsapi.dll
API String ID: 2140536961-4180381668
Opcode ID: c3be9f16c9faeb5eaa0a55888cb498b64deda8ff23af9ea85779f9211b2b0ac3
Instruction ID: 6e9cc2cf3ac6e48afdfbbf2ba2086b5cf17596ea512401ac18da331f717b3606
Opcode Fuzzy Hash: c3be9f16c9faeb5eaa0a55888cb498b64deda8ff23af9ea85779f9211b2b0ac3
Instruction Fuzzy Hash: 5D214C79E002099FDB14DFA8D9848AEFBF5EF86310B15446AE909E3300D7B09E40CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 001A458C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,?,001A4099,001A39A2,?,?,?,001A3FBA,?,?,?), ref: 001A4593
GetModuleHandleW.KERNEL32(NTDLL.DLL,LdrRegisterDllNotification,?,001A4099,001A39A2,?,?,?,001A3FBA,?,?,?), ref: 001A45A7
GetProcAddress.KERNEL32(00000000), ref: 001A45AE

Strings

NTDLL.DLL, xrefs: 001A45A2
LdrRegisterDllNotification, xrefs: 001A459D

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID: LdrRegisterDllNotification$NTDLL.DLL
API String ID: 3310240892-3368964806
Opcode ID: 54ded57710e633a2d84a11d2b7acf046ab8137981e20bfc8f83da81745f0ade1
Instruction ID: 3775cebe0a7f51af5212168e6c90ea7ad5eaa3b58cd805947fe2470b0ed9d6cd
Opcode Fuzzy Hash: 54ded57710e633a2d84a11d2b7acf046ab8137981e20bfc8f83da81745f0ade1
Instruction Fuzzy Hash: B3111878609706EFDB259FA9DC05A55BBA5BF8B310B04D165F90CCB251DBB0C881CB94

Uniqueness

Uniqueness Score: -1.00%

Function 001A31BB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,00000000,?,001A1ADB,?,?,001A1523,?,00000000), ref: 001A31C9

Part of subcall function 001A1490: LocalAlloc.KERNEL32(00000000,?,001A2A74,00000104,00000000,00000000,001A14C8,00000000,?,001A2928,00000000,00227950,?,?,?,001A14C8), ref: 001A1496

lstrcpyA.KERNEL32(00000000,?,-00000003,?,001A1ADB,?,?,001A1523,?,00000000), ref: 001A31E2
StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,001A1ADB,?,?,001A1523,?,00000000), ref: 001A31ED
lstrcatA.KERNEL32(00000000,.dll,?,001A1ADB,?,?,001A1523,?,00000000), ref: 001A3213

Strings

.dll, xrefs: 001A320A

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcatlstrcpylstrlen
String ID: .dll
API String ID: 3822144076-2738580789
Opcode ID: 01a43f945a2ad75cf89e56c847797b831e443336ce30ffcaf53d12401ded7c92
Instruction ID: 4683d163ada833455138228b196aa50fbae095e8cd66c852bef8bdcd407fecea
Opcode Fuzzy Hash: 01a43f945a2ad75cf89e56c847797b831e443336ce30ffcaf53d12401ded7c92
Instruction Fuzzy Hash: B3F0593E945B24BBC7221FA4DD0AB5EBF5AAF077A4F054002FA14DA1A1C374CE4087E1

Uniqueness

Uniqueness Score: -1.00%

Function 001B0460 Relevance: 7.8, APIs: 5, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 001B0570
__FindPESection.LIBCMT ref: 001B058A

Memory Dump Source

Source File: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Offset: 001A6000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: 8bc92cd720ef00609098ffb6b9e9814e12efc582b7b6c18401bb48d7b34630a5
Instruction ID: d8d2010f288e2af609343deaf4543ad04309646b8ea07c5f168f91f78e8566e9
Opcode Fuzzy Hash: 8bc92cd720ef00609098ffb6b9e9814e12efc582b7b6c18401bb48d7b34630a5
Instruction Fuzzy Hash: 17A17D71A006159FDB26CF58C980BEEB7B5FB8C320F154669D885AB252E735EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001A1D4B Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 001A1490: LocalAlloc.KERNEL32(00000000,?,001A2A74,00000104,00000000,00000000,001A14C8,00000000,?,001A2928,00000000,00227950,?,?,?,001A14C8), ref: 001A1496

Part of subcall function 001A2BC1: memset.NTDLL ref: 001A2BE0
Part of subcall function 001A2BC1: ZwQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000,?,?,?), ref: 001A2BF6
Part of subcall function 001A2BC1: ReadProcessMemory.KERNEL32(00000000,001A1D73,?,000001E8,00000000,?,?,?), ref: 001A2C16

ReadProcessMemory.KERNEL32(?,00000000,00000000,00001000,00000000,?,00001000,00000000,00000000,?,?,?,?,?,?,001A19A9), ref: 001A1D8B
ReadProcessMemory.KERNEL32(?,?,00000000,00001000,00000000,?,?,?,?,?,?,001A19A9,?,00000000), ref: 001A1DAB
ReadProcessMemory.KERNEL32(?,000000D0,?,00000018,00000000,?,?,?,?,?,?,001A19A9,?,00000000), ref: 001A1E02
ReadProcessMemory.KERNEL32(?,00000000,00000000,00001000,00000000), ref: 001A1E20
LocalFree.KERNEL32(00000000,?,00001000,00000000,00000000,?,?,?,?,?,?,001A19A9,?,00000000), ref: 001A1E31

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: Process$MemoryRead$Local$AllocFreeInformationQuerymemset
String ID:
API String ID: 1829246340-0
Opcode ID: 7c53ed8549ae70854d91097f12236df23f5b2aaa0c8aafa4a70b42d877ba7819
Instruction ID: 106063379b7476e77ec20cb81b02e038d9bde874e31b1e84d2ab4dd440a89272
Opcode Fuzzy Hash: 7c53ed8549ae70854d91097f12236df23f5b2aaa0c8aafa4a70b42d877ba7819
Instruction Fuzzy Hash: 5E313C79600605BBEB21DB65CC85FABBBBDFF49780F408459F945D6181DB70E980CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A38A2 Relevance: 7.6, APIs: 5, Instructions: 76stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(55C35D5E,00000004,001A1B67,00000000,00227548,?,001A1B67), ref: 001A38DC

Part of subcall function 001A1490: LocalAlloc.KERNEL32(00000000,?,001A2A74,00000104,00000000,00000000,001A14C8,00000000,?,001A2928,00000000,00227950,?,?,?,001A14C8), ref: 001A1496

lstrcpyA.KERNEL32(00000000,55C35D5E,00000001,?,001A1B67), ref: 001A38F3
StrChrA.SHLWAPI(00000000,0000002E,?,001A1B67), ref: 001A38FC
GetModuleHandleA.KERNEL32(00000000,?,001A1B67), ref: 001A391A

Part of subcall function 001A3C39: VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000,001A5370,0000001C,001A3C17,002275A8,00000004,00227548,00000004,002275A0,00000002,00000000,?,001A4011), ref: 001A3C84
Part of subcall function 001A3C39: VirtualProtect.KERNEL32(00000000,00000005,00000040,?,00227548,00000004,002275A8), ref: 001A3CDF
Part of subcall function 001A3C39: VirtualProtect.KERNEL32(?,00000005,?,?), ref: 001A3D1A
Part of subcall function 001A3C39: VirtualProtect.KERNEL32(00000000,00000004,?,?,00227548,00000004,002275A8), ref: 001A3D31
Part of subcall function 001A3C39: EnterCriticalSection.KERNEL32(00227A20), ref: 001A3D44

LocalFree.KERNEL32(00000000,?,001A1B67), ref: 001A394A

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$Local$AllocCriticalEnterFreeHandleModuleSectionlstrcpylstrlen
String ID:
API String ID: 1124667966-0
Opcode ID: 234721ced0eeb14fa6f6abfced656a6f1b4adf7348260590b18bb62a9fd46be3
Instruction ID: 7bdec16c19748f3b98258843b2fbed091431196b7ba6dc9b5b0e14c9537eedf5
Opcode Fuzzy Hash: 234721ced0eeb14fa6f6abfced656a6f1b4adf7348260590b18bb62a9fd46be3
Instruction Fuzzy Hash: 2621A1359002059FCB14DFA9D884B6B77B8FF4A764F014069F9259B252D7B0DE81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001A2E54 Relevance: 7.6, APIs: 5, Instructions: 75fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001A2A5E: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,00000104,00000000,00000000,001A14C8,00000000,?,001A2928,00000000,00227950,?,?,?,001A14C8), ref: 001A2A7F
Part of subcall function 001A2A5E: LocalFree.KERNEL32(00000000,?,001A2928,00000000,00227950,?,?,?,001A14C8,00000000), ref: 001A2A97

Part of subcall function 001A41DA: lstrcmpA.KERNEL32(?,00000004,00000004,00000004,00000000,00000004,002275A8), ref: 001A4226

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000008,00000000,001A1A5A,?,?,0000012C), ref: 001A2EAA
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000), ref: 001A2EBD
ReadFile.KERNEL32(00000000,?,00000004,?,00000000,?,?,?,?,?,?,00000000), ref: 001A2ED4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 001A2EEA
LocalFree.KERNEL32(?,00000008,00000000,001A1A5A,?,?,0000012C,?,?,?,?,?,?,00000000), ref: 001A2EF4

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: File$FreeLocal$CloseCreateHandleModuleNamePointerReadlstrcmp
String ID:
API String ID: 883149339-0
Opcode ID: 4e45aa87bd35240e6a0c12e21d3ae8c12b4dc6f49b18fa28cad9f89420a75daa
Instruction ID: 00d37cdcaeefceed8e60d59b8ebd786b305922946a09f58f23413293cb85fc83
Opcode Fuzzy Hash: 4e45aa87bd35240e6a0c12e21d3ae8c12b4dc6f49b18fa28cad9f89420a75daa
Instruction Fuzzy Hash: 9E11C47A900219BBEB20ABA99D49EBF7FBCEF47370F100055F904E6491DB319D80D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 001A3AEF Relevance: 7.6, APIs: 5, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00000005,00000040,00000000,001A5380,00000018,001A3AC2,?,?,001A3FC7,00000002,?,001A3BD4,?,00000000,00000000), ref: 001A3B28
VirtualProtect.KERNEL32(?,00000005,00000000,00000000,?,001A3BD4,?,00000000,00000000,00000000,?,001A3FC7,?,?), ref: 001A3B47
VirtualProtect.KERNEL32(?,00000004,00000040,00000000,001A5380,00000018,001A3AC2,?,?,001A3FC7,00000002,?,001A3BD4,?,00000000,00000000), ref: 001A3B58
VirtualProtect.KERNEL32(?,00000004,00000000,00000000,?,001A3BD4,?,00000000,00000000,00000000,?,001A3FC7,?,?), ref: 001A3B7D
GetLastError.KERNEL32(?,001A3BD4,?,00000000,00000000,00000000,?,001A3FC7,?,?), ref: 001A3B85

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: fb758af446ac76dfa93c7f2041878978c4ac491ad5e74c91604a761aa8823737
Instruction ID: c6d29dd0a629e792661ce08d92ea2dba60847adf188769307966ba4da574ad1d
Opcode Fuzzy Hash: fb758af446ac76dfa93c7f2041878978c4ac491ad5e74c91604a761aa8823737
Instruction Fuzzy Hash: CB216074904B0AEFDB208FA0CD44B6EBB76BF05721F008215F621A6591D734D952DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A339D Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 52stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001A1490: LocalAlloc.KERNEL32(00000000,?,001A2A74,00000104,00000000,00000000,001A14C8,00000000,?,001A2928,00000000,00227950,?,?,?,001A14C8), ref: 001A1496

memset.NTDLL ref: 001A33BB

Part of subcall function 001A2AD6: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000000,000004C8,00000008,00000000), ref: 001A2B16
Part of subcall function 001A2AD6: VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,000004C8,00000008,00000000), ref: 001A2BAF

lstrcpyA.KERNEL32(00000018,001A23BD,?,?,?,001A23BD,?,?), ref: 001A33F1

Part of subcall function 001A3417: memset.NTDLL ref: 001A344E
Part of subcall function 001A3417: memcpy.NTDLL(?,001A3871,00000100,?,00000000,000004C8,00000008,00000000), ref: 001A3479
Part of subcall function 001A3417: VirtualAllocEx.KERNELBASE(?,00000000,00000318,00003000,00000040,?,?,?,?,00000008,00000000), ref: 001A3493

LocalFree.KERNEL32(00000000,?,?,?,001A23BD,?,?), ref: 001A340B

Strings

LoadLibraryA, xrefs: 001A33C3
KERNEL32.DLL, xrefs: 001A33C8

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: AllocVirtual$FreeLocalmemset$lstrcpymemcpy
String ID: KERNEL32.DLL$LoadLibraryA
API String ID: 1924211247-1423781741
Opcode ID: 5ea2af21a32c4ba5cfbac64a9254f3ac447f950cb5275fc40e715c066318b88a
Instruction ID: 76e3744577d6b85a8f934e3434075fe34c60f59151cdff72f7660e2257257a51
Opcode Fuzzy Hash: 5ea2af21a32c4ba5cfbac64a9254f3ac447f950cb5275fc40e715c066318b88a
Instruction Fuzzy Hash: 4201F27A741B007BD3212B299C02F5BBFADEFAB760F108429F10996242D721A90587E0

Uniqueness

Uniqueness Score: -1.00%

Function 001A3A35 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 45stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00227A20), ref: 001A3A41
lstrcmpA.KERNEL32(?,?), ref: 001A3A77
LeaveCriticalSection.KERNEL32(00227A20), ref: 001A3AA5

Strings

8z", xrefs: 001A3A92
8z", xrefs: 001A3A4D

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeavelstrcmp
String ID: 8z"$8z"
API String ID: 4188137280-314587729
Opcode ID: 1a5ee47f9481b702d459639a4b6619213fc73c78a0a06d014697ea14e75839c6
Instruction ID: 21054e0f340599b85069439c16bdb022091e459c05d82b80016ca449c7a1dec0
Opcode Fuzzy Hash: 1a5ee47f9481b702d459639a4b6619213fc73c78a0a06d014697ea14e75839c6
Instruction Fuzzy Hash: EE01203D618231AB8B208F51D849A7EB761FB82371B158015F9A6D7520D330DFD0DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 001C3A18 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001C3A82
_memset.LIBCMT ref: 001C3AB3
_memmove.LIBCMT ref: 001C3AF1

Strings

<, xrefs: 001C3AC1

Memory Dump Source

Source File: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Offset: 001A6000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: _memset$_memmove
String ID: <
API String ID: 2532777613-4251816714
Opcode ID: e2b67628775db194304f48f3ddecd6e71d522255d15c462eb1e05ee6224af7ee
Instruction ID: 74995d95d44f1c94079eb71ada6593d34c5aa035d367d34d7bc53f87668ee74e
Opcode Fuzzy Hash: e2b67628775db194304f48f3ddecd6e71d522255d15c462eb1e05ee6224af7ee
Instruction Fuzzy Hash: FF314F71900215AFEB20DF65CC85FAA7BFCEB15750F10846AF905DB241E731EA01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001A3F28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ADVAPI32.DLL,00000000,00000000,?,00227548,00227548,?,001A1B67,00227548,00000004,002275A8,00000004), ref: 001A3F35

Part of subcall function 001A3FD2: GetModuleHandleA.KERNEL32(00000002,00000000,00000000,00000000,?,001A3F4B,00227548,001A1B67,00000000,?,00227548,00227548,?,001A1B67,00227548,00000004), ref: 001A3FF6

GetCurrentProcess.KERNEL32(002275A8,00000004,00000004,002275A8,00000004), ref: 001A3F62

Part of subcall function 001A2DC8: EnumProcessModules.PSAPI(?,00000000,00001000,00000000,00001000,00000000,00000000,00000000), ref: 001A2DF3
Part of subcall function 001A2DC8: LocalFree.KERNEL32(00000000,?,00000000,00001000,00000000,00001000,00000000,00000000,00000000), ref: 001A2E07

LocalFree.KERNEL32(?), ref: 001A3FAA

Strings

ADVAPI32.DLL, xrefs: 001A3F30

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: FreeHandleLocalModuleProcess$CurrentEnumModules
String ID: ADVAPI32.DLL
API String ID: 1860380997-33758204
Opcode ID: 34d499421617368a4e7f5ea8fbdd705d67826a6d0d0cd71d2ced2763e6c8976e
Instruction ID: 30204f44ee55d0efbb5326b67a9d0db2c71f1e39edbd3b6bc633d309cc9a2ce5
Opcode Fuzzy Hash: 34d499421617368a4e7f5ea8fbdd705d67826a6d0d0cd71d2ced2763e6c8976e
Instruction Fuzzy Hash: 2611EB3AA04208BFCF119F90EC05EAE7B7AEF46360F100025F82492211CB319E649BA2

Uniqueness

Uniqueness Score: -1.00%

Function 001A336A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,Wow64EnableWow64FsRedirection,?,001A1534,00000000), ref: 001A3380
GetProcAddress.KERNEL32(00000000), ref: 001A3387

Strings

Wow64EnableWow64FsRedirection, xrefs: 001A3376
KERNEL32.DLL, xrefs: 001A337B

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: KERNEL32.DLL$Wow64EnableWow64FsRedirection
API String ID: 1646373207-2529553039
Opcode ID: 40595e8e9dbc716749fcc2ae990d90a51e057b66ec6aeb78fdfe3833ecd500ea
Instruction ID: df309394ab980ac4bde9e6da9ea85bfc1dfff001d48fe2f09e7f692e2825ca4a
Opcode Fuzzy Hash: 40595e8e9dbc716749fcc2ae990d90a51e057b66ec6aeb78fdfe3833ecd500ea
Instruction Fuzzy Hash: A2D05E3828C705EBDF105FF5AC1DE0537A9BB027453000421F418D1620DB20D581CA50

Uniqueness

Uniqueness Score: -1.00%

Function 001A1AA8 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.NTDLL(002278F4,?,00000018,00000000,?,?,001A1523,?,00000000), ref: 001A1B25

Part of subcall function 001A2A5E: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,00000104,00000000,00000000,001A14C8,00000000,?,001A2928,00000000,00227950,?,?,?,001A14C8), ref: 001A2A7F
Part of subcall function 001A2A5E: LocalFree.KERNEL32(00000000,?,001A2928,00000000,00227950,?,?,?,001A14C8,00000000), ref: 001A2A97

Part of subcall function 001A31BB: lstrlenA.KERNEL32(?,00000000,?,001A1ADB,?,?,001A1523,?,00000000), ref: 001A31C9
Part of subcall function 001A31BB: lstrcpyA.KERNEL32(00000000,?,-00000003,?,001A1ADB,?,?,001A1523,?,00000000), ref: 001A31E2
Part of subcall function 001A31BB: StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,001A1ADB,?,?,001A1523,?,00000000), ref: 001A31ED
Part of subcall function 001A31BB: lstrcatA.KERNEL32(00000000,.dll,?,001A1ADB,?,?,001A1523,?,00000000), ref: 001A3213

Part of subcall function 001A3111: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,?,?,?,?,001A1AF7,002278F4,00227904), ref: 001A3130
Part of subcall function 001A3111: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,001A1AF7,002278F4,00227904,?,001A1523,?,00000000), ref: 001A313F
Part of subcall function 001A3111: CloseHandle.KERNEL32(00000000,?,?,?,?,001A1AF7,002278F4,00227904,?,001A1523,?,00000000), ref: 001A319E
Part of subcall function 001A3111: LocalFree.KERNEL32(00000000,?,?,?,?,001A1AF7,002278F4,00227904,?,001A1523,?,00000000), ref: 001A31AD

LocalFree.KERNEL32(00000000), ref: 001A1B14

Part of subcall function 001A3111: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,00000001,?,?,?,?,001A1AF7,002278F4,00227904,?,001A1523,?), ref: 001A316A

Strings

Hu", xrefs: 001A1B57
xu", xrefs: 001A1B46

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: File$FreeLocal$CloseCreateHandleModuleNameReadSizelstrcatlstrcpylstrlenmemcpy
String ID: Hu"$xu"
API String ID: 523194690-4177316256
Opcode ID: 9ce822d0a87588ea355665b6fc14098428b2fa6f169224ebdaef25f7ebe25141
Instruction ID: d1bfc3a17ea85998d1ff28d38b442bc79d1128689c254f9905af36f59a81dc9a
Opcode Fuzzy Hash: 9ce822d0a87588ea355665b6fc14098428b2fa6f169224ebdaef25f7ebe25141
Instruction Fuzzy Hash: AF11E03EA9D33077C6322698BC03B6972289B63BB0F410075FD18772A2FB654D6192E1

Uniqueness

Uniqueness Score: -1.00%

Function 001A2DC8 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 001A1490: LocalAlloc.KERNEL32(00000000,?,001A2A74,00000104,00000000,00000000,001A14C8,00000000,?,001A2928,00000000,00227950,?,?,?,001A14C8), ref: 001A1496

EnumProcessModules.PSAPI(?,00000000,00001000,00000000,00001000,00000000,00000000,00000000), ref: 001A2DF3
LocalFree.KERNEL32(00000000,?,00000000,00001000,00000000,00001000,00000000,00000000,00000000), ref: 001A2E07
GetLastError.KERNEL32(?,00000000,00001000,00000000,00001000,00000000,00000000,00000000), ref: 001A2E3D
LocalFree.KERNEL32(00000000), ref: 001A2E46

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: Local$Free$AllocEnumErrorLastModulesProcess
String ID:
API String ID: 114004284-0
Opcode ID: 74a7d92cfdade3bbae7f875349978717b1bc1dfb07a8a1b08936329f314e762f
Instruction ID: 352333e6bc8f0e4d8e1965b519e70c09e31e49a72dcb3c2c074cd4df4474b217
Opcode Fuzzy Hash: 74a7d92cfdade3bbae7f875349978717b1bc1dfb07a8a1b08936329f314e762f
Instruction Fuzzy Hash: 581180BAA01219BBDB219AADCC45AAF7BADDF4B7A5F110064FC04DB201DB70DD4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 001A2A5E Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 001A1490: LocalAlloc.KERNEL32(00000000,?,001A2A74,00000104,00000000,00000000,001A14C8,00000000,?,001A2928,00000000,00227950,?,?,?,001A14C8), ref: 001A1496

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,00000104,00000000,00000000,001A14C8,00000000,?,001A2928,00000000,00227950,?,?,?,001A14C8), ref: 001A2A7F
LocalFree.KERNEL32(00000000,?,001A2928,00000000,00227950,?,?,?,001A14C8,00000000), ref: 001A2A97
GetLastError.KERNEL32(?,001A2928,00000000,00227950,?,?,?,001A14C8,00000000), ref: 001A2ABA
LocalFree.KERNEL32(00000000,?,001A2928,00000000,00227950,?,?,?,001A14C8,00000000), ref: 001A2AC3

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: Local$Free$AllocErrorFileLastModuleName
String ID:
API String ID: 1353466770-0
Opcode ID: 71434c8fa28114ef8b3b2ca398ea3ba711069e9a846869ed33c1b48d644f7955
Instruction ID: e9d54104a9ea7f8a608a491a2641d410294fced3c5a757278c3724a6cdadd454
Opcode Fuzzy Hash: 71434c8fa28114ef8b3b2ca398ea3ba711069e9a846869ed33c1b48d644f7955
Instruction Fuzzy Hash: 5D016D7AA016257BD731AAAD9C44AABBA9DDF577A4F054461FD04D7601EB70CC0082F0

Uniqueness

Uniqueness Score: -1.00%

Function 001CAD5D Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 001CAD81

Part of subcall function 001CB468: __fltout2.LIBCMT ref: 001CB491

__cftog_l.LIBCMT ref: 001CADA7
__cftoe_l.LIBCMT ref: 001CADD9

Memory Dump Source

Source File: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Offset: 001A6000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: cc797f4a937cfe9f16ff9734c3d5a423fa9c4cbbbe86976da81b9899cba00756
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: E501693204014EBBCF165E84CC42DEE3F22BF28359B998419FA1998531C732C9B1AB82

Uniqueness

Uniqueness Score: -1.00%

Function 001A3AB3 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 001A3AEF: VirtualProtect.KERNEL32(?,00000005,00000040,00000000,001A5380,00000018,001A3AC2,?,?,001A3FC7,00000002,?,001A3BD4,?,00000000,00000000), ref: 001A3B28
Part of subcall function 001A3AEF: VirtualProtect.KERNEL32(?,00000005,00000000,00000000,?,001A3BD4,?,00000000,00000000,00000000,?,001A3FC7,?,?), ref: 001A3B47
Part of subcall function 001A3AEF: VirtualProtect.KERNEL32(?,00000004,00000040,00000000,001A5380,00000018,001A3AC2,?,?,001A3FC7,00000002,?,001A3BD4,?,00000000,00000000), ref: 001A3B58
Part of subcall function 001A3AEF: VirtualProtect.KERNEL32(?,00000004,00000000,00000000,?,001A3BD4,?,00000000,00000000,00000000,?,001A3FC7,?,?), ref: 001A3B7D

EnterCriticalSection.KERNEL32(00227A20,?,001A3FC7,00000002,?,001A3BD4,?,00000000,00000000,00000000,?,001A3FC7,?,?), ref: 001A3ACB
LeaveCriticalSection.KERNEL32(00227A20,?,001A3BD4,?,00000000,00000000,00000000,?,001A3FC7,?,?), ref: 001A3ADC
LocalFree.KERNEL32(?,?,001A3BD4,?,00000000,00000000,00000000,?,001A3FC7,?,?), ref: 001A3AE3

Strings

z", xrefs: 001A3AC3

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$CriticalSection$EnterFreeLeaveLocal
String ID: z"
API String ID: 2854541331-3351007082
Opcode ID: b99d432842e2bb62a03b7e6cc436c37a9b24eafb2feb2b0b38deba02f27d3fe1
Instruction ID: 99e25dc5cac83b3f8d06ffcda618bb52a4bd887256be1847708520e991ca41a0
Opcode Fuzzy Hash: b99d432842e2bb62a03b7e6cc436c37a9b24eafb2feb2b0b38deba02f27d3fe1
Instruction Fuzzy Hash: DDE048B61042147B83105B59ED8486BFBADFF9A7743114116F509C7311D7319C4187E1

Uniqueness

Uniqueness Score: -1.00%

Function 001C720A Relevance: 6.0, APIs: 4, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 001C7210
__FF_MSGBANNER.LIBCMT ref: 001C7223

Part of subcall function 001C73B5: __NMSG_WRITE.LIBCMT ref: 001C73DC
Part of subcall function 001C73B5: __NMSG_WRITE.LIBCMT ref: 001C73E6

__NMSG_WRITE.LIBCMT ref: 001C722B

Part of subcall function 001C7412: ___crtMessageBoxW.LIBCMT ref: 001C7552

Part of subcall function 001C723C: _doexit.LIBCMT ref: 001C7246

Memory Dump Source

Source File: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Offset: 001A6000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: ___crt$ExitMessageProcess_doexit
String ID:
API String ID: 3013061184-0
Opcode ID: a7a3077baa2f95853782cab798f794634b66fae93efadf64e57ae21c422a6640
Instruction ID: 0727c9eb91e2ff383bb14a9a25ec251654cb67e483e22bb417a2ef49d35b169c
Opcode Fuzzy Hash: a7a3077baa2f95853782cab798f794634b66fae93efadf64e57ae21c422a6640
Instruction Fuzzy Hash: 95E0BF3114820C7BDA153B65EC47F993F1D9B30750F544028FE08199E2EFE2E99159D6

Uniqueness

Uniqueness Score: -1.00%

Function 001BFD50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001BFDC4
_memmove.LIBCMT ref: 001BFDF0

Strings

<, xrefs: 001BFD9C

Memory Dump Source

Source File: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Offset: 001A6000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: <
API String ID: 4104443479-4251816714
Opcode ID: 0cfcdfd955ee6ad5e269472e585358fb2bc1e0c9dba8433a708036f624016ebb
Instruction ID: 49d65bed9fafcca3d29c1be7e85c09791422eba24254d58a5313d38dc671a60b
Opcode Fuzzy Hash: 0cfcdfd955ee6ad5e269472e585358fb2bc1e0c9dba8433a708036f624016ebb
Instruction Fuzzy Hash: 89411B70500B05DFD724CF69C884B96BBF4FF14315F20CA2DE49A86662E771E986CB80

Uniqueness

Uniqueness Score: -1.00%

Function 001BAB31 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001BAB54
_memset.LIBCMT ref: 001BABA9

Strings

., xrefs: 001BABCF

Memory Dump Source

Source File: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, Offset: 001A6000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: _memset
String ID: .
API String ID: 2102423945-248832578
Opcode ID: 54ec065f2a4c71b6b9a413a083f7d9a175bb04fdad41ea0af342cb6b2f33332f
Instruction ID: 7864450de68de5dfe330b835ee3ec592fb700c15c578c5d14d87ec39ce3f8a30
Opcode Fuzzy Hash: 54ec065f2a4c71b6b9a413a083f7d9a175bb04fdad41ea0af342cb6b2f33332f
Instruction Fuzzy Hash: 4831C13150062CAFE711AB94DCCCEEE7BBCEF45351F900455F90992060EB309D9A8B55

Uniqueness

Uniqueness Score: -1.00%

Function 001A29BE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,LoadLibraryA,001A2F0F,00000000,00000000,?,?,001A1A5A,?,?,0000012C), ref: 001A29D1

Part of subcall function 001A2E54: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000008,00000000,001A1A5A,?,?,0000012C), ref: 001A2EAA
Part of subcall function 001A2E54: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000), ref: 001A2EBD
Part of subcall function 001A2E54: ReadFile.KERNEL32(00000000,?,00000004,?,00000000,?,?,?,?,?,?,00000000), ref: 001A2ED4
Part of subcall function 001A2E54: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 001A2EEA
Part of subcall function 001A2E54: LocalFree.KERNEL32(?,00000008,00000000,001A1A5A,?,?,0000012C,?,?,?,?,?,?,00000000), ref: 001A2EF4

Strings

LoadLibraryA, xrefs: 001A29C7
KERNEL32.DLL, xrefs: 001A29CC

Memory Dump Source

Source File: 00000000.00000002.1392785835.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000000.00000002.1392766312.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392802939.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392869504.0000000000227000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1392884959.0000000000228000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_5U5ouw7ryf.jbxd

Yara matches

Similarity

API ID: File$Handle$CloseCreateFreeLocalModulePointerRead
String ID: KERNEL32.DLL$LoadLibraryA
API String ID: 1464854441-1423781741
Opcode ID: ab341c7bdd54cdb9c21248557484c5b7edd834fcf171c74c190a4674debbdbee
Instruction ID: 8859dddf33f2d3cc452f3c83d2e7dab2d8a66fad7e0424c7d9ff9b64ac60ace3
Opcode Fuzzy Hash: ab341c7bdd54cdb9c21248557484c5b7edd834fcf171c74c190a4674debbdbee
Instruction Fuzzy Hash: B6D012FD7CD701AB9B245BF8BD0AA5732997763F157000956F400D50B1EB30C8818611

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 7292, Parent PID: 7260COMMON

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.1%
Total number of Nodes:	214
Total number of Limit Nodes:	17

Executed Functions

Function 000D970C Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 223
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserObjectInformationA.USER32 ref: 000D9752
CreateEventA.KERNEL32 ref: 000D9851
CreateEventA.KERNEL32 ref: 000D9874
CreateMutexExA.KERNEL32 ref: 000D9893
GetLastError.KERNEL32 ref: 000D98B2
CreateFileMappingA.KERNEL32 ref: 000D98E3
MapViewOfFile.KERNEL32 ref: 000D990A
lstrcpyA.KERNEL32 ref: 000D9947
CreateFileMappingA.KERNEL32 ref: 000D996F
MapViewOfFile.KERNEL32 ref: 000D9990
GetLastError.KERNEL32 ref: 000D99A3
HeapFree.KERNEL32 ref: 000D99C8
HeapFree.KERNEL32 ref: 000D99DF
HeapFree.KERNEL32 ref: 000D99F6
HeapFree.KERNEL32 ref: 000D9A0D
HeapFree.KERNEL32 ref: 000D9A24

Part of subcall function 000D8CE4: lstrlenA.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D35
Part of subcall function 000D8CE4: lstrlenA.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D45
Part of subcall function 000D8CE4: HeapAlloc.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D59
Part of subcall function 000D8CE4: lstrcpyA.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D75
Part of subcall function 000D8CE4: lstrcatA.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D81
Part of subcall function 000D8CE4: lstrcatA.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D92
Part of subcall function 000D8CE4: HeapFree.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8DA4

OpenFileMappingA.KERNEL32 ref: 000D9A4E
MapViewOfFile.KERNEL32 ref: 000D9A72

Strings

Local\, xrefs: 000D9768, 000D978F, 000D97B2, 000D97D5, 000D97FD, 000D9821

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$FileFree$Create$MappingView$ErrorEventLastlstrcatlstrcpylstrlen$AllocInformationMutexObjectOpenUser
String ID: Local\
API String ID: 1659859712-422136742
Opcode ID: 21d25384ef8ac94fc53ebe13d4df63cde49abb530ce435d0267b99e9f985d58c
Instruction ID: bdb86c328a809c83a0825edd3b65f98f6d1e0e8525c2b8c0e3ccc2d9135e41ca
Opcode Fuzzy Hash: 21d25384ef8ac94fc53ebe13d4df63cde49abb530ce435d0267b99e9f985d58c
Instruction Fuzzy Hash: F191B276311B5282EF71DF29E860BAA73A0FB88BA8F44512ADE4D07B54EF39C545C710

Uniqueness

Uniqueness Score: -1.00%

Function 000CBE18 Relevance: 12.1, APIs: 8, Instructions: 94
networkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000CBCE8: lstrlenA.KERNEL32(?,?,?,000CBE4C), ref: 000CBD04
Part of subcall function 000CBCE8: HeapAlloc.KERNEL32(?,?,?,000CBE4C), ref: 000CBD21

socket.WS2_32 ref: 000CBE67
connect.WS2_32 ref: 000CBE86
setsockopt.WS2_32 ref: 000CBEB3

Part of subcall function 000CD5FC: setsockopt.WS2_32 ref: 000CD620
Part of subcall function 000CD5FC: setsockopt.WS2_32 ref: 000CD641

send.WS2_32 ref: 000CBED6
recv.WS2_32 ref: 000CBEEF
shutdown.WS2_32 ref: 000CBF43
closesocket.WS2_32 ref: 000CBF4C
HeapFree.KERNEL32 ref: 000CBF62

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: setsockopt$Heap$AllocFreeclosesocketconnectlstrlenrecvsendshutdownsocket
String ID:
API String ID: 663077859-0
Opcode ID: 04bf4809d294e2649107319d59ad620b4acea41649cc230794add19c082763da
Instruction ID: a09b051f15ac90ccc4b4a55f8e4513c5d73162e6e47741aaf0d04691b9770909
Opcode Fuzzy Hash: 04bf4809d294e2649107319d59ad620b4acea41649cc230794add19c082763da
Instruction Fuzzy Hash: C7419E3221174186DB608F22E951B6D73A0F784FA0F188639EE6A47BE5DF3CC446CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0010C001 Relevance: 1.8, APIs: 1, Instructions: 268
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 0010C0F5

Memory Dump Source

Source File: 00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp, Offset: 0010C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10c000_svchost.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 6ef9c6aa133bebd9088b4dc3d2e1cd98dec8cc75a7ad4a83078c79741ce85b6e
Instruction ID: 1e6916b68ad416f4ba54ca499aa05fcc4fc3f809c946193fbae5ffba5b6e9947
Opcode Fuzzy Hash: 6ef9c6aa133bebd9088b4dc3d2e1cd98dec8cc75a7ad4a83078c79741ce85b6e
Instruction Fuzzy Hash: 9881B13521C7898FD729DB68C8927A677E0FB56310F15069ED8CAC7193E774D4068B82

Uniqueness

Uniqueness Score: -1.00%

Function 000C1FC0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 97
networkthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000C1FF3

Part of subcall function 000CA37C: EnterCriticalSection.KERNEL32(?,?,?,000C2000), ref: 000CA398
Part of subcall function 000CA37C: LeaveCriticalSection.KERNEL32(?,?,?,000C2000), ref: 000CA3D7
Part of subcall function 000CA37C: UnhookWindowsHookEx.USER32 ref: 000CA3EB
Part of subcall function 000CA37C: HeapFree.KERNEL32(?,?,?,000C2000), ref: 000CA3FD

GetCurrentThreadId.KERNEL32 ref: 000C2011
WSAStartup.WS2_32 ref: 000C2074
WSAStringToAddressW.WS2_32 ref: 000C20A8
wsprintfA.USER32 ref: 000C20CC
WSACleanup.WS2_32 ref: 000C20FC
SetEvent.KERNEL32 ref: 000C2142
HeapDestroy.KERNEL32 ref: 000C216F

Strings

VNC-CLIENT-%08X%08X, xrefs: 000C20BA
141.11.93.195:1081, xrefs: 000C2087

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CriticalCurrentHeapSectionThread$AddressCleanupDestroyEnterEventFreeHookLeaveStartupStringUnhookWindowswsprintf
String ID: 141.11.93.195:1081$VNC-CLIENT-%08X%08X
API String ID: 940211779-2723378651
Opcode ID: 3660066903aeecefd8dc23159cbfa56874e658650e07dc5e5d33368a906ff618
Instruction ID: ed87cb873dd9cb81a0fa571cf97d182c19925246f10ea2045e00bd9413574191
Opcode Fuzzy Hash: 3660066903aeecefd8dc23159cbfa56874e658650e07dc5e5d33368a906ff618
Instruction Fuzzy Hash: AE416D70606642E7FB60AF55E984BEC2360FB95744F54412EAF8542E26DFBD88C5CB01

Uniqueness

Uniqueness Score: -1.00%

Function 000D9AC0 Relevance: 10.5, APIs: 7, Instructions: 41
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

UnmapViewOfFile.KERNEL32(?,?,?,000D99B7), ref: 000D9AD2
CloseHandle.KERNEL32(?,?,?,000D99B7), ref: 000D9AE6
UnmapViewOfFile.KERNEL32(?,?,?,000D99B7), ref: 000D9AFA
CloseHandle.KERNEL32(?,?,?,000D99B7), ref: 000D9B0E
FindCloseChangeNotification.KERNELBASE(?,?,?,000D99B7), ref: 000D9B22
CloseHandle.KERNEL32(?,?,?,000D99B7), ref: 000D9B35
CloseHandle.KERNEL32(?,?,?,000D99B7), ref: 000D9B48

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Close$Handle$FileUnmapView$ChangeFindNotification
String ID:
API String ID: 326854797-0
Opcode ID: 070a84d5f6c6fa3f44eada61489d902863cfe1706fb80bb1bab69096754cd96d
Instruction ID: ec69d5c3cb38941346398e8b889d04b41d07f93893099187027cd27ccb29ace8
Opcode Fuzzy Hash: 070a84d5f6c6fa3f44eada61489d902863cfe1706fb80bb1bab69096754cd96d
Instruction Fuzzy Hash: ED110036212B04C6FF69CFA1E4A53382370FF88F49F094616CA1A4EA14CF79C454D3A5

Uniqueness

Uniqueness Score: -1.00%

Function 000C1EA8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(?,?,?,000C204A), ref: 000C1EC7
GetLastError.KERNEL32(?,?,?,000C204A), ref: 000C1FA4

Part of subcall function 000C2520: GetModuleHandleA.KERNEL32(?,?,?,000C1EEA,?,?,?,000C204A), ref: 000C2537
Part of subcall function 000C2520: GetVersion.KERNEL32(?,?,?,000C1EEA,?,?,?,000C204A), ref: 000C254A
Part of subcall function 000C2520: GetCurrentProcessId.KERNEL32(?,?,?,000C1EEA,?,?,?,000C204A), ref: 000C255C
Part of subcall function 000C2520: StrRChrA.SHLWAPI(?,?,?,000C1EEA,?,?,?,000C204A), ref: 000C25B6
Part of subcall function 000C2520: CreateEventA.KERNEL32(?,?,?,000C1EEA,?,?,?,000C204A), ref: 000C25E6
Part of subcall function 000C2520: GetLastError.KERNEL32(?,?,?,000C1EEA,?,?,?,000C204A), ref: 000C25F8

Part of subcall function 000C29CC: InitializeCriticalSection.KERNEL32(?,?,?,000C1EF9,?,?,?,000C204A), ref: 000C29FC
Part of subcall function 000C29CC: InitializeCriticalSection.KERNEL32(?,?,?,000C1EF9,?,?,?,000C204A), ref: 000C2A1E
Part of subcall function 000C29CC: GetModuleHandleA.KERNEL32(?,?,?,000C1EF9,?,?,?,000C204A), ref: 000C2A49

Part of subcall function 000C8524: GetCurrentProcess.KERNEL32(?,?,?,000C1F98,?,?,?,000C204A), ref: 000C864C

Part of subcall function 000CA41C: InitializeCriticalSection.KERNEL32(?,?,?,?,000C1F9F,?,?,?,000C204A), ref: 000CA43C

Strings

D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 000C1F1A
S:(ML;;NW;;;LW), xrefs: 000C1F11

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection$CreateCurrentErrorHandleLastModuleProcess$EventHeapVersion
String ID: D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$S:(ML;;NW;;;LW)
API String ID: 3923076295-981555273
Opcode ID: fb1ab895eab6315e33cd7abebf85b04d130976e73dcb05f5892b1deb4420afbb
Instruction ID: 7b03d3fb7b67d2a481cbc52dde1702ca955d31176964b42a38e0943b2fb29c18
Opcode Fuzzy Hash: fb1ab895eab6315e33cd7abebf85b04d130976e73dcb05f5892b1deb4420afbb
Instruction Fuzzy Hash: 64219570704B4182FB60A765B990BEE33D5AB49790F40823DDA5843B67EFB8C552C301

Uniqueness

Uniqueness Score: -1.00%

Function 000CD574 Relevance: 6.0, APIs: 4, Instructions: 40
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000E0904: InitializeCriticalSection.KERNEL32(?,?,00000000,000CD586,?,?,?,?,00000008,000C8C91), ref: 000E0911
Part of subcall function 000E0904: GetModuleHandleA.KERNEL32(?,?,00000000,000CD586,?,?,?,?,00000008,000C8C91), ref: 000E091E
Part of subcall function 000E0904: GetProcAddress.KERNEL32(?,?,00000000,000CD586,?,?,?,?,00000008,000C8C91), ref: 000E092E

InitializeCriticalSection.KERNEL32(?,?,?,?,00000008,000C8C91), ref: 000CD597
CreateEventA.KERNEL32(?,?,?,?,00000008,000C8C91), ref: 000CD5A8
CreateThread.KERNELBASE ref: 000CD5CF
GetLastError.KERNEL32(?,?,?,?,00000008,000C8C91), ref: 000CD5E6

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CreateCriticalInitializeSection$AddressErrorEventHandleLastModuleProcThread
String ID:
API String ID: 4241923591-0
Opcode ID: b4ddf1bb86566fb7ec652733bac249cb9c37ea60ae74b8313ff1299f0db2b80b
Instruction ID: 4a2740ddc4825329fdde5de3175bad72e5118dad9836a0c2e9a3a7bfd5d9d3b1
Opcode Fuzzy Hash: b4ddf1bb86566fb7ec652733bac249cb9c37ea60ae74b8313ff1299f0db2b80b
Instruction Fuzzy Hash: 0D019A32300F8293EB209B26E690BAD73A0FB48398F44453ADB5943E55EF38D5A4C700

Uniqueness

Uniqueness Score: -1.00%

Function 000C4598 Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(?,?,0000001B,000C259E,?,?,?,000C1EEA,?,?,?,000C204A), ref: 000C45D5
GetLastError.KERNEL32(?,?,0000001B,000C259E,?,?,?,000C1EEA,?,?,?,000C204A), ref: 000C4610

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorFileLastModuleName
String ID:
API String ID: 2776309574-0
Opcode ID: 7411bb18e2a05c3906206ffd173c1f74781775c5e83933268303e118900c1352
Instruction ID: 566ddb16ea2906c5686d48cd4b699ca762370f1d9f7be3686336d5c168400224
Opcode Fuzzy Hash: 7411bb18e2a05c3906206ffd173c1f74781775c5e83933268303e118900c1352
Instruction Fuzzy Hash: 1501B531705B5142DB259B567A60BAEA5D1BB8ABD0F08043CEE8947B4AEEB9CC418781

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000DC288 Relevance: 57.9, APIs: 19, Strings: 14, Instructions: 108
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePopupMenu.USER32(?,?,?,?,?,?,?,000DC101), ref: 000DC2A4
AppendMenuA.USER32 ref: 000DC2C6
AppendMenuA.USER32 ref: 000DC2DC
AppendMenuA.USER32 ref: 000DC2F2
AppendMenuA.USER32 ref: 000DC308
AppendMenuA.USER32 ref: 000DC31E
AppendMenuA.USER32 ref: 000DC334
AppendMenuA.USER32 ref: 000DC34A
AppendMenuA.USER32 ref: 000DC360
AppendMenuA.USER32 ref: 000DC374
AppendMenuA.USER32 ref: 000DC38A
AppendMenuA.USER32 ref: 000DC3A0
AppendMenuA.USER32 ref: 000DC3B6
AppendMenuA.USER32 ref: 000DC3CA
AppendMenuA.USER32 ref: 000DC3E0
AppendMenuA.USER32 ref: 000DC3F6
AppendMenuA.USER32 ref: 000DC40C
TrackPopupMenu.USER32 ref: 000DC430
DestroyMenu.USER32 ref: 000DC439

Strings

Programs and Features, xrefs: 000DC2B8
Event Viewer, xrefs: 000DC2E4
Disk Management, xrefs: 000DC326
System, xrefs: 000DC2FA
Control Panel, xrefs: 000DC392
Power Options, xrefs: 000DC2CE
Computer Management, xrefs: 000DC33C
Shutdown, xrefs: 000DC3D2
Restart, xrefs: 000DC3E8
Task Manager, xrefs: 000DC37C
Command Prompt, xrefs: 000DC352
File Explorer, xrefs: 000DC3A8
Device Manager, xrefs: 000DC310
Logoff, xrefs: 000DC3FE

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Menu$Append$Popup$CreateDestroyTrack
String ID: Command Prompt$Computer Management$Control Panel$Device Manager$Disk Management$Event Viewer$File Explorer$Logoff$Power Options$Programs and Features$Restart$Shutdown$System$Task Manager
API String ID: 761734086-3197270845
Opcode ID: 577142901c8228ecb1b6939dc1f63f8472d33b6c0d1fde7ec6c3574532bfaa40
Instruction ID: adf6e4cb66a54d069df007e5dc33508aa25e31046ba4d735c12eca6f1ff4beb2
Opcode Fuzzy Hash: 577142901c8228ecb1b6939dc1f63f8472d33b6c0d1fde7ec6c3574532bfaa40
Instruction Fuzzy Hash: F051F175610617D2E768DF27B914BEA33A1F78AB91FC95132990607E24CE38C59EEB00

Uniqueness

Uniqueness Score: -1.00%

Function 000D751C Relevance: 54.4, APIs: 27, Strings: 4, Instructions: 189
memorystringsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000DB37C: GetTempPathW.KERNEL32(?,?,00000000,00000000,00000000,000D7557), ref: 000DB3A7
Part of subcall function 000DB37C: GetLastError.KERNEL32(?,?,00000000,00000000,00000000,000D7557), ref: 000DB3B3
Part of subcall function 000DB37C: HeapFree.KERNEL32(?,?,00000000,00000000,00000000,000D7557), ref: 000DB4DD

GetLastError.KERNEL32 ref: 000D755F
lstrcpyA.KERNEL32 ref: 000D7578
lstrcatA.KERNEL32 ref: 000D758A
lstrcatA.KERNEL32 ref: 000D75A0
CreateEventA.KERNEL32 ref: 000D75B4
GetLastError.KERNEL32 ref: 000D75C6
WaitForSingleObject.KERNEL32 ref: 000D75DB
CloseHandle.KERNEL32 ref: 000D75E8
GetLastError.KERNEL32 ref: 000D7628
SetEvent.KERNEL32 ref: 000D7762
CloseHandle.KERNEL32 ref: 000D776B
HeapFree.KERNEL32 ref: 000D7782
HeapFree.KERNEL32 ref: 000D779B
HeapFree.KERNEL32 ref: 000D77B2
HeapFree.KERNEL32 ref: 000D77CD

Strings

--no-remote -profile , xrefs: 000D7743
firefox.exe, xrefs: 000D76F2
Mozilla\Firefox, xrefs: 000D760A
APPDATA, xrefs: 000D7611

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$ErrorLast$CloseEventHandlelstrcat$CreateObjectPathSingleTempWaitlstrcpy
String ID: --no-remote -profile $APPDATA$Mozilla\Firefox$firefox.exe
API String ID: 3891805355-3662271188
Opcode ID: d8420de097288b5365856b635eca4c2a52d817c6106c91ff31ca98a50d722f42
Instruction ID: c1cb72a0c9c82d048b870d5ae05a844597c2f318ba0b7e8267dcd5967bda53f8
Opcode Fuzzy Hash: d8420de097288b5365856b635eca4c2a52d817c6106c91ff31ca98a50d722f42
Instruction Fuzzy Hash: A5718B74609B42C2EB64DB67A8543B923A1BB88FC1F458832DE0E57B25EF7CC546A310

Uniqueness

Uniqueness Score: -1.00%

Function 000C8804 Relevance: 52.7, APIs: 19, Strings: 11, Instructions: 202
threadmemorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000C8825
GetThreadDesktop.USER32(?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000C882D

Part of subcall function 000CBB98: GetVersionExA.KERNEL32 ref: 000CBBAC

GetModuleHandleA.KERNEL32(?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000C8842
GetProcAddress.KERNEL32(?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000C8852
SetErrorMode.KERNEL32(?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000C8893
HeapAlloc.KERNEL32(?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000C88AD
CreateMutexA.KERNEL32(?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000C88D6
CreateThread.KERNEL32 ref: 000C8951
CloseHandle.KERNEL32(?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000C895A
Sleep.KERNEL32(?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000C8980
GetCurrentProcessId.KERNEL32(?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000C8997
FindWindowExA.USER32 ref: 000C89D2

Part of subcall function 000D9AC0: UnmapViewOfFile.KERNEL32(?,?,?,000D99B7), ref: 000D9AD2
Part of subcall function 000D9AC0: CloseHandle.KERNEL32(?,?,?,000D99B7), ref: 000D9AE6
Part of subcall function 000D9AC0: UnmapViewOfFile.KERNEL32(?,?,?,000D99B7), ref: 000D9AFA
Part of subcall function 000D9AC0: CloseHandle.KERNEL32(?,?,?,000D99B7), ref: 000D9B0E
Part of subcall function 000D9AC0: FindCloseChangeNotification.KERNELBASE(?,?,?,000D99B7), ref: 000D9B22
Part of subcall function 000D9AC0: CloseHandle.KERNEL32(?,?,?,000D99B7), ref: 000D9B35
Part of subcall function 000D9AC0: CloseHandle.KERNEL32(?,?,?,000D99B7), ref: 000D9B48

Strings

NotifyIconOverflowWindow, xrefs: 000C8A9B
Progman, xrefs: 000C89C7
UxTheme.dll, xrefs: 000C8AB3
user32, xrefs: 000C883B
SHELLDLL_DefView, xrefs: 000C89D8
Program Manager, xrefs: 000C89C0
FolderView, xrefs: 000C89EA
MessageBoxTimeoutA, xrefs: 000C8848
SetThemeAppProperties, xrefs: 000C8AD6
SysListView32, xrefs: 000C89F1
Shell_TrayWnd, xrefs: 000C8A8A

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CloseHandle$Thread$CreateCurrentFileFindUnmapView$AddressAllocChangeDesktopErrorHeapModeModuleMutexNotificationProcProcessSleepVersionWindow
String ID: FolderView$MessageBoxTimeoutA$NotifyIconOverflowWindow$Progman$Program Manager$SHELLDLL_DefView$SetThemeAppProperties$Shell_TrayWnd$SysListView32$UxTheme.dll$user32
API String ID: 3205392655-3649642972
Opcode ID: f2c2177fc2e4326dc725829430d1218b118290ea612a626c6d79193e993adaa6
Instruction ID: 8ff842eb5b9b92a0b70490b7c53845fa28f8dd8ccc1675fb1aa44239540eb9c3
Opcode Fuzzy Hash: f2c2177fc2e4326dc725829430d1218b118290ea612a626c6d79193e993adaa6
Instruction Fuzzy Hash: 1491BC71601B4282FB24DF66A8507EC33A1FB89B94F48863ADE4E57B65DF38C595C304

Uniqueness

Uniqueness Score: -1.00%

Function 000C8FA0 Relevance: 51.1, APIs: 27, Strings: 2, Instructions: 304
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ActivateKeyboardLayout.USER32 ref: 000C9026
SetKeyboardState.USER32 ref: 000C9077
GetAncestor.USER32 ref: 000C90A8
PostMessageA.USER32 ref: 000C9118
GetMenu.USER32 ref: 000C9123
GetMenuItemCount.USER32 ref: 000C913F
GetMenuState.USER32 ref: 000C915E
HiliteMenuItem.USER32 ref: 000C9178
MenuItemFromPoint.USER32 ref: 000C919E
GetMenuState.USER32 ref: 000C91BB
EndMenu.USER32 ref: 000C91CD
HiliteMenuItem.USER32 ref: 000C91E2
GetSubMenu.USER32 ref: 000C9208
GetMenuItemRect.USER32 ref: 000C9228
TrackPopupMenuEx.USER32 ref: 000C9252
RedrawWindow.USER32 ref: 000C92AF

Strings

taskmgr, xrefs: 000C90C2
open, xrefs: 000C90C9

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Menu$Item$State$HiliteKeyboard$ActivateAncestorCountFromLayoutMessagePointPopupPostRectRedrawTrackWindow
String ID: open$taskmgr
API String ID: 3076619497-1543563666
Opcode ID: 892805890b2d72e2ba5ef02902aaa54c4fa7b878d81f089163631cb19c8770e5
Instruction ID: ed90b207e3c02831a542674ca78297e24d7ff5ec951d126a7df004298c8861c9
Opcode Fuzzy Hash: 892805890b2d72e2ba5ef02902aaa54c4fa7b878d81f089163631cb19c8770e5
Instruction Fuzzy Hash: B4C1AF7620478186EBB88F26E888BEE77A1F785B84F144129DE4A47F68DF7DC546C700

Uniqueness

Uniqueness Score: -1.00%

Function 000CC114 Relevance: 51.0, APIs: 28, Strings: 1, Instructions: 272
memorythreadnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000CBE18: socket.WS2_32 ref: 000CBE67
Part of subcall function 000CBE18: connect.WS2_32 ref: 000CBE86
Part of subcall function 000CBE18: setsockopt.WS2_32 ref: 000CBEB3
Part of subcall function 000CBE18: send.WS2_32 ref: 000CBED6
Part of subcall function 000CBE18: recv.WS2_32 ref: 000CBEEF
Part of subcall function 000CBE18: HeapFree.KERNEL32 ref: 000CBF62

htons.WS2_32 ref: 000CC18A

Part of subcall function 000CD5FC: setsockopt.WS2_32 ref: 000CD620
Part of subcall function 000CD5FC: setsockopt.WS2_32 ref: 000CD641

recv.WS2_32 ref: 000CC1B6
HeapAlloc.KERNEL32 ref: 000CC20C
InitializeCriticalSection.KERNEL32 ref: 000CC244
GetCurrentThreadId.KERNEL32 ref: 000CC277
OpenThread.KERNEL32 ref: 000CC287
EnterCriticalSection.KERNEL32 ref: 000CC2A4
LeaveCriticalSection.KERNEL32 ref: 000CC2BF
lstrcmpiA.KERNEL32 ref: 000CC319
Sleep.KERNEL32 ref: 000CC38B
ioctlsocket.WS2_32 ref: 000CC39E
WaitForSingleObject.KERNEL32 ref: 000CC3B8
GetLastError.KERNEL32 ref: 000CC3F2
CreateThread.KERNEL32 ref: 000CC41D
CloseHandle.KERNEL32 ref: 000CC42F
GetLastError.KERNEL32 ref: 000CC43A
EnterCriticalSection.KERNEL32 ref: 000CC44D
LeaveCriticalSection.KERNEL32 ref: 000CC464
GetLastError.KERNEL32 ref: 000CC470
DeleteCriticalSection.KERNEL32 ref: 000CC483
HeapFree.KERNEL32 ref: 000CC495
closesocket.WS2_32 ref: 000CC4A1
closesocket.WS2_32 ref: 000CC4B2

Part of subcall function 000CCAAC: recv.WS2_32 ref: 000CCADD
Part of subcall function 000CCAAC: GetLastError.KERNEL32 ref: 000CCB09

send.WS2_32 ref: 000CC4E7
shutdown.WS2_32 ref: 000CC4FF
closesocket.WS2_32 ref: 000CC509

Part of subcall function 000CBD78: socket.WS2_32 ref: 000CBD91
Part of subcall function 000CBD78: connect.WS2_32 ref: 000CBDAC
Part of subcall function 000CBD78: setsockopt.WS2_32 ref: 000CBDD5

WaitForSingleObject.KERNEL32 ref: 000CC521
GetLastError.KERNEL32 ref: 000CC532

Strings

RFB 003.008, xrefs: 000CC2D2, 000CC30B

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CriticalSection$ErrorLast$setsockopt$HeapThreadclosesocketrecv$EnterFreeLeaveObjectSingleWaitconnectsendsocket$AllocCloseCreateCurrentDeleteHandleInitializeOpenSleephtonsioctlsocketlstrcmpishutdown
String ID: RFB 003.008
API String ID: 3854803202-2137906931
Opcode ID: 12ab7f7097a071bf60211596663a4aabd26d0beb669394e1021f3d6a9085876a
Instruction ID: 5c61bcf15155aa518cc2c9827c94a438cd429397dd5a97188ab456073a525def
Opcode Fuzzy Hash: 12ab7f7097a071bf60211596663a4aabd26d0beb669394e1021f3d6a9085876a
Instruction Fuzzy Hash: 12B19D32700B42C6EB24DBA6E990BAD33A1F789B99F504529DE5E43F94DF38C595C300

Uniqueness

Uniqueness Score: -1.00%

Function 000DED60 Relevance: 51.0, APIs: 11, Strings: 18, Instructions: 208
threadsleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,?,?,000E06F1,?,?,?,000CD017), ref: 000DED83
GetCurrentThreadId.KERNEL32 ref: 000DED89
GetThreadDesktop.USER32(?,?,?,000E06F1,?,?,?,000CD017), ref: 000DED94
SetThreadDesktop.USER32(?,?,?,000E06F1,?,?,?,000CD017), ref: 000DEDA1
GetLastError.KERNEL32(?,?,?,000E06F1,?,?,?,000CD017), ref: 000DEDAB
RegisterWindowMessageA.USER32(?,?,?,000E06F1,?,?,?,000CD017), ref: 000DEDBF
Sleep.KERNEL32 ref: 000DEE49

Strings

NotifyIconOverflowWindow, xrefs: 000DEF62
MSTaskListWClass, xrefs: 000DEEEE
Progman, xrefs: 000DF037
MSTaskSwWClass, xrefs: 000DEEBB
ReBarWindow32, xrefs: 000DEEAC
DV2ControlHost, xrefs: 000DF022
Start, xrefs: 000DF004, 000DF00B
SHELLDLL_DefView, xrefs: 000DF049
TrayNotifyWnd, xrefs: 000DEF05
ToolbarWindow32, xrefs: 000DEED1
Program Manager, xrefs: 000DF030
FolderView, xrefs: 000DF05F
Button, xrefs: 000DEFD7
Start menu, xrefs: 000DF01B
VisualEffects, xrefs: 000DF07F
SysListView32, xrefs: 000DF066
Shell_TrayWnd, xrefs: 000DEE7C
SysPager, xrefs: 000DEF37

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Thread$Desktop$CurrentErrorLastMessageRegisterSleepVersionWindow
String ID: Button$DV2ControlHost$FolderView$MSTaskListWClass$MSTaskSwWClass$NotifyIconOverflowWindow$Progman$Program Manager$ReBarWindow32$SHELLDLL_DefView$Shell_TrayWnd$Start$Start menu$SysListView32$SysPager$ToolbarWindow32$TrayNotifyWnd$VisualEffects
API String ID: 3572586140-3030675435
Opcode ID: f3d3582946367502292e6b64fe84bb15a48965cccbeab71878e562c33ecde83d
Instruction ID: c5c4efe21c113869ba0f17347345ea67a13778d751b9e1cb90c2993f05d1b179
Opcode Fuzzy Hash: f3d3582946367502292e6b64fe84bb15a48965cccbeab71878e562c33ecde83d
Instruction Fuzzy Hash: C7918C32211B9282EB60EF35E8557AD33E4F789B84F945136DA0E8BB16EF34C446C760

Uniqueness

Uniqueness Score: -1.00%

Function 000E1294 Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 236memorynativestringCOMMON

Download Yara Rule

APIs

GetProcessId.KERNEL32 ref: 000E12B4
lstrlenW.KERNEL32 ref: 000E12DF
HeapAlloc.KERNEL32 ref: 000E12F7
NtQuerySystemInformation.NTDLL ref: 000E1353
GetCurrentProcess.KERNEL32 ref: 000E137D
DuplicateHandle.KERNEL32 ref: 000E13A9
NtQueryObject.NTDLL ref: 000E13CE
CloseHandle.KERNEL32 ref: 000E15A1
HeapFree.KERNEL32 ref: 000E15C4
HeapFree.KERNEL32 ref: 000E15DB
HeapFree.KERNEL32 ref: 000E15ED

Strings

File, xrefs: 000E14B2

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Free$HandleProcessQuery$AllocCloseCurrentDuplicateInformationObjectSystemlstrlen
String ID: File
API String ID: 2333355087-749574446
Opcode ID: 51aa88b8a0d665945bffe2a7a05fbc4140f29d0bf2cfc4e3280d44e971433e3a
Instruction ID: 72fc212673e980006dbb92da3ee2243c533d2896646ac4c9667b510c14e6a9b4
Opcode Fuzzy Hash: 51aa88b8a0d665945bffe2a7a05fbc4140f29d0bf2cfc4e3280d44e971433e3a
Instruction Fuzzy Hash: CFA15A76701A86DAEB10CF72E9847ED37A1B788B89F044425DE0AA7B18EF39C146D700

Uniqueness

Uniqueness Score: -1.00%

Function 000E187C Relevance: 40.7, APIs: 22, Strings: 1, Instructions: 427windowtimethreadCOMMON

Download Yara Rule

APIs

GetAncestor.USER32 ref: 000E18AE

Part of subcall function 000DC8A0: GetWindowLongPtrA.USER32 ref: 000DC8D4
Part of subcall function 000DC8A0: GetLastActivePopup.USER32 ref: 000DC8E8
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC905
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC913
Part of subcall function 000DC8A0: GetWindowInfo.USER32 ref: 000DC92C
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC93A
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC987
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC99B

Part of subcall function 000DCDE0: GetParent.USER32 ref: 000DCDF4
Part of subcall function 000DCDE0: GetClassNameA.USER32 ref: 000DCE08
Part of subcall function 000DCDE0: lstrcmpiA.KERNEL32 ref: 000DCE1A
Part of subcall function 000DCDE0: GetParent.USER32 ref: 000DCE27

SendMessageTimeoutA.USER32 ref: 000E1965
PostMessageA.USER32 ref: 000E19F6
GetAncestor.USER32 ref: 000E1A56
GetWindow.USER32 ref: 000E1A67
GetWindowInfo.USER32 ref: 000E1A80

Part of subcall function 000DCE48: GetWindowLongPtrA.USER32 ref: 000DCE60
Part of subcall function 000DCE48: GetWindowLongPtrA.USER32 ref: 000DCE72

SendMessageTimeoutA.USER32 ref: 000E1AD6
GetClassNameA.USER32 ref: 000E1B17
PostMessageA.USER32 ref: 000E1B38
PostMessageA.USER32 ref: 000E1B7B
GetWindowThreadProcessId.USER32 ref: 000E1BF6

Part of subcall function 000D9B68: PostMessageA.USER32 ref: 000D9C07

GetSystemMenu.USER32 ref: 000E1C60
GetMenuDefaultItem.USER32 ref: 000E1C7B
GetMenuItemInfoA.USER32 ref: 000E1CA4
GetAncestor.USER32 ref: 000E1D18
PostMessageA.USER32 ref: 000E1D2F
GetAncestor.USER32 ref: 000E1D8F
GetWindowThreadProcessId.USER32 ref: 000E1D9D
GetAncestor.USER32 ref: 000E1DE0
GetAncestor.USER32 ref: 000E1E61
GetAncestor.USER32 ref: 000E1E91

Part of subcall function 000D9C4C: GetTickCount.KERNEL32 ref: 000D9CDC
Part of subcall function 000D9C4C: GetClassLongPtrA.USER32 ref: 000D9D2C

GetAncestor.USER32 ref: 000E1EE0

Strings

d, xrefs: 000E1AC6

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Ancestor$Message$Post$Long$ClassInfoMenu$ItemNameParentProcessSendThreadTimeout$ActiveCountDefaultLastPopupSystemTicklstrcmpi
String ID: d
API String ID: 1640956133-2564639436
Opcode ID: 6509d130af45ff45ecc04345e230fea28ab74033cf3d61ad3cf902a1c8a7d15d
Instruction ID: 2c12f753f162a5e15a45a26dad1ac38c777f8ce719c73b77a7c46326e1f1b9ce
Opcode Fuzzy Hash: 6509d130af45ff45ecc04345e230fea28ab74033cf3d61ad3cf902a1c8a7d15d
Instruction Fuzzy Hash: 1EE1D0313047C08AEB748F27D9947FE63A2E789BD4F644136DE4AA7B99CB39C8419311

Uniqueness

Uniqueness Score: -1.00%

Function 000D77FC Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 178memorystringfileCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 000D7844
lstrlenW.KERNEL32 ref: 000D784D
HeapAlloc.KERNEL32 ref: 000D7864
SetLastError.KERNEL32 ref: 000D7875
lstrcpyW.KERNEL32 ref: 000D7886
lstrcatW.KERNEL32 ref: 000D7896
CreateFileW.KERNEL32 ref: 000D78C0
HeapAlloc.KERNEL32 ref: 000D78EC
lstrcpyW.KERNEL32 ref: 000D7904
HeapFree.KERNEL32 ref: 000D7AAC

Strings

IsRelative=1, xrefs: 000D7A43
Profiles\Default, xrefs: 000D78FA
Path=, xrefs: 000D7984
[Profile, xrefs: 000D7946
Default=1, xrefs: 000D7A1D
\profiles.ini, xrefs: 000D788C

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocErrorLastlstrcpy$CreateFileFreelstrcatlstrlen
String ID: Default=1$IsRelative=1$Path=$Profiles\Default$[Profile$\profiles.ini
API String ID: 732051534-3061325931
Opcode ID: 7fc2b4e0f29facd0c85f9e2ce4eec37000d16cef82b9e90dca1ad9b320e44357
Instruction ID: efb9bbfd9760a662e5ba7cbdbcb480470251d6c6279d63693519cd062a8f8249
Opcode Fuzzy Hash: 7fc2b4e0f29facd0c85f9e2ce4eec37000d16cef82b9e90dca1ad9b320e44357
Instruction Fuzzy Hash: F071CE75308B82C6EB64DF26E8547AA73A0FB89BD4F404026DE5E03B64EF78C649D711

Uniqueness

Uniqueness Score: -1.00%

Function 000E0C40 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 120stringfilememoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000E0C79
lstrlenW.KERNEL32 ref: 000E0C84
HeapAlloc.KERNEL32 ref: 000E0CA4
lstrcpyW.KERNEL32 ref: 000E0CBC
lstrcatW.KERNEL32 ref: 000E0CCC
lstrcatW.KERNEL32 ref: 000E0CD8
FindFirstFileW.KERNEL32 ref: 000E0CF8
lstrcmpW.KERNEL32 ref: 000E0D19
lstrcmpW.KERNEL32 ref: 000E0D33
lstrcpyW.KERNEL32 ref: 000E0D4A
lstrcatW.KERNEL32 ref: 000E0D5A
lstrcatW.KERNEL32 ref: 000E0D68
lstrcpyW.KERNEL32 ref: 000E0D85
lstrcatW.KERNEL32 ref: 000E0D95
lstrcatW.KERNEL32 ref: 000E0DA3
DeleteFileW.KERNEL32 ref: 000E0DAC
FindNextFileW.KERNEL32 ref: 000E0DC0
FindClose.KERNEL32 ref: 000E0DD1
lstrcpyW.KERNEL32 ref: 000E0DDD
lstrcatW.KERNEL32 ref: 000E0DED
lstrcatW.KERNEL32 ref: 000E0DFE
RemoveDirectoryW.KERNEL32 ref: 000E0E2B

Strings

APPDATA, xrefs: 000E0C4F

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$FileFind$lstrcmplstrlen$AllocCloseDeleteDirectoryFirstHeapNextRemove
String ID: APPDATA
API String ID: 3033888512-4054820676
Opcode ID: b6cafadcbd749c263cc4421600bf60ead4b00a265f8e2b36336f52cdc146de19
Instruction ID: 5b1aa72d73534e808c78e4cfdbd7463dfe7ef95038af038c3960aa169c547629
Opcode Fuzzy Hash: b6cafadcbd749c263cc4421600bf60ead4b00a265f8e2b36336f52cdc146de19
Instruction Fuzzy Hash: 3A517C71304A43C6EB649B67FC583AA6361BB89BC9F4842319D5A47B68DF7CC189D700

Uniqueness

Uniqueness Score: -1.00%

Function 000D9DA8 Relevance: 38.9, APIs: 20, Strings: 2, Instructions: 422windowtimethreadCOMMON

Download Yara Rule

APIs

GetAncestor.USER32 ref: 000D9DD5

Part of subcall function 000DC8A0: GetWindowLongPtrA.USER32 ref: 000DC8D4
Part of subcall function 000DC8A0: GetLastActivePopup.USER32 ref: 000DC8E8
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC905
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC913
Part of subcall function 000DC8A0: GetWindowInfo.USER32 ref: 000DC92C
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC93A
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC987
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC99B

Part of subcall function 000DCDE0: GetParent.USER32 ref: 000DCDF4
Part of subcall function 000DCDE0: GetClassNameA.USER32 ref: 000DCE08
Part of subcall function 000DCDE0: lstrcmpiA.KERNEL32 ref: 000DCE1A
Part of subcall function 000DCDE0: GetParent.USER32 ref: 000DCE27

SendMessageTimeoutA.USER32 ref: 000D9EAC
PostMessageA.USER32 ref: 000D9F77
GetAncestor.USER32 ref: 000D9FDC
GetWindow.USER32 ref: 000D9FED

Part of subcall function 000DCE48: GetWindowLongPtrA.USER32 ref: 000DCE60
Part of subcall function 000DCE48: GetWindowLongPtrA.USER32 ref: 000DCE72

GetWindowInfo.USER32 ref: 000DA008
SendMessageTimeoutA.USER32 ref: 000DA060
PostMessageA.USER32 ref: 000DA0B6
GetWindowThreadProcessId.USER32 ref: 000DA175
GetSystemMenu.USER32 ref: 000DA1DE
GetMenuDefaultItem.USER32 ref: 000DA1F8
GetMenuItemInfoA.USER32 ref: 000DA224
GetAncestor.USER32 ref: 000DA295
PostMessageA.USER32 ref: 000DA2AC
GetAncestor.USER32 ref: 000DA2DF
GetWindowThreadProcessId.USER32 ref: 000DA2ED
GetAncestor.USER32 ref: 000DA32A
GetAncestor.USER32 ref: 000DA3A7
GetAncestor.USER32 ref: 000DA3D5
GetAncestor.USER32 ref: 000DA423

Strings

d, xrefs: 000DA050
P, xrefs: 000DA218

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Ancestor$Message$InfoLongMenuPost$ItemParentProcessSendThreadTimeout$ActiveClassDefaultLastNamePopupSystemlstrcmpi
String ID: P$d
API String ID: 2910538575-684372805
Opcode ID: bd27c203feacc3321753cc79d1d006d4eee5f811e612e0114a017fa3bea1468e
Instruction ID: 5881cf7747b0c7bda7820ac1ce2ee49f965925ad177fc10b4d6707b793417217
Opcode Fuzzy Hash: bd27c203feacc3321753cc79d1d006d4eee5f811e612e0114a017fa3bea1468e
Instruction Fuzzy Hash: 96E1F63130478082EB749B26D5447BE63A2F78ABD0F144137DD8A87B99DF7EC9819722

Uniqueness

Uniqueness Score: -1.00%

Function 000E0E4C Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 136memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000E0E80
HeapAlloc.KERNEL32 ref: 000E0E9D
lstrcpyW.KERNEL32 ref: 000E0EB9
lstrcatW.KERNEL32 ref: 000E0EC9
lstrlenW.KERNEL32 ref: 000E0ED2
HeapAlloc.KERNEL32 ref: 000E0EEF
HeapFree.KERNEL32 ref: 000E1044

Strings

, xrefs: 000E1008
., xrefs: 000E0F69

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Alloclstrlen$Freelstrcatlstrcpy
String ID: $.
API String ID: 2556313450-3929174939
Opcode ID: 98062f2a8e7ac983c0e8073c3073f34ed94d19ae4ad44381ae9fc0c4de9ab433
Instruction ID: 4f4120fc6abb96f4c448d7580bc1c79edd0f2e8b47dc7172af71a90ff2e2eb87
Opcode Fuzzy Hash: 98062f2a8e7ac983c0e8073c3073f34ed94d19ae4ad44381ae9fc0c4de9ab433
Instruction Fuzzy Hash: F3519E353047C2CAEB60DB67E4843EA73A1FB88B94F448131DA5A57B64DFBCC9899700

Uniqueness

Uniqueness Score: -1.00%

Function 000C94F8 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 176windowsynchronizationtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 000DCED0: IsWindow.USER32 ref: 000DCEEA
Part of subcall function 000DCED0: GetAncestor.USER32(?,?,?,000DD01D), ref: 000DCF13

GetWindowInfo.USER32 ref: 000C9544
GetParent.USER32 ref: 000C954D

Part of subcall function 000DC9D0: GetParent.USER32 ref: 000DCB18

RedrawWindow.USER32 ref: 000C95F6
SendMessageTimeoutA.USER32 ref: 000C9624
PrintWindow.USER32 ref: 000C9637
DefWindowProcA.USER32 ref: 000C9652
WaitForSingleObject.KERNEL32 ref: 000C965E
SetViewportOrgEx.GDI32 ref: 000C9675
BitBlt.GDI32 ref: 000C96D8
ReleaseMutex.KERNEL32 ref: 000C96E1
GetClassLongPtrA.USER32 ref: 000C96F4
DefWindowProcA.USER32 ref: 000C9713
PrintWindow.USER32 ref: 000C9725
ScreenToClient.USER32 ref: 000C973E
BitBlt.GDI32 ref: 000C9784
DefWindowProcA.USER32 ref: 000C979F

Part of subcall function 000C98A0: GetWindowInfo.USER32 ref: 000C98C9
Part of subcall function 000C98A0: SetWindowLongPtrA.USER32 ref: 000C98F4
Part of subcall function 000C98A0: SetLayeredWindowAttributes.USER32 ref: 000C990B

Strings

, xrefs: 000C974E

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Proc$InfoLongParentPrint$AncestorAttributesClassClientLayeredMessageMutexObjectRedrawReleaseScreenSendSingleTimeoutViewportWait
String ID:
API String ID: 3861020745-3916222277
Opcode ID: 784ebb577a03033b7e3187c01b1e7644d39c41734765724c17132f8b12d929a7
Instruction ID: 0da0eefd78f169451b1a6b67f01a6673006bf0ef405ffafcff0b8bb440d9abc0
Opcode Fuzzy Hash: 784ebb577a03033b7e3187c01b1e7644d39c41734765724c17132f8b12d929a7
Instruction Fuzzy Hash: A0717776314A808BEB24DF26E444BAE77A5F788B88F044126EE4A57F58DF38D556CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000CB764 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 233encryptionCOMMON

Download Yara Rule

APIs

CryptQueryObject.CRYPT32 ref: 000CB7EE
GetLastError.KERNEL32 ref: 000CB7F8
CryptMsgGetParam.CRYPT32 ref: 000CB820
CertCloseStore.CRYPT32 ref: 000CBA52
CryptMsgClose.CRYPT32 ref: 000CBA62

Strings

1.3.6.1.4.1.311.2.1.12, xrefs: 000CB8F2, 000CB934, 000CB992

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Crypt$Close$CertErrorLastObjectParamQueryStore
String ID: 1.3.6.1.4.1.311.2.1.12
API String ID: 3517585230-2596186611
Opcode ID: a676c2689be4d0340ea86560207e1b0c7edcad85502089dc9b95761de0768933
Instruction ID: 60a54a1a4af99d2324bb2e75e67605ca26a88370f3b604c25f3e47d74d4b34d5
Opcode Fuzzy Hash: a676c2689be4d0340ea86560207e1b0c7edcad85502089dc9b95761de0768933
Instruction Fuzzy Hash: AD916F32705B81C6DB60DF66E481BAE73A5FB88B84F544129DE8D47B19EF38C985C701

Uniqueness

Uniqueness Score: -1.00%

Function 000D73C8 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 75stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000D73F8
HeapAlloc.KERNEL32 ref: 000D740F
lstrcpyW.KERNEL32 ref: 000D7427
lstrcatW.KERNEL32 ref: 000D7437
FindFirstFileW.KERNEL32 ref: 000D7457
lstrlenW.KERNEL32 ref: 000D747E
HeapAlloc.KERNEL32 ref: 000D7495
lstrcpyW.KERNEL32 ref: 000D74AD
lstrcatW.KERNEL32 ref: 000D74BB
SetLastError.KERNEL32 ref: 000D74C8
FindNextFileW.KERNEL32 ref: 000D74D6
FindClose.KERNEL32 ref: 000D74E3
SetLastError.KERNEL32 ref: 000D74F0

Strings

\Profiles\*, xrefs: 000D742D
Profiles\, xrefs: 000D74A3
., xrefs: 000D7471

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Find$AllocErrorFileHeapLastlstrcatlstrcpylstrlen$CloseFirstNext
String ID: .$Profiles\$\Profiles\*
API String ID: 2353825821-3249454066
Opcode ID: 457fc4213fb6123bdc9d3cdf7fb54f524602f3e7ffd0c7e77abb27f927e6e244
Instruction ID: b4d12981bbc34180668d2087a86f8875614d6f39b60ad89ddfa139833a784618
Opcode Fuzzy Hash: 457fc4213fb6123bdc9d3cdf7fb54f524602f3e7ffd0c7e77abb27f927e6e244
Instruction Fuzzy Hash: 87318E30308B02D2EB25CB16E9583B963A1FB89B94F448125DD5E03BA4EF3CC54AD710

Uniqueness

Uniqueness Score: -1.00%

Function 000DBF94 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 68libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000DBFB1
GetProcAddress.KERNEL32 ref: 000DBFC1
GetModuleHandleA.KERNEL32 ref: 000DBFD1
GetProcAddress.KERNEL32 ref: 000DBFE1
GetCurrentThread.KERNEL32 ref: 000DBFF0
OpenThreadToken.ADVAPI32 ref: 000DC005
GetCurrentProcess.KERNEL32 ref: 000DC011
OpenProcessToken.ADVAPI32 ref: 000DC022
GetLastError.KERNEL32 ref: 000DC06F
CloseHandle.KERNEL32 ref: 000DC07A
GetKeyState.USER32 ref: 000DC085

Strings

SeShutdownPrivilege, xrefs: 000DC031
advapi32.dll, xrefs: 000DBFAA, 000DBFC7
LookupPrivilegeValueA, xrefs: 000DBFB7
AdjustTokenPrivileges, xrefs: 000DBFD7

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$AddressCurrentModuleOpenProcProcessThreadToken$CloseErrorLastState
String ID: AdjustTokenPrivileges$LookupPrivilegeValueA$SeShutdownPrivilege$advapi32.dll
API String ID: 537737460-4041583698
Opcode ID: b1dff9377605b28dc6b7c70ad9e092fba7c211b4cedd1a2554e1f4ffccfa0275
Instruction ID: cd541cb65237dc9a79dfa57b7090e5d78f43dc8c960a3f1d6cde8fd19c22bd2a
Opcode Fuzzy Hash: b1dff9377605b28dc6b7c70ad9e092fba7c211b4cedd1a2554e1f4ffccfa0275
Instruction Fuzzy Hash: E1312131604B87C2EB60DF62F8447AA77A0FB887D4F444135DA9A43B64DF78C549DB10

Uniqueness

Uniqueness Score: -1.00%

Function 000E4998 Relevance: 25.7, APIs: 17, Instructions: 154stringclipboardmemoryCOMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 000E49C9
SendNotifyMessageA.USER32 ref: 000E4A1F
GetClipboardOwner.USER32 ref: 000E4A35
OpenClipboard.USER32 ref: 000E4A47
GetClipboardData.USER32 ref: 000E4A5A
GlobalLock.KERNEL32 ref: 000E4A6F
lstrlenA.KERNEL32 ref: 000E4A93
lstrlenA.KERNEL32 ref: 000E4AA0
HeapAlloc.KERNEL32 ref: 000E4AB4
lstrlenA.KERNEL32 ref: 000E4AEA
lstrlenA.KERNEL32 ref: 000E4B33
HeapFree.KERNEL32 ref: 000E4B55
GlobalUnlock.KERNEL32 ref: 000E4B5E
CloseClipboard.USER32 ref: 000E4B64
SendNotifyMessageA.USER32 ref: 000E4B85
SetWindowLongPtrA.USER32 ref: 000E4B9D
DefWindowProcA.USER32 ref: 000E4BAE

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Clipboardlstrlen$Window$GlobalHeapLongMessageNotifySend$AllocCloseDataFreeLockOpenOwnerProcUnlock
String ID:
API String ID: 768402609-0
Opcode ID: 4105cf584ca7ebb5df6c86619de2584a7a0cdb46c914acb19effdbd92113a071
Instruction ID: b2a01533fb66a5cd64e82160615a2b14f8eb88bb95caf21e4bbc5900652e6060
Opcode Fuzzy Hash: 4105cf584ca7ebb5df6c86619de2584a7a0cdb46c914acb19effdbd92113a071
Instruction Fuzzy Hash: 8E51C031206BC1C9EB259F63A9543B867A1FB89FD1F098035CE0A27F21DF38C9469305

Uniqueness

Uniqueness Score: -1.00%

Function 000DF968 Relevance: 24.3, APIs: 16, Instructions: 257windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 000DF99B
GetDeviceCaps.GDI32 ref: 000DF9AE
GetDeviceCaps.GDI32 ref: 000DF9C7
GetDeviceCaps.GDI32 ref: 000DF9D9
CreateCompatibleBitmap.GDI32 ref: 000DF9FC
GetLastError.KERNEL32(?,?,?,?,?,?,00000088,?,?,000DF1D6,?,?,?,00000000,00000000,000C88F8), ref: 000DFA11
ReleaseDC.USER32 ref: 000DFCA3

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CapsDevice$BitmapCompatibleCreateErrorLastRelease
String ID:
API String ID: 3333975890-0
Opcode ID: 62dfcdfd1fcfe5bff474c2f995dfdf003b963af0bf5730060819e093426c7bfd
Instruction ID: 71128bcaee33c8074d210b28ecc82f565b7c82293ab9074b71a6e8728200b472
Opcode Fuzzy Hash: 62dfcdfd1fcfe5bff474c2f995dfdf003b963af0bf5730060819e093426c7bfd
Instruction Fuzzy Hash: E491017631438687D7688F36E91073A7AA1F785B89F48D03ACE8787B48DB39D861D710

Uniqueness

Uniqueness Score: -1.00%

Function 000E0974 Relevance: 21.2, APIs: 14, Instructions: 158memorystringCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00000000,?,00000000,?,00000000,00000000,000D7707), ref: 000E09B3
StrTrimW.SHLWAPI(?,00000000,?,00000000,00000000,000D7707), ref: 000E09D3
StrTrimW.SHLWAPI(?,00000000,?,00000000,00000000,000D7707), ref: 000E09E3
lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,000D7707), ref: 000E09ED
lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,000D7707), ref: 000E09FD
HeapFree.KERNEL32(?,00000000,?,00000000,00000000,000D7707), ref: 000E0ACD
HeapAlloc.KERNEL32(?,00000000,?,00000000,00000000,000D7707), ref: 000E0AE5
CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,000D7707), ref: 000E0B34
HeapFree.KERNEL32(?,00000000,?,00000000,00000000,000D7707), ref: 000E0B51
HeapFree.KERNEL32(?,00000000,?,00000000,00000000,000D7707), ref: 000E0B63

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocTrimlstrlen$CloseHandle
String ID:
API String ID: 3944168048-0
Opcode ID: ad53c97b9800d773c28abed3c8ea3f7c0fdfaa754fac454ee9f223ee3ce0ea50
Instruction ID: 5fa19e7d714e8471525ccf3c3d8fbd80a895b5b4e76a700fd38567c2bd58c9af
Opcode Fuzzy Hash: ad53c97b9800d773c28abed3c8ea3f7c0fdfaa754fac454ee9f223ee3ce0ea50
Instruction Fuzzy Hash: 74519A75601B818AEB24DF63E9543AA77A0FB88FC8F088425DE4A67B15DFBCC591D700

Uniqueness

Uniqueness Score: -1.00%

Function 000E3E60 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 149timeregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D8C34: wsprintfA.USER32 ref: 000D8C84

GetModuleHandleA.KERNEL32 ref: 000E3EAB
RegisterClassA.USER32 ref: 000E3ED1
CreateFontA.GDI32 ref: 000E3F1A

Part of subcall function 000DC7A8: FindWindowExA.USER32 ref: 000DC7EE

Part of subcall function 000DC7A8: Sleep.KERNEL32(?,?,?,000C8A9B,?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000DC7DD

GetWindowRect.USER32 ref: 000E3F82

Part of subcall function 000DCCD4: GetWindowRect.USER32 ref: 000DCCDD

CreateWindowExA.USER32 ref: 000E405D
SetTimer.USER32 ref: 000E4081
SetTimer.USER32 ref: 000E4097

Strings

gfff, xrefs: 000E3FBC
TrayNotifyWnd, xrefs: 000E3F5B
Tahoma, xrefs: 000E3ED7
ReBarWindow32, xrefs: 000E3F38
Shell_TrayWnd, xrefs: 000E3F20

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$CreateRectTimer$ClassFindFontHandleModuleRegisterSleepwsprintf
String ID: ReBarWindow32$Shell_TrayWnd$Tahoma$TrayNotifyWnd$gfff
API String ID: 522669638-365627327
Opcode ID: 0266721d51e35e01962cccf6b13d9d6086e0bc06077d71aeca67171613790e7c
Instruction ID: 6879dfc6cd5255c1640d9175e282fdb3ee4b4477e6221de6f75851f6e7e8c6c4
Opcode Fuzzy Hash: 0266721d51e35e01962cccf6b13d9d6086e0bc06077d71aeca67171613790e7c
Instruction Fuzzy Hash: 1F617932B28B918BE724CF65E440BAD77B4F389798F500229EA8953F18DB78D554CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000C3C70 Relevance: 16.7, APIs: 11, Instructions: 208memorystringCOMMON

Download Yara Rule

APIs

StrRChrW.SHLWAPI(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,000C3874), ref: 000C3CBC
lstrlenA.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,000C3874), ref: 000C3CE2
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,000C3874), ref: 000C3D2F
lstrcmpiW.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,000C3874), ref: 000C3D3B
lstrlenW.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,000C3874), ref: 000C3D5D
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,000C3874), ref: 000C3DB5
lstrcmpiW.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,000C3874), ref: 000C3E28
HeapFree.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,000C3874), ref: 000C3ED8
HeapFree.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,000C3874), ref: 000C3EF0
HeapFree.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,000C3874), ref: 000C3F08
HeapFree.KERNEL32(?,?,?,?,?,?,00000002,?,00000000,00000000,00000000,00000000,?,000C3874), ref: 000C3F20

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$ByteCharMultiWidelstrcmpilstrlen
String ID:
API String ID: 2788117228-0
Opcode ID: 3939ca66884e88859792b080944cff59e028cff7b34352ae44dce2fcbaa9333f
Instruction ID: 503c8dd93a2a2f7e957383d076207b07a69cba1e269f8d05a688af691f81d129
Opcode Fuzzy Hash: 3939ca66884e88859792b080944cff59e028cff7b34352ae44dce2fcbaa9333f
Instruction Fuzzy Hash: 9C81D63261078186DB74DF31A844BAD77E1FB48BA8F44C62DEE6A67A94DF34C646D300

Uniqueness

Uniqueness Score: -1.00%

Function 000C4CE0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 81threadnativeinjectionCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32 ref: 000C4D38
NtGetContextThread.NTDLL ref: 000C4D53
WriteProcessMemory.KERNEL32 ref: 000C4DDF
NtSetContextThread.NTDLL ref: 000C4DF2
ResumeThread.KERNEL32 ref: 000C4E04
Sleep.KERNEL32 ref: 000C4E0F
SuspendThread.KERNEL32 ref: 000C4E19
GetLastError.KERNEL32 ref: 000C4E21

Strings

@, xrefs: 000C4D30

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Thread$Context$AllocErrorLastMemoryProcessResumeSleepSuspendVirtualWrite
String ID: @
API String ID: 3824547429-2766056989
Opcode ID: b2df469eba6077543f7367a4e7100ccc0c1251464201ac344425d315c7fd9235
Instruction ID: fc09552f50fa741e32624204e2ab50aef0be163e67977f20428cb874b795c0f6
Opcode Fuzzy Hash: b2df469eba6077543f7367a4e7100ccc0c1251464201ac344425d315c7fd9235
Instruction Fuzzy Hash: A8316B32301B85C6EB608F12F894B9EB3A4F788B85F444139DA8E43B64EF78C255C740

Uniqueness

Uniqueness Score: -1.00%

Function 000E4BD4 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemorywindowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 000E4C28

Part of subcall function 000DC8A0: GetWindowLongPtrA.USER32 ref: 000DC8D4
Part of subcall function 000DC8A0: GetLastActivePopup.USER32 ref: 000DC8E8
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC905
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC913
Part of subcall function 000DC8A0: GetWindowInfo.USER32 ref: 000DC92C
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC93A
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC987
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC99B

Part of subcall function 000DCFF0: GetWindowLongPtrA.USER32 ref: 000DD037
Part of subcall function 000DCFF0: GetAncestor.USER32 ref: 000DD04C
Part of subcall function 000DCFF0: GetWindowThreadProcessId.USER32 ref: 000DD091
Part of subcall function 000DCFF0: GetWindowThreadProcessId.USER32 ref: 000DD0BD
Part of subcall function 000DCFF0: GetCurrentThreadId.KERNEL32 ref: 000DD0C5
Part of subcall function 000DCFF0: AttachThreadInput.USER32 ref: 000DD0DB
Part of subcall function 000DCFF0: BringWindowToTop.USER32 ref: 000DD0E4
Part of subcall function 000DCFF0: SetForegroundWindow.USER32 ref: 000DD0ED
Part of subcall function 000DCFF0: SetActiveWindow.USER32 ref: 000DD0F6
Part of subcall function 000DCFF0: SetFocus.USER32 ref: 000DD0FF
Part of subcall function 000DCFF0: AttachThreadInput.USER32 ref: 000DD110
Part of subcall function 000DCFF0: SetWindowPos.USER32 ref: 000DD13C

GetLastActivePopup.USER32 ref: 000E4C66
OpenClipboard.USER32 ref: 000E4C72
GlobalAlloc.KERNEL32 ref: 000E4C8A
GlobalLock.KERNEL32 ref: 000E4C9B
GlobalUnlock.KERNEL32 ref: 000E4CBA
EmptyClipboard.USER32 ref: 000E4CC0
SetClipboardData.USER32 ref: 000E4CD2
GlobalFree.KERNEL32 ref: 000E4CDB
CloseClipboard.USER32 ref: 000E4CE1

Part of subcall function 000DCED0: IsWindow.USER32 ref: 000DCEEA
Part of subcall function 000DCED0: GetAncestor.USER32(?,?,?,000DD01D), ref: 000DCF13

Part of subcall function 000DCFB4: IsWindowVisible.USER32 ref: 000DCFC1
Part of subcall function 000DCFB4: GetWindowLongPtrA.USER32 ref: 000DCFD3

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Thread$ClipboardGlobal$ActiveLong$AncestorAttachInputLastPopupProcess$AllocBringCloseCurrentDataEmptyFocusForegroundFreeIconicInfoLockOpenUnlockVisible
String ID:
API String ID: 812413168-0
Opcode ID: 876156a701fb6562d2dea1d20bdfc9f86221f800b9ebff60b099e324cada2761
Instruction ID: c8528a0f0f6d251025468dacca23162343c97b67831e75b0bfd00bac992e8483
Opcode Fuzzy Hash: 876156a701fb6562d2dea1d20bdfc9f86221f800b9ebff60b099e324cada2761
Instruction Fuzzy Hash: E531653030278286EEA8AF23A9543B96395BB89FC0F184035DE1E57B56EF3CD445D310

Uniqueness

Uniqueness Score: -1.00%

Function 000E3D74 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 30memorylibrarynativeCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?,?,000E094C,?,?,00000000,000CD586,?,?,?,?,00000008,000C8C91), ref: 000E3D7F
GetModuleHandleW.KERNEL32(?,?,?,?,000E094C,?,?,00000000,000CD586,?,?,?,?,00000008,000C8C91), ref: 000E3D8C
GetProcAddress.KERNEL32(?,?,?,?,000E094C,?,?,00000000,000CD586,?,?,?,?,00000008,000C8C91), ref: 000E3DA8
NtQuerySystemInformation.NTDLL ref: 000E3DD2
HeapAlloc.KERNEL32(?,?,?,?,000E094C,?,?,00000000,000CD586,?,?,?,?,00000008,000C8C91), ref: 000E3DE8
GetTickCount.KERNEL32 ref: 000E3DF5

Strings

GetSystemTimes, xrefs: 000E3D9E
KERNEL32.DLL, xrefs: 000E3D85

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: AddressAllocCountCriticalHandleHeapInformationInitializeModuleProcQuerySectionSystemTick
String ID: GetSystemTimes$KERNEL32.DLL
API String ID: 3912391235-2746141200
Opcode ID: 482fa49afa81c2610b7c06ed2ca2967acee1142feb6b9e524ac8f1b3589a2b92
Instruction ID: 0caf7b77346fda64a8430ad15275986e241f047279bbdf5e02dfeab37efca79b
Opcode Fuzzy Hash: 482fa49afa81c2610b7c06ed2ca2967acee1142feb6b9e524ac8f1b3589a2b92
Instruction Fuzzy Hash: 6C01FB74616B42D6FB24DF26FC843E433A0BB89741F854425CA4A03B74EFBD829AD700

Uniqueness

Uniqueness Score: -1.00%

Function 000E4364 Relevance: 13.6, APIs: 9, Instructions: 85threadCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000E43A4
GetWindowRect.USER32 ref: 000E43B2
GetWindowRect.USER32 ref: 000E43C0

Part of subcall function 000DCCD4: GetWindowRect.USER32 ref: 000DCCDD

RedrawWindow.USER32 ref: 000E4411
GetWindowThreadProcessId.USER32 ref: 000E4444
GetKeyboardLayout.USER32 ref: 000E444C
GetLocaleInfoW.KERNEL32 ref: 000E4482
CharUpperBuffW.USER32 ref: 000E4492
RedrawWindow.USER32 ref: 000E44C8

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Rect$Redraw$BuffCharInfoKeyboardLayoutLocaleProcessThreadUpper
String ID:
API String ID: 2299096587-0
Opcode ID: 75d0cb8daacfd5a5f3c394af94cccb74c4407bd58bc6db63cd1474566960a2c1
Instruction ID: 730083445de45af20f288d282498710efd26616283fd72341089b9dbf1f676f8
Opcode Fuzzy Hash: 75d0cb8daacfd5a5f3c394af94cccb74c4407bd58bc6db63cd1474566960a2c1
Instruction Fuzzy Hash: 75318D36305B95C6EB60DB26E5887AD63A1F388BC4F584031EE4A57B58CF79C54ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 000C5048 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 162nativeCOMMON

Download Yara Rule

APIs

ZwQueryInformationProcess.NTDLL(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,000C4933,00000000,?,LoadLibraryA,?,00000000), ref: 000C5095
ReadProcessMemory.KERNEL32(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,000C4933,00000000,?,LoadLibraryA,?,00000000), ref: 000C50EB
ReadProcessMemory.KERNEL32(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,000C4933,00000000,?,LoadLibraryA,?,00000000), ref: 000C5111
ReadProcessMemory.KERNEL32(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,000C4933,00000000,?,LoadLibraryA,?,00000000), ref: 000C515D
ReadProcessMemory.KERNEL32(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,000C4933,00000000,?,LoadLibraryA,?,00000000), ref: 000C51D6
StrRChrA.SHLWAPI(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,000C4933,00000000,?,LoadLibraryA,?,00000000), ref: 000C5210

Strings

KERNEL32.DLL, xrefs: 000C5065

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Process$MemoryRead$InformationQuery
String ID: KERNEL32.DLL
API String ID: 3059065599-2576044830
Opcode ID: 2f5648a4cca8d8b0f93b11c7269ae9d8438874ba0debbec14128ccfd9d803080
Instruction ID: 3544035bb0f4be3f4ed3065e9791605efac5462be0e146b318e461c90e34a860
Opcode Fuzzy Hash: 2f5648a4cca8d8b0f93b11c7269ae9d8438874ba0debbec14128ccfd9d803080
Instruction Fuzzy Hash: CC518C36304B859BDB60CF12E940BAE77A1F789B85F444128EF4D53B54EB38E9A5CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000D9004 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

DllGetClassObject, xrefs: 000D9171

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: DllGetClassObject
API String ID: 0-1075368562
Opcode ID: 139fa7875b837ea684f7e089ae013570b05eb3c3029066d07220fb6f4bccb79e
Instruction ID: 7162ca720b49b48f8db45aa1d1b5da969db88cdf22437b1fd248b776fb9c81c7
Opcode Fuzzy Hash: 139fa7875b837ea684f7e089ae013570b05eb3c3029066d07220fb6f4bccb79e
Instruction Fuzzy Hash: C8516A39304B4682DB249B12E9483A9A7A1FB89FD8F184123DE4E07B64EF78C545C750

Uniqueness

Uniqueness Score: -1.00%

Function 000DE68C Relevance: 12.1, APIs: 8, Instructions: 94stringCOMMON

Download Yara Rule

APIs

CreateDesktopA.USER32 ref: 000DE6D0
GetLastError.KERNEL32 ref: 000DE6DE
GetDC.USER32 ref: 000DE6ED
GetDeviceCaps.GDI32 ref: 000DE6FE
GetDeviceCaps.GDI32 ref: 000DE713
ReleaseDC.USER32 ref: 000DE725
lstrcpyA.KERNEL32 ref: 000DE783
CloseDesktop.USER32 ref: 000DE7E1

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CapsDesktopDevice$CloseCreateErrorLastReleaselstrcpy
String ID:
API String ID: 4025149134-0
Opcode ID: b455291752f2a18bc02e1329fa7aa837cdbdcddf3a8ff03b869f3b865b6dbfb7
Instruction ID: cd1892e57146eed95289ace1ad58607eb79060275c767577c162032b6a5f8de1
Opcode Fuzzy Hash: b455291752f2a18bc02e1329fa7aa837cdbdcddf3a8ff03b869f3b865b6dbfb7
Instruction Fuzzy Hash: B831D23631978197D7A8DF26E9047AAB3A0F748B90F044025EF9E43B54EF38D465CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000DA82C Relevance: 10.9, APIs: 7, Instructions: 403windowthreadtimeCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000DA8BF
GetWindowLongPtrA.USER32 ref: 000DAA9C
GetParent.USER32 ref: 000DAAB8
GetWindowThreadProcessId.USER32 ref: 000DAAF1
GetWindowInfo.USER32 ref: 000DAB84
SendMessageTimeoutA.USER32 ref: 000DAC07

Part of subcall function 000DCED0: IsWindow.USER32 ref: 000DCEEA
Part of subcall function 000DCED0: GetAncestor.USER32(?,?,?,000DD01D), ref: 000DCF13

PostMessageA.USER32 ref: 000DADF0

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Message$AncestorInfoLongParentPostProcessRectSendThreadTimeout
String ID:
API String ID: 1491194875-0
Opcode ID: 4d978422dc4087d926fd22392df8262ceeccf5bfd1366db9e3ff25c24fcb4860
Instruction ID: 26c30a4c7e2439dd2fb17265f186f42c9b2e7b810deb95589980d9a45f704e4d
Opcode Fuzzy Hash: 4d978422dc4087d926fd22392df8262ceeccf5bfd1366db9e3ff25c24fcb4860
Instruction Fuzzy Hash: 5BE122327147908BEB64DF62D5407AEB7A1FB86B98F044127EE4A47F59DB38C442CB21

Uniqueness

Uniqueness Score: -1.00%

Function 000C4644 Relevance: 6.1, APIs: 4, Instructions: 72nativeCOMMON

Download Yara Rule

APIs

ZwQueryInformationProcess.NTDLL ref: 000C4698
ReadProcessMemory.KERNEL32 ref: 000C46C3
ReadProcessMemory.KERNEL32 ref: 000C46EB
ReadProcessMemory.KERNEL32 ref: 000C4724

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Process$MemoryRead$InformationQuery
String ID:
API String ID: 3059065599-0
Opcode ID: 57d17b80258498ddeb1f09b28b28e017fa15e7063673d640c84d3d6491c51952
Instruction ID: ceff108b964c16081c4252df12ee39dabbdaf0c0be2ce56b37f7fad920610007
Opcode Fuzzy Hash: 57d17b80258498ddeb1f09b28b28e017fa15e7063673d640c84d3d6491c51952
Instruction Fuzzy Hash: 86315E72314B9686DB20CF66E940BEE73A9F789BC8F4441259B8D43B18EF38D605C740

Uniqueness

Uniqueness Score: -1.00%

Function 000C36AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 000C36E6
RtlNtStatusToDosError.NTDLL ref: 000C36EE

Strings

@, xrefs: 000C36B6

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorSectionStatusView
String ID: @
API String ID: 1313840181-2766056989
Opcode ID: 75f294754d1db1666e45303d5cdcecfa951a8ab3db78348f2e026a0d9003a705
Instruction ID: f7694f44483c850da4696da2f2caaf130d22dea0dd971dd8ff80f5f026f8d000
Opcode Fuzzy Hash: 75f294754d1db1666e45303d5cdcecfa951a8ab3db78348f2e026a0d9003a705
Instruction Fuzzy Hash: A7E0C976B14B44D6D7609F10E48DB9C36A8F354384FA20239C7AD06B10DB3A8965CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000DDC68 Relevance: 4.6, APIs: 3, Instructions: 54windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000DCED0: IsWindow.USER32 ref: 000DCEEA
Part of subcall function 000DCED0: GetAncestor.USER32(?,?,?,000DD01D), ref: 000DCF13

IsIconic.USER32 ref: 000DDCA2

Part of subcall function 000DDB20: GetWindowRect.USER32 ref: 000DDB8B

Part of subcall function 000DDE40: GetWindowRect.USER32 ref: 000DDE58
Part of subcall function 000DDE40: GetWindowLongPtrA.USER32 ref: 000DDE89
Part of subcall function 000DDE40: GetScrollBarInfo.USER32(?,?,?,?,?,?,?,?,?,000DDCF7), ref: 000DDEAC
Part of subcall function 000DDE40: GetScrollBarInfo.USER32(?,?,?,?,?,?,?,?,?,000DDCF7), ref: 000DDEDE

GetWindow.USER32 ref: 000DDD14
GetWindow.USER32 ref: 000DDD22

Part of subcall function 000DDD50: GetWindow.USER32 ref: 000DDDEA
Part of subcall function 000DDD50: GetWindow.USER32 ref: 000DDDF8
Part of subcall function 000DDD50: GetWindow.USER32 ref: 000DDE13

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$InfoRectScroll$AncestorIconicLong
String ID:
API String ID: 3196784018-0
Opcode ID: f5b5f012bf67587a4e69552582b4904db17d8484939b433055d904d6f4c3edea
Instruction ID: acfb7dbc590b58e552024f5fd563a6a20005f666c8e741dc961b85f577ac25f2
Opcode Fuzzy Hash: f5b5f012bf67587a4e69552582b4904db17d8484939b433055d904d6f4c3edea
Instruction Fuzzy Hash: 2B117F72A1478582EB50DF22E5457AE73A5F799BC4F948036AE8907B09DF3CC446CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000E2308 Relevance: 3.1, APIs: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32 ref: 000E239A

Part of subcall function 000DCED0: IsWindow.USER32 ref: 000DCEEA
Part of subcall function 000DCED0: GetAncestor.USER32(?,?,?,000DD01D), ref: 000DCF13

Part of subcall function 000DCFB4: IsWindowVisible.USER32 ref: 000DCFC1
Part of subcall function 000DCFB4: GetWindowLongPtrA.USER32 ref: 000DCFD3

IsIconic.USER32 ref: 000E235C

Part of subcall function 000DC8A0: GetWindowLongPtrA.USER32 ref: 000DC8D4
Part of subcall function 000DC8A0: GetLastActivePopup.USER32 ref: 000DC8E8
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC905
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC913
Part of subcall function 000DC8A0: GetWindowInfo.USER32 ref: 000DC92C
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC93A
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC987
Part of subcall function 000DC8A0: GetWindow.USER32 ref: 000DC99B

Part of subcall function 000DCFF0: GetWindowLongPtrA.USER32 ref: 000DD037
Part of subcall function 000DCFF0: GetAncestor.USER32 ref: 000DD04C
Part of subcall function 000DCFF0: GetWindowThreadProcessId.USER32 ref: 000DD091
Part of subcall function 000DCFF0: GetWindowThreadProcessId.USER32 ref: 000DD0BD
Part of subcall function 000DCFF0: GetCurrentThreadId.KERNEL32 ref: 000DD0C5
Part of subcall function 000DCFF0: AttachThreadInput.USER32 ref: 000DD0DB
Part of subcall function 000DCFF0: BringWindowToTop.USER32 ref: 000DD0E4
Part of subcall function 000DCFF0: SetForegroundWindow.USER32 ref: 000DD0ED
Part of subcall function 000DCFF0: SetActiveWindow.USER32 ref: 000DD0F6
Part of subcall function 000DCFF0: SetFocus.USER32 ref: 000DD0FF
Part of subcall function 000DCFF0: AttachThreadInput.USER32 ref: 000DD110
Part of subcall function 000DCFF0: SetWindowPos.USER32 ref: 000DD13C

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Thread$ActiveLong$AncestorAttachInputLastPopupProcess$BringCurrentFocusForegroundIconicInfoVisible
String ID:
API String ID: 87036876-0
Opcode ID: 2957a20a8d6b8d9bd2b77e9e010890580a237c38ee9d46390aae5e3c362c03fb
Instruction ID: 56646592e91a243d91393f35279ad793aa25f8ad7f8fca7f4a70ed09b4bab461
Opcode Fuzzy Hash: 2957a20a8d6b8d9bd2b77e9e010890580a237c38ee9d46390aae5e3c362c03fb
Instruction Fuzzy Hash: 9A11912130478145EE58AB2799013ADE3D9BB89FC0F4840369E8D6B706EF7CC541C700

Uniqueness

Uniqueness Score: -1.00%

Function 000DC5CC Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 000DC5DE

Part of subcall function 000DCFB4: IsWindowVisible.USER32 ref: 000DCFC1
Part of subcall function 000DCFB4: GetWindowLongPtrA.USER32 ref: 000DCFD3

IsIconic.USER32 ref: 000DC5FC

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Long$IconicVisible
String ID:
API String ID: 2647208561-0
Opcode ID: 29720fceca7533c6625c77576111f3fc7366996410b82099d1d4acfe448dcd62
Instruction ID: fb66efbc5d8c07c285bd1b1baaecf7c41fd0965428ac40761c5859c5a3d38d9f
Opcode Fuzzy Hash: 29720fceca7533c6625c77576111f3fc7366996410b82099d1d4acfe448dcd62
Instruction Fuzzy Hash: F7E0DF2170434382FB205B6BB68877A6292AB48BD0F549132E92086B49EF28C88AD310

Uniqueness

Uniqueness Score: -1.00%

Function 000E30CC Relevance: 1.6, APIs: 1, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000DCFB4: IsWindowVisible.USER32 ref: 000DCFC1
Part of subcall function 000DCFB4: GetWindowLongPtrA.USER32 ref: 000DCFD3

IsIconic.USER32 ref: 000E3125

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$IconicLongVisible
String ID:
API String ID: 2848875483-0
Opcode ID: b66c6ab18d07ce6c512e135e58bb2a15adf3f9d5e62622afa7b3c4c3b16822e6
Instruction ID: c5b015b1033a787e780faa4b4cb1f16cbc5e9a86aa1ba1df8efcc019ecd6192c
Opcode Fuzzy Hash: b66c6ab18d07ce6c512e135e58bb2a15adf3f9d5e62622afa7b3c4c3b16822e6
Instruction Fuzzy Hash: 86217C73605A80AEDB60CF27D8042697BB4F788FC8B19816ACF4967315DB34D982CB04

Uniqueness

Uniqueness Score: -1.00%

Function 000E39CC Relevance: 1.6, APIs: 1, Instructions: 68nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000E3A30

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 2bccd0f96bb62b441e7422e4bc7b16036e1f3b838ae934a9e498a7ae5685d7e4
Instruction ID: 119cd756615aaae06883fb0c63965ace6b50dcb639d91b408d2aeb7fa368a118
Opcode Fuzzy Hash: 2bccd0f96bb62b441e7422e4bc7b16036e1f3b838ae934a9e498a7ae5685d7e4
Instruction Fuzzy Hash: 51219071701B958ADA14CF0BB984355BBA0F788FC4F599425DE8C17B14DF39C6928700

Uniqueness

Uniqueness Score: -1.00%

Function 000E44E8 Relevance: 49.2, APIs: 26, Strings: 2, Instructions: 159
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColor.USER32 ref: 000E4516
GetSysColor.USER32 ref: 000E4521
GetSysColor.USER32 ref: 000E452C
GetSysColor.USER32 ref: 000E4537
GetClientRect.USER32 ref: 000E4544
BeginPaint.USER32 ref: 000E4551
GetClipBox.GDI32 ref: 000E456A
CreateCompatibleDC.GDI32 ref: 000E4573
CreateCompatibleBitmap.GDI32 ref: 000E4596
SelectObject.GDI32 ref: 000E45AE
SetWindowOrgEx.GDI32 ref: 000E45C5
SetBkColor.GDI32 ref: 000E45D1
ExtTextOutA.GDI32 ref: 000E45FE
SelectObject.GDI32 ref: 000E460E
SetBkMode.GDI32 ref: 000E461F
CreateRectRgn.GDI32 ref: 000E463C
SelectClipRgn.GDI32 ref: 000E4650
SetTextColor.GDI32 ref: 000E465C
DrawTextW.USER32 ref: 000E4682
DeleteObject.GDI32 ref: 000E4690
BitBlt.GDI32 ref: 000E46C7
SelectObject.GDI32 ref: 000E46EA
SelectObject.GDI32 ref: 000E46FB
DeleteObject.GDI32 ref: 000E4709
DeleteDC.GDI32 ref: 000E4717
EndPaint.USER32 ref: 000E4729

Strings

%, xrefs: 000E467A
, xrefs: 000E46A4

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ColorObject$Select$CreateDeleteText$ClipCompatiblePaintRect$BeginBitmapClientDrawModeWindow
String ID: $%
API String ID: 1692378535-2111875603
Opcode ID: 6a0e807c42144805917cb51e62f45373c23988a938c5d86f71cb3b7981471eb0
Instruction ID: e30abecb8062e172b3d9d18c00d1cc230a5435f7b5f5d4bef249aa9ad9886b08
Opcode Fuzzy Hash: 6a0e807c42144805917cb51e62f45373c23988a938c5d86f71cb3b7981471eb0
Instruction Fuzzy Hash: 89614636701A82CBEB24DF66E814BAD73A1FB89BC8F044125DE4A17B18DF78C449D740

Uniqueness

Uniqueness Score: -1.00%

Function 000D83A8 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 166stringmemorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000DB37C: GetTempPathW.KERNEL32(?,?,00000000,00000000,00000000,000D7557), ref: 000DB3A7
Part of subcall function 000DB37C: GetLastError.KERNEL32(?,?,00000000,00000000,00000000,000D7557), ref: 000DB3B3
Part of subcall function 000DB37C: HeapFree.KERNEL32(?,?,00000000,00000000,00000000,000D7557), ref: 000DB4DD

GetLastError.KERNEL32 ref: 000D83ED
lstrcpyA.KERNEL32 ref: 000D8404
lstrcatA.KERNEL32 ref: 000D8416
lstrcatA.KERNEL32 ref: 000D842C
CreateEventA.KERNEL32 ref: 000D8440
GetLastError.KERNEL32 ref: 000D844E
WaitForSingleObject.KERNEL32 ref: 000D8463
CloseHandle.KERNEL32 ref: 000D8470
lstrcatW.KERNEL32 ref: 000D8580
SetEvent.KERNEL32 ref: 000D8598
CloseHandle.KERNEL32 ref: 000D85A1
HeapFree.KERNEL32 ref: 000D85B8
HeapFree.KERNEL32 ref: 000D85CF
SetLastError.KERNEL32 ref: 000D85DB

Strings

LOCALAPPDATA, xrefs: 000D8557
\opera.exe, xrefs: 000D8576
\Local Settings\Application Data, xrefs: 000D8544
OPR, xrefs: 000D83CC
APPDATA, xrefs: 000D851F
USERPROFILE, xrefs: 000D854B

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorLast$FreeHeaplstrcat$CloseEventHandle$CreateObjectPathSingleTempWaitlstrcpy
String ID: APPDATA$LOCALAPPDATA$OPR$USERPROFILE$\Local Settings\Application Data$\opera.exe
API String ID: 1059675241-2210929480
Opcode ID: 249498877ca080cfcf10094ce492587ed441dc1d83aff9eff70c64083940f8d5
Instruction ID: d537169b0b53ce11d2c71486da1016eae7acf13c0a065e77f427ef79e6fb9f11
Opcode Fuzzy Hash: 249498877ca080cfcf10094ce492587ed441dc1d83aff9eff70c64083940f8d5
Instruction Fuzzy Hash: 87518275300B42C2EB65DB27A8543B963A1FB89FD5F888436DD0A47B19EF3DC94A9310

Uniqueness

Uniqueness Score: -1.00%

Function 000DD2FC Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 254windowtimeCOMMON

Download Yara Rule

APIs

WindowFromPoint.USER32(?,?,?,?,?,?,?,?,?,00000000,?,00008001,00000000,000DA80B), ref: 000DD335
SendMessageTimeoutA.USER32 ref: 000DD377
RealChildWindowFromPoint.USER32(?,?,?,?,?,?,?,?,?,00000000,?,00008001,00000000,000DA80B), ref: 000DD405
SendMessageTimeoutA.USER32 ref: 000DD442
GetWindowLongPtrA.USER32 ref: 000DD471
SetWindowLongPtrA.USER32 ref: 000DD487
GetWindowLongPtrA.USER32 ref: 000DD4BF
SetWindowLongPtrA.USER32 ref: 000DD4D2
ScreenToClient.USER32 ref: 000DD4FA
SendMessageTimeoutA.USER32 ref: 000DD540
GetAncestor.USER32 ref: 000DD56E
GetWindowLongPtrA.USER32 ref: 000DD5B4
GetWindowInfo.USER32 ref: 000DD5D4
PtInRect.USER32 ref: 000DD5FC
GetWindowLongPtrA.USER32 ref: 000DD62C
SendMessageTimeoutA.USER32 ref: 000DD674
MapWindowPoints.USER32 ref: 000DD6A5
MapWindowPoints.USER32 ref: 000DD6CC
RealChildWindowFromPoint.USER32 ref: 000DD6D9
SendMessageTimeoutA.USER32 ref: 000DD733

Strings

d, xrefs: 000DD723

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Long$MessageSendTimeout$FromPoint$ChildPointsReal$AncestorClientInfoRectScreen
String ID: d
API String ID: 4017282500-2564639436
Opcode ID: c56459b6421c9cb443c0577c71b23e9de1ba6136f69f322b1de6c3933ae2bbeb
Instruction ID: ecf38e1757dc7152f2660e4287aeafb83d72b53d798c38724a6cb9f1f55e832c
Opcode Fuzzy Hash: c56459b6421c9cb443c0577c71b23e9de1ba6136f69f322b1de6c3933ae2bbeb
Instruction Fuzzy Hash: 62B15B36315B81CAEB608F66E0447AD73A2E748B98F044227EE5E47F98DF38D549D320

Uniqueness

Uniqueness Score: -1.00%

Function 000D8018 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 133memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000D804C
GetEnvironmentVariableW.KERNEL32 ref: 000D805C
GetLastError.KERNEL32 ref: 000D8069
HeapAlloc.KERNEL32 ref: 000D808C
GetEnvironmentVariableW.KERNEL32 ref: 000D80AB
GetLastError.KERNEL32 ref: 000D80B5
HeapFree.KERNEL32 ref: 000D81EF

Strings

\Opera, xrefs: 000D80D3, 000D811C
_OPR, xrefs: 000D81AD
opera.exe, xrefs: 000D81BD

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: EnvironmentErrorHeapLastVariable$AllocFreelstrlen
String ID: \Opera$_OPR$opera.exe
API String ID: 2673498452-2944665979
Opcode ID: d729f8cc14217e1d29d73d6ea2cee2cb96f70c3811ccd2d6da612f574740092c
Instruction ID: 9cbe326a0cbe53b41abcfcafaa5a5c8fb106091ceee0c77d21b84a1e607f12e0
Opcode Fuzzy Hash: d729f8cc14217e1d29d73d6ea2cee2cb96f70c3811ccd2d6da612f574740092c
Instruction Fuzzy Hash: 5351C075700B42C2EB64CF23EC447A923A5BB89FE5F488622DE1A43B64DF38C54A9310

Uniqueness

Uniqueness Score: -1.00%

Function 000DF64C Relevance: 35.1, APIs: 15, Strings: 5, Instructions: 117windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 000DF683
CreateCompatibleDC.GDI32 ref: 000DF698
CreateCompatibleBitmap.GDI32 ref: 000DF6B2
SelectObject.GDI32 ref: 000DF6CA

Part of subcall function 000DC7A8: FindWindowExA.USER32 ref: 000DC7EE

DeleteObject.GDI32 ref: 000DF7D4

Part of subcall function 000DC7A8: Sleep.KERNEL32(?,?,?,000C8A9B,?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000DC7DD

SendMessageA.USER32 ref: 000DF746
GetWindowLongA.USER32 ref: 000DF756
SetWindowLongA.USER32 ref: 000DF76C
GetWindowLongA.USER32 ref: 000DF778
SetWindowLongA.USER32 ref: 000DF789
GetWindowLongA.USER32 ref: 000DF795
SetWindowLongA.USER32 ref: 000DF7A6
SendMessageA.USER32 ref: 000DF7C9
DeleteDC.GDI32 ref: 000DF7DD
ReleaseDC.USER32 ref: 000DF7E8

Strings

Progman, xrefs: 000DF6D7
SHELLDLL_DefView, xrefs: 000DF6F1
FolderView, xrefs: 000DF70F
Program Manager, xrefs: 000DF6D0
SysListView32, xrefs: 000DF716

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Long$CompatibleCreateDeleteMessageObjectSend$BitmapFindReleaseSelectSleep
String ID: FolderView$Progman$Program Manager$SHELLDLL_DefView$SysListView32
API String ID: 1173873091-1763248648
Opcode ID: ffc4588b35b568cc0e1bb523402bab1ebf8c7a17d40e0a8ef32b6d515534a16d
Instruction ID: 37ab72483b6e3625c8cea5e6b19535018145a411097e6aff3c5cbe1800b69600
Opcode Fuzzy Hash: ffc4588b35b568cc0e1bb523402bab1ebf8c7a17d40e0a8ef32b6d515534a16d
Instruction Fuzzy Hash: BB419135316B4282EF24EB26A8287A963A0FB89FD4F848536DD1E47B14DF7DC44AD740

Uniqueness

Uniqueness Score: -1.00%

Function 000DAE0C Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 120stringsynchronizationCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32 ref: 000DAE50
lstrcatA.KERNEL32 ref: 000DAE61
lstrcatA.KERNEL32 ref: 000DAE76
CreateEventA.KERNEL32 ref: 000DAE88
GetLastError.KERNEL32 ref: 000DAE9A
WaitForSingleObject.KERNEL32 ref: 000DAEAF
CloseHandle.KERNEL32 ref: 000DAEBC
lstrlenW.KERNEL32 ref: 000DAED9
WideCharToMultiByte.KERNEL32 ref: 000DAF34
lstrcpyA.KERNEL32 ref: 000DAF44
lstrcatA.KERNEL32 ref: 000DAF58
lstrcatA.KERNEL32 ref: 000DAF70
OpenEventA.KERNEL32 ref: 000DAF82
CloseHandle.KERNEL32 ref: 000DAF90
SetEvent.KERNEL32 ref: 000DAFC2
CloseHandle.KERNEL32 ref: 000DAFCB

Strings

LOCALAPPDATA, xrefs: 000DAE0C
chrome.exe, xrefs: 000DAE0E

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseEventHandle$lstrcpy$ByteCharCreateErrorLastMultiObjectOpenSingleWaitWidelstrlen
String ID: LOCALAPPDATA$chrome.exe
API String ID: 2873254647-1937607147
Opcode ID: 99eb7ad2cade20c79007e13dbd83e5c08c43f2d8e3a8c2d55d8461d716d3eea5
Instruction ID: 4fd810e5a138d74b3764ec7612e8048c92147f31a99129210e0f7b14e78af9ca
Opcode Fuzzy Hash: 99eb7ad2cade20c79007e13dbd83e5c08c43f2d8e3a8c2d55d8461d716d3eea5
Instruction Fuzzy Hash: B0515C32201A86D5DF74DF66E8547ED3361F789BE9F444222DA2A47BA8DF39C609D300

Uniqueness

Uniqueness Score: -1.00%

Function 000DEA58 Relevance: 30.1, APIs: 20, Instructions: 116windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 000DEA7E

Part of subcall function 000DF934: CreateDIBSection.GDI32 ref: 000DF953

SelectObject.GDI32 ref: 000DEA9A
DeleteObject.GDI32 ref: 000DEAA7
DeleteDC.GDI32 ref: 000DEAB4
CreateCompatibleDC.GDI32 ref: 000DEABD
GetLastError.KERNEL32(?,?,00000088,000DF1E4,?,?,?,00000000,00000000,000C88F8,?,?,?,?,?,000C1F66), ref: 000DEACF
SelectObject.GDI32 ref: 000DEB08
SelectObject.GDI32 ref: 000DEB28
DeleteObject.GDI32 ref: 000DEB35
DeleteDC.GDI32 ref: 000DEB42
CreateCompatibleDC.GDI32 ref: 000DEB4B
CreateCompatibleBitmap.GDI32 ref: 000DEB71
SelectObject.GDI32 ref: 000DEB91
SelectObject.GDI32 ref: 000DEBB9
DeleteObject.GDI32 ref: 000DEBD3
DeleteDC.GDI32 ref: 000DEBED
SelectObject.GDI32 ref: 000DEC20
DeleteObject.GDI32 ref: 000DEC3A
DeleteDC.GDI32 ref: 000DEC54
ReleaseDC.USER32 ref: 000DEC6C

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Object$Delete$Select$Create$Compatible$BitmapErrorLastReleaseSection
String ID:
API String ID: 3938452263-0
Opcode ID: 8fc296eb48066671c4c2912a47a47d08753e5558cc8fb3272568d771b3684f1c
Instruction ID: 0a39a2f74d5c53b042ce3a2ff4c93f45cb55a55c9dc3d88b8ce6275477c74df2
Opcode Fuzzy Hash: 8fc296eb48066671c4c2912a47a47d08753e5558cc8fb3272568d771b3684f1c
Instruction Fuzzy Hash: 0D51EE76202B81C5EB95EF66E4543B933A2FB84F84F184536DE4A4F718DF3AC4959320

Uniqueness

Uniqueness Score: -1.00%

Function 000DE828 Relevance: 28.6, APIs: 19, Instructions: 112windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 000DE84D
DeleteObject.GDI32 ref: 000DE85A
DeleteDC.GDI32 ref: 000DE867
SelectObject.GDI32 ref: 000DE87B
DeleteObject.GDI32 ref: 000DE888
DeleteDC.GDI32 ref: 000DE895
GetDC.USER32 ref: 000DE89D
CreateCompatibleDC.GDI32 ref: 000DE8B0
GetLastError.KERNEL32(?,?,?,?,?,?,?,000E06F1,?,?,?,000CD017), ref: 000DE8C2
CreateCompatibleDC.GDI32 ref: 000DE8D0
CreateCompatibleBitmap.GDI32 ref: 000DE8F2
SelectObject.GDI32 ref: 000DE90E
SelectObject.GDI32 ref: 000DE952
SelectObject.GDI32 ref: 000DE99C
DeleteObject.GDI32 ref: 000DE9C8
SelectObject.GDI32 ref: 000DE9E9
DeleteObject.GDI32 ref: 000DEA03
DeleteDC.GDI32 ref: 000DEA1D
DeleteDC.GDI32 ref: 000DEA37

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Object$Delete$Select$CompatibleCreate$BitmapErrorLast
String ID:
API String ID: 3176934299-0
Opcode ID: 6c6611a76a6398a5ec2c13c64e61095f688a134cb59831910ea0339ac878d7d4
Instruction ID: 947b6728fff31754d6be45bcbad22b0cfd9758f43df5c565fabab857df13edf6
Opcode Fuzzy Hash: 6c6611a76a6398a5ec2c13c64e61095f688a134cb59831910ea0339ac878d7d4
Instruction Fuzzy Hash: 3551D936202BC1C5EB54AF62E8543A96366FB85F89F084136CE4E5FB18CF3AC465D320

Uniqueness

Uniqueness Score: -1.00%

Function 000E2D18 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 216synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000E08A0: EnterCriticalSection.KERNEL32 ref: 000E08BC
Part of subcall function 000E08A0: LeaveCriticalSection.KERNEL32 ref: 000E08E6

WaitForSingleObject.KERNEL32 ref: 000E2D64
GetWindowInfo.USER32 ref: 000E2DED
EnterCriticalSection.KERNEL32 ref: 000E2DFD
LeaveCriticalSection.KERNEL32 ref: 000E2FA1
EnterCriticalSection.KERNEL32 ref: 000E301B
LeaveCriticalSection.KERNEL32 ref: 000E302C

Part of subcall function 000E3448: UnhookWinEvent.USER32 ref: 000E3470
Part of subcall function 000E3448: UnhookWinEvent.USER32 ref: 000E348A
Part of subcall function 000E3448: UnhookWinEvent.USER32 ref: 000E34A4

Strings

<, xrefs: 000E2DE5

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterEventLeaveUnhook$InfoObjectSingleWaitWindow
String ID: <
API String ID: 4134715937-4251816714
Opcode ID: c72adb188eedb047c67afa2ce6460a25ba8df680b12341c3fad65c3d81eaaa6e
Instruction ID: 8b6eebdbd41225c754de744641be7c10cdff97fb803c86fc4fe4a36beedac53e
Opcode Fuzzy Hash: c72adb188eedb047c67afa2ce6460a25ba8df680b12341c3fad65c3d81eaaa6e
Instruction Fuzzy Hash: 8C717F213057D189EEAC9F2399683B967A9FB85FC0F485432CE0727B15DF38CA929341

Uniqueness

Uniqueness Score: -1.00%

Function 000D9368 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 111registrynetworklibraryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 000D93BB
htons.WS2_32 ref: 000D93D0
htonl.WS2_32 ref: 000D93DD
htons.WS2_32 ref: 000D93EA
wsprintfW.USER32 ref: 000D941B
RegOpenKeyExW.ADVAPI32 ref: 000D943B
GetModuleHandleW.KERNEL32 ref: 000D947F
LoadLibraryW.KERNEL32 ref: 000D9491
GetLastError.KERNEL32 ref: 000D949F
HeapFree.KERNEL32 ref: 000D94C8
RegCloseKey.ADVAPI32 ref: 000D94D7
RegCloseKey.ADVAPI32 ref: 000D94E6
SetLastError.KERNEL32 ref: 000D94F2

Strings

{%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 000D9408
InprocServer32, xrefs: 000D9457
SOFTWARE\Classes\CLSID, xrefs: 000D939D

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CloseErrorLastOpenhtons$FreeHandleHeapLibraryLoadModulehtonlwsprintf
String ID: InprocServer32$SOFTWARE\Classes\CLSID${%08X-%04X-%04X-%04X-%08X%04X}
API String ID: 4070548535-1088679775
Opcode ID: a066de7a21009abbf1c8a65ad96fe5dba158a3d36621a9183a2e101d19e41a7d
Instruction ID: bedbe0884d2be146ba72f9edebc57e91b63c3a810b0b6568b122a3d81fb0f354
Opcode Fuzzy Hash: a066de7a21009abbf1c8a65ad96fe5dba158a3d36621a9183a2e101d19e41a7d
Instruction Fuzzy Hash: 0C415B36712B56CAEB20CFA6E484BBD33A0F748B99F014126EE4A42F55EF78C549D710

Uniqueness

Uniqueness Score: -1.00%

Function 000DB7F0 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 82memorystringCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00000000,000DB2C9,?,?,?,000D7620), ref: 000DB809
HeapAlloc.KERNEL32(?,?,00000000,000DB2C9,?,?,?,000D7620), ref: 000DB824
GetEnvironmentVariableW.KERNEL32(?,?,00000000,000DB2C9,?,?,?,000D7620), ref: 000DB83F
GetLastError.KERNEL32(?,?,00000000,000DB2C9,?,?,?,000D7620), ref: 000DB851
HeapFree.KERNEL32(?,?,00000000,000DB2C9,?,?,?,000D7620), ref: 000DB865
GetLastError.KERNEL32(?,?,00000000,000DB2C9,?,?,?,000D7620), ref: 000DB882
lstrcmpW.KERNEL32(?,?,00000000,000DB2C9,?,?,?,000D7620), ref: 000DB89D
GetEnvironmentVariableW.KERNEL32(?,?,00000000,000DB2C9,?,?,?,000D7620), ref: 000DB8B3
HeapAlloc.KERNEL32(?,?,00000000,000DB2C9,?,?,?,000D7620), ref: 000DB8D0
GetEnvironmentVariableW.KERNEL32(?,?,00000000,000DB2C9,?,?,?,000D7620), ref: 000DB8EB
lstrcatW.KERNEL32 ref: 000DB90B
SetLastError.KERNEL32(?,?,00000000,000DB2C9,?,?,?,000D7620), ref: 000DB918

Strings

LOCALAPPDATA, xrefs: 000DB893
\Local Settings\Application Data, xrefs: 000DB901
USERPROFILE, xrefs: 000DB8A7, 000DB8DE

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: EnvironmentVariable$ErrorHeapLast$Alloc$Freelstrcatlstrcmp
String ID: LOCALAPPDATA$USERPROFILE$\Local Settings\Application Data
API String ID: 3280976171-1870292887
Opcode ID: 9bd22e435003f99f3697b352907e4d71ee6f0b962192fb3c62d3f3edc6056fd0
Instruction ID: 9054b643011b18b81668452b9f6bf69d9c3d6dce6b185a6506c5d2e1e04b3c3e
Opcode Fuzzy Hash: 9bd22e435003f99f3697b352907e4d71ee6f0b962192fb3c62d3f3edc6056fd0
Instruction Fuzzy Hash: 60313024700F83C2FB749B6BA99537963A1BBC8FD1F454436CA0A83B64DF68C649E310

Uniqueness

Uniqueness Score: -1.00%

Function 000DF260 Relevance: 25.6, APIs: 17, Instructions: 108threadmemoryCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000DF27A
GetThreadDesktop.USER32(?,?,?,000C87C4,?,?,?,?,000C2152), ref: 000DF292
SetThreadDesktop.USER32(?,?,?,000C87C4,?,?,?,?,000C2152), ref: 000DF2A0
HeapFree.KERNEL32(?,?,?,000C87C4,?,?,?,?,000C2152), ref: 000DF2BB
SelectObject.GDI32 ref: 000DF2EB
DeleteObject.GDI32 ref: 000DF304
SelectObject.GDI32 ref: 000DF324
DeleteObject.GDI32 ref: 000DF33D
DeleteDC.GDI32 ref: 000DF356
DeleteDC.GDI32 ref: 000DF36F
SelectObject.GDI32 ref: 000DF38F
DeleteObject.GDI32 ref: 000DF3A8
DeleteDC.GDI32 ref: 000DF3C1
SelectObject.GDI32 ref: 000DF3F1
DeleteObject.GDI32 ref: 000DF40A
DeleteDC.GDI32 ref: 000DF423
CloseDesktop.USER32(?,?,?,000C87C4,?,?,?,?,000C2152), ref: 000DF438

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: DeleteObject$Select$DesktopThread$CloseCurrentFreeHeap
String ID:
API String ID: 3677096374-0
Opcode ID: cde0001d6b284be4ae39bbf48f8542b4f781cde5a676b6c8eadc3dbc0f57ca88
Instruction ID: a7c24e38a9cc7332056d8fbe0e960dd3d2bb87caae179629f74aaaaabd4eaeb3
Opcode Fuzzy Hash: cde0001d6b284be4ae39bbf48f8542b4f781cde5a676b6c8eadc3dbc0f57ca88
Instruction Fuzzy Hash: F551D076202B81C9EB549F61E4543B933A6FB84F88F4C8535CE4A5B718CF36C4A0D324

Uniqueness

Uniqueness Score: -1.00%

Function 000DBA04 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 103memorythreadCOMMON

Download Yara Rule

APIs

SetThreadDesktop.USER32 ref: 000DBA2E
GlobalAlloc.KERNEL32 ref: 000DBA41
GlobalLock.KERNEL32 ref: 000DBA5D
MultiByteToWideChar.KERNEL32 ref: 000DBAA9
GlobalUnlock.KERNEL32 ref: 000DBB1A
CreateDialogIndirectParamW.USER32 ref: 000DBB34
GlobalFree.KERNEL32 ref: 000DBB40
ShowWindow.USER32 ref: 000DBB4C

Strings

My Dialog, xrefs: 000DBA69
VNC is starting your browser..., xrefs: 000DBAC0
2, xrefs: 000DBA9C

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Global$AllocByteCharCreateDesktopDialogFreeIndirectLockMultiParamShowThreadUnlockWideWindow
String ID: 2$My Dialog$VNC is starting your browser...
API String ID: 750254547-148222065
Opcode ID: 1d34853430a6931be9ca336457949ccccc395af489f9bffeb9316f8e78494ddd
Instruction ID: fd15fcccdb53312216b4eba039e17d9cc14c53a20fd94a26ce0efc247c32eb34
Opcode Fuzzy Hash: 1d34853430a6931be9ca336457949ccccc395af489f9bffeb9316f8e78494ddd
Instruction Fuzzy Hash: BF41B032210B42C2EB24DF12E8587A977A0F788FA8F558126DE4A07B64DF3DC54AC740

Uniqueness

Uniqueness Score: -1.00%

Function 000E3668 Relevance: 22.6, APIs: 15, Instructions: 91windowsynchronizationmemoryCOMMON

Download Yara Rule

APIs

SetThreadDesktop.USER32 ref: 000E3681
CoInitialize.OLE32 ref: 000E36A4
SetWinEventHook.USER32 ref: 000E36CE
SetWinEventHook.USER32 ref: 000E36F7
SetWinEventHook.USER32 ref: 000E371F
SetEvent.KERNEL32 ref: 000E3733
WaitForSingleObject.KERNEL32 ref: 000E373F
GetMessageA.USER32 ref: 000E3759
TranslateMessage.USER32 ref: 000E3768
DispatchMessageA.USER32 ref: 000E3773
WaitForSingleObject.KERNEL32 ref: 000E377F
CoUninitialize.OLE32 ref: 000E3799
EnterCriticalSection.KERNEL32 ref: 000E37A9
HeapFree.KERNEL32 ref: 000E37CB
LeaveCriticalSection.KERNEL32 ref: 000E37E0

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Event$HookMessage$CriticalObjectSectionSingleWait$DesktopDispatchEnterFreeHeapInitializeLeaveThreadTranslateUninitialize
String ID:
API String ID: 3930758508-0
Opcode ID: f2802b2b6d8688c455d2d247c76bcaa7e982dedd5a4cf256e5419f0327919d4b
Instruction ID: fedda36890513c2e755f21b2ab913e1a78db44b5123246cb3df57d43401974dc
Opcode Fuzzy Hash: f2802b2b6d8688c455d2d247c76bcaa7e982dedd5a4cf256e5419f0327919d4b
Instruction Fuzzy Hash: B9417D76614A81C7E7608F22E4587AE33B1F788FEAF584135DE8A57A58CF39C549CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000DE404 Relevance: 19.7, APIs: 13, Instructions: 154synchronizationmemorythreadCOMMON

Download Yara Rule

APIs

SetThreadDesktop.USER32 ref: 000DE438

Part of subcall function 000DE650: GetSystemTime.KERNEL32(?,?,?,?,?,?,000DE443), ref: 000DE659
Part of subcall function 000DE650: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,000DE443), ref: 000DE669

WaitForMultipleObjects.KERNEL32 ref: 000DE46E
WaitForSingleObject.KERNEL32 ref: 000DE4E7
WaitForSingleObject.KERNEL32 ref: 000DE502
ReleaseMutex.KERNEL32 ref: 000DE51B
WaitForSingleObject.KERNEL32 ref: 000DE563

Part of subcall function 000DFE9C: CreateRectRgn.GDI32 ref: 000DFF04
Part of subcall function 000DFE9C: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000E00A7
Part of subcall function 000DFE9C: DeleteObject.GDI32 ref: 000E00DC

ReleaseMutex.KERNEL32 ref: 000DE585
GetRegionData.GDI32 ref: 000DE598
HeapAlloc.KERNEL32 ref: 000DE5B1
GetRegionData.GDI32 ref: 000DE5C8
HeapFree.KERNEL32 ref: 000DE5F2

Part of subcall function 000CCCB0: EnterCriticalSection.KERNEL32 ref: 000CCCDA
Part of subcall function 000CCCB0: LeaveCriticalSection.KERNEL32 ref: 000CCDA4

DeleteObject.GDI32 ref: 000DE5FF
WaitForMultipleObjects.KERNEL32 ref: 000DE624

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ObjectWait$SingleTime$CriticalDataDeleteHeapMultipleMutexObjectsRegionReleaseSectionSystem$AllocCreateDesktopEnterFileFreeLeaveRectSleepThread
String ID:
API String ID: 1144057579-0
Opcode ID: 72513c8a88893b04139f566b148b8878ba1c2176f219d215704b8529b0e5df7d
Instruction ID: b4731492d5994ba8f9f06aee3c6cd82ee1c2d19836768e19365773707471fd0c
Opcode Fuzzy Hash: 72513c8a88893b04139f566b148b8878ba1c2176f219d215704b8529b0e5df7d
Instruction Fuzzy Hash: 4F51A036700B9186EB60EF76D8447AD23A1F788BD8F185532DE4A9BB58EF38C545C710

Uniqueness

Uniqueness Score: -1.00%

Function 000DB558 Relevance: 19.6, APIs: 13, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 000DB37C: GetTempPathW.KERNEL32(?,?,00000000,00000000,00000000,000D7557), ref: 000DB3A7
Part of subcall function 000DB37C: GetLastError.KERNEL32(?,?,00000000,00000000,00000000,000D7557), ref: 000DB3B3
Part of subcall function 000DB37C: HeapFree.KERNEL32(?,?,00000000,00000000,00000000,000D7557), ref: 000DB4DD

GetLastError.KERNEL32(?,?,?,?,?,000D7C99), ref: 000DB59E
lstrlenW.KERNEL32(?,?,?,?,?,000D7C99), ref: 000DB5F6
lstrlenW.KERNEL32(?,?,?,?,?,000D7C99), ref: 000DB60F
lstrlenW.KERNEL32(?,?,?,?,?,000D7C99), ref: 000DB620
HeapAlloc.KERNEL32(?,?,?,?,?,000D7C99), ref: 000DB63C
HeapFree.KERNEL32(?,?,?,?,?,000D7C99), ref: 000DB6BB
HeapFree.KERNEL32(?,?,?,?,?,000D7C99), ref: 000DB6DF
HeapFree.KERNEL32(?,?,?,?,?,000D7C99), ref: 000DB6F6

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Free$lstrlen$ErrorLast$AllocPathTemp
String ID:
API String ID: 547147443-0
Opcode ID: 707b8142a734768b7b5827cab40c583a51b66865c7063c0d75e4b8c26e5db918
Instruction ID: 184fb3dc4625aee56abfe11153cde9915c706e780306027ddf723fb38729f2ed
Opcode Fuzzy Hash: 707b8142a734768b7b5827cab40c583a51b66865c7063c0d75e4b8c26e5db918
Instruction Fuzzy Hash: E741B275704B42C2EB649F13A9543BAB7A1BB88FC4F0A8532DE4957B28DF3CC5469310

Uniqueness

Uniqueness Score: -1.00%

Function 000CBF88 Relevance: 19.6, APIs: 13, Instructions: 79sleepmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,000C8DB4,?,?,00000000,000C212E), ref: 000CBFB7
shutdown.WS2_32 ref: 000CBFD0
closesocket.WS2_32 ref: 000CBFDA
EnterCriticalSection.KERNEL32(?,?,?,000C8DB4,?,?,00000000,000C212E), ref: 000CBFE8
shutdown.WS2_32 ref: 000CC002
CloseHandle.KERNEL32(?,?,?,000C8DB4,?,?,00000000,000C212E), ref: 000CC00C
LeaveCriticalSection.KERNEL32(?,?,?,000C8DB4,?,?,00000000,000C212E), ref: 000CC01A
Sleep.KERNEL32(?,?,?,000C8DB4,?,?,00000000,000C212E), ref: 000CC027
CloseHandle.KERNEL32(?,?,?,000C8DB4,?,?,00000000,000C212E), ref: 000CC040
CloseHandle.KERNEL32(?,?,?,000C8DB4,?,?,00000000,000C212E), ref: 000CC04F
HeapFree.KERNEL32 ref: 000E3E21
FreeLibrary.KERNEL32 ref: 000E3E33
FreeLibrary.KERNEL32 ref: 000E3E45

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CloseFreeHandle$CriticalLibrarySectionshutdown$EnterEventHeapLeaveSleepclosesocket
String ID:
API String ID: 2847004285-0
Opcode ID: 169f69094205cbb64f1046c6b18045401df381bc59cfeeb7daa211528fe95867
Instruction ID: fd7a17659a800c95aa612a2926a1c2bdfb6605bb385004c003595da0f364796a
Opcode Fuzzy Hash: 169f69094205cbb64f1046c6b18045401df381bc59cfeeb7daa211528fe95867
Instruction Fuzzy Hash: 9F313A35312A81C6EB68DF62E9947BD2370FB88B85F144125DB4A47F64CF79C5A5D300

Uniqueness

Uniqueness Score: -1.00%

Function 000C14F8 Relevance: 18.2, APIs: 12, Instructions: 189threadsleepinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 000C4E44: GetModuleHandleW.KERNEL32 ref: 000C4E6B
Part of subcall function 000C4E44: GetProcAddress.KERNEL32 ref: 000C4E7B
Part of subcall function 000C4E44: OpenProcess.KERNEL32 ref: 000C4E9B
Part of subcall function 000C4E44: CloseHandle.KERNEL32 ref: 000C4EC9

ReadProcessMemory.KERNEL32 ref: 000C15BB
ReadProcessMemory.KERNEL32 ref: 000C15E6
ReadProcessMemory.KERNEL32 ref: 000C163E
ReadProcessMemory.KERNEL32 ref: 000C1678
ReadProcessMemory.KERNEL32 ref: 000C16BB
ResumeThread.KERNEL32 ref: 000C16FA
Sleep.KERNEL32 ref: 000C1705
SuspendThread.KERNEL32 ref: 000C170F
GetThreadContext.KERNEL32 ref: 000C1723
SwitchToThread.KERNEL32 ref: 000C1771
GetLastError.KERNEL32 ref: 000C1792
ResumeThread.KERNEL32 ref: 000C17A7

Part of subcall function 000C4868: ZwQueryInformationProcess.NTDLL ref: 000C48AB
Part of subcall function 000C4868: ReadProcessMemory.KERNEL32 ref: 000C48D5

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Process$MemoryRead$Thread$HandleResume$AddressCloseContextErrorInformationLastModuleOpenProcQuerySleepSuspendSwitch
String ID:
API String ID: 2676369898-0
Opcode ID: c82658f51e30c50bf3085d017e3c592c60a9f72f27bd6e3004e42d19cc6accfb
Instruction ID: c52f8e10e661f4a20c393810fdd00fa1fa1e79dfe3dc4ef2d4e33cc5c961a269
Opcode Fuzzy Hash: c82658f51e30c50bf3085d017e3c592c60a9f72f27bd6e3004e42d19cc6accfb
Instruction Fuzzy Hash: 6071F472301B8186EB60DF22E954BEE73A4FB8ABD8F444129EE4947B5ADF38C545C740

Uniqueness

Uniqueness Score: -1.00%

Function 000C3784 Relevance: 18.2, APIs: 12, Instructions: 180stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 000C3815
MultiByteToWideChar.KERNEL32 ref: 000C3862
lstrlenA.KERNEL32 ref: 000C38B3
lstrlenA.KERNEL32 ref: 000C38C5
HeapAlloc.KERNEL32 ref: 000C38DA
lstrcpyA.KERNEL32 ref: 000C3900
lstrcatA.KERNEL32 ref: 000C3910
lstrcatA.KERNEL32 ref: 000C391D
HeapFree.KERNEL32 ref: 000C398B

Part of subcall function 000D86C4: lstrlenA.KERNEL32(?,?,?,000C3744), ref: 000D86F6
Part of subcall function 000D86C4: StrRChrA.SHLWAPI(?,?,?,000C3744), ref: 000D8708
Part of subcall function 000D86C4: HeapAlloc.KERNEL32(?,?,?,000C3744), ref: 000D875A
Part of subcall function 000D86C4: SetLastError.KERNEL32(?,?,?,000C3744), ref: 000D876B

HeapFree.KERNEL32 ref: 000C39A5
HeapFree.KERNEL32 ref: 000C39CA
SetLastError.KERNEL32 ref: 000C39D6

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$lstrlen$Free$AllocErrorLastlstrcat$ByteCharMultiWidelstrcpy
String ID:
API String ID: 1035199531-0
Opcode ID: df8b7cfe1abd96a6fed8b26ab24832b9080b7a2beaae370d9abad745f86d0438
Instruction ID: b92d0a2aa27b39cd2bce006b8fb7b3cb592ab7ca96ea0a614f02d9911cd47aa6
Opcode Fuzzy Hash: df8b7cfe1abd96a6fed8b26ab24832b9080b7a2beaae370d9abad745f86d0438
Instruction Fuzzy Hash: CD716E76211B8186DB64CFA6E8807ED37A0F788BD8F04852AEE5D87B58DF78C645D340

Uniqueness

Uniqueness Score: -1.00%

Function 000E3AC0 Relevance: 18.2, APIs: 12, Instructions: 157COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,000001F4,00000000,?,?,000DE4AC), ref: 000E3AED
GetTickCount.KERNEL32 ref: 000E3B0A
LeaveCriticalSection.KERNEL32(?,?,?,?,?,000001F4,00000000,?,?,000DE4AC), ref: 000E3B31

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterLeaveTick
String ID:
API String ID: 1056156058-0
Opcode ID: 681cdf90e9d5dd8e6dc7492bbae39486890c03ffcdc4e4ad372bcb7618c315bc
Instruction ID: 6cd983319c6a256d28a35f0accf4969e1b57c55fb386affc1bc05cc4b1c56df2
Opcode Fuzzy Hash: 681cdf90e9d5dd8e6dc7492bbae39486890c03ffcdc4e4ad372bcb7618c315bc
Instruction Fuzzy Hash: 6F716BB6610B89CAEB50DF6AF8843E837A4F704785F540026EA8963B20DFBCC595C740

Uniqueness

Uniqueness Score: -1.00%

Function 000DCFF0 Relevance: 18.1, APIs: 12, Instructions: 103threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000DCED0: IsWindow.USER32 ref: 000DCEEA
Part of subcall function 000DCED0: GetAncestor.USER32(?,?,?,000DD01D), ref: 000DCF13

GetWindowLongPtrA.USER32 ref: 000DD037
GetAncestor.USER32 ref: 000DD04C
GetWindowThreadProcessId.USER32 ref: 000DD091
GetWindowThreadProcessId.USER32 ref: 000DD0BD
GetCurrentThreadId.KERNEL32 ref: 000DD0C5
AttachThreadInput.USER32 ref: 000DD0DB
BringWindowToTop.USER32 ref: 000DD0E4
SetForegroundWindow.USER32 ref: 000DD0ED
SetActiveWindow.USER32 ref: 000DD0F6
SetFocus.USER32 ref: 000DD0FF
AttachThreadInput.USER32 ref: 000DD110
SetWindowPos.USER32 ref: 000DD13C

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Thread$AncestorAttachInputProcess$ActiveBringCurrentFocusForegroundLong
String ID:
API String ID: 371883717-0
Opcode ID: 4e6f4331a2a7f2106c98cb8d7aa6b1762e68db09d2269ff7d017330862a2c5d2
Instruction ID: a096b6c6533d42a3ef3785d3c09b3eae552a482f83f6a8b92405bb7eb18d969b
Opcode Fuzzy Hash: 4e6f4331a2a7f2106c98cb8d7aa6b1762e68db09d2269ff7d017330862a2c5d2
Instruction Fuzzy Hash: 0C31BE3530474286EB64EF26B8147AA63A6FBC9FC0F484536DE4A47B19DF3DC5428B10

Uniqueness

Uniqueness Score: -1.00%

Function 000DB37C Relevance: 18.1, APIs: 12, Instructions: 102stringmemoryCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,00000000,00000000,00000000,000D7557), ref: 000DB3A7
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,000D7557), ref: 000DB3B3
HeapAlloc.KERNEL32(?,?,00000000,00000000,00000000,000D7557), ref: 000DB3D1
GetTempPathW.KERNEL32(?,?,00000000,00000000,00000000,000D7557), ref: 000DB3E9
GetLongPathNameW.KERNEL32 ref: 000DB40E
lstrcatW.KERNEL32 ref: 000DB42E
lstrcatW.KERNEL32 ref: 000DB49F
lstrcatW.KERNEL32 ref: 000DB4B4
lstrcatW.KERNEL32 ref: 000DB4C0
HeapFree.KERNEL32(?,?,00000000,00000000,00000000,000D7557), ref: 000DB4DD

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcat$Path$HeapTemp$AllocErrorFreeLastLongName
String ID:
API String ID: 1976455836-0
Opcode ID: 0fe277ad4bd0e30aea2945b1610881bd1d7873d9866c24cd0f95772d5120cd9e
Instruction ID: 1e817e90245bfa6adb2168893907cab046034101eaff95e20192817692f269fe
Opcode Fuzzy Hash: 0fe277ad4bd0e30aea2945b1610881bd1d7873d9866c24cd0f95772d5120cd9e
Instruction Fuzzy Hash: 98417C72701B42C6EB64CF23A8443A973A1BB48BE5F4A8336DE2A47B95DF38D1559310

Uniqueness

Uniqueness Score: -1.00%

Function 000E1060 Relevance: 18.1, APIs: 12, Instructions: 99fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000E10C0
CreateFileW.KERNEL32 ref: 000E10E9
GetLastError.KERNEL32 ref: 000E10F8
SetFilePointerEx.KERNEL32 ref: 000E1114
SetFilePointerEx.KERNEL32 ref: 000E1127
ReadFile.KERNEL32 ref: 000E1160
SetFilePointerEx.KERNEL32 ref: 000E1184
SetEndOfFile.KERNEL32 ref: 000E118D
CloseHandle.KERNEL32 ref: 000E1196
DeleteFileW.KERNEL32 ref: 000E11A3

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: File$Pointer$Handle$CloseCreateDeleteErrorInformationLastRead
String ID:
API String ID: 203480122-0
Opcode ID: 83d59bc664bac4421c87887aa7e4115e9560e43cc3b5ef045d655124aa1d8f60
Instruction ID: b251537918ca9b3a9124156a8a47ad6ba10ae1fa0c5d1ab115c0f1fbac69a5d7
Opcode Fuzzy Hash: 83d59bc664bac4421c87887aa7e4115e9560e43cc3b5ef045d655124aa1d8f60
Instruction Fuzzy Hash: 8D413836714A42DBE7209FA2E944BED33A1F789BD9F008126DE1A57F54DF39C24A9700

Uniqueness

Uniqueness Score: -1.00%

Function 000E1738 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000E178A
lstrlenW.KERNEL32 ref: 000E179F
HeapAlloc.KERNEL32 ref: 000E17B4
lstrcpyW.KERNEL32 ref: 000E17CC
lstrcatW.KERNEL32 ref: 000E17E1
lstrcatW.KERNEL32 ref: 000E17ED
CloseHandle.KERNEL32 ref: 000E183B
CloseHandle.KERNEL32 ref: 000E1846
HeapFree.KERNEL32 ref: 000E1858

Strings

h, xrefs: 000E1770

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CloseHandleHeaplstrcatlstrlen$AllocFreelstrcpy
String ID: h
API String ID: 3201425327-2439710439
Opcode ID: bca777a916f1b63ede7038d97a65ef3a4add9b19ec5e45d935d7424350bbc5fd
Instruction ID: 14c2c0b4a41c53900b366b993390576657c0ba0b00a93ec89454494d7954c45f
Opcode Fuzzy Hash: bca777a916f1b63ede7038d97a65ef3a4add9b19ec5e45d935d7424350bbc5fd
Instruction Fuzzy Hash: 35313A36604B81C6EB209F62F9443AEB3A5F788FC4F444135EA8953B18DF79C556CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000D7F20 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,000D7ECA), ref: 000D7F4D
GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,000D7ECA), ref: 000D7F5D
GetLastError.KERNEL32 ref: 000D7F6A
HeapAlloc.KERNEL32 ref: 000D7F8A
GetEnvironmentVariableW.KERNEL32 ref: 000D7FA6
lstrcatW.KERNEL32 ref: 000D7FBB
lstrcatW.KERNEL32 ref: 000D7FCB
GetLastError.KERNEL32 ref: 000D7FE3
HeapFree.KERNEL32 ref: 000D7FF7

Strings

\Opera, xrefs: 000D7FC1

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: EnvironmentErrorHeapLastVariablelstrcat$AllocFreelstrlen
String ID: \Opera
API String ID: 3093186349-313673050
Opcode ID: 608224af4b2ed724d85e7c6f9f0b2884cf980ac4a0ff165c134f0c2c6b7684bd
Instruction ID: 80001c362d519971a87ee8f24adfd85402c0f2ccf9864ce1ba440d8e1732d387
Opcode Fuzzy Hash: 608224af4b2ed724d85e7c6f9f0b2884cf980ac4a0ff165c134f0c2c6b7684bd
Instruction Fuzzy Hash: 4E21A131704B52C6EB74DF67A99477A62E1BB88FD1F084031DE0A83F24EE39C84A8710

Uniqueness

Uniqueness Score: -1.00%

Function 000E23D4 Relevance: 16.8, APIs: 11, Instructions: 313keyboardwindowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 000DCD44: GetClassNameA.USER32 ref: 000DCD56
Part of subcall function 000DCD44: lstrcmpiA.KERNEL32 ref: 000DCD68

GetWindowThreadProcessId.USER32 ref: 000E2496
GetKeyboardLayout.USER32 ref: 000E249E
VkKeyScanExA.USER32 ref: 000E24F0
MapVirtualKeyA.USER32 ref: 000E2574
MapVirtualKeyA.USER32 ref: 000E25F3
MapVirtualKeyA.USER32 ref: 000E2672
VkKeyScanExW.USER32 ref: 000E273F
SendMessageTimeoutA.USER32 ref: 000E279C
GetTickCount.KERNEL32 ref: 000E27DD
SendMessageTimeoutA.USER32 ref: 000E282F
PostMessageA.USER32 ref: 000E2852

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: MessageVirtual$ScanSendTimeout$ClassCountKeyboardLayoutNamePostProcessThreadTickWindowlstrcmpi
String ID:
API String ID: 2135802322-0
Opcode ID: 19f81f2346ad4c883fac8127c1485e95e1405d06f77743536acd309a18e92368
Instruction ID: 34bbe301da280c76f5dedf24d3e94bdd5c4c66b293dd2d62c1d786726f85bba8
Opcode Fuzzy Hash: 19f81f2346ad4c883fac8127c1485e95e1405d06f77743536acd309a18e92368
Instruction Fuzzy Hash: 79B111727087C18AEBA89B2796903BD7799F784B84F184135DF8A677A0CF78C895C300

Uniqueness

Uniqueness Score: -1.00%

Function 000CCFDC Relevance: 16.7, APIs: 11, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000E05F4: GetTickCount.KERNEL32 ref: 000E0617
Part of subcall function 000E05F4: lstrlenA.KERNEL32(?,?,?,000CD017), ref: 000E0643
Part of subcall function 000E05F4: HeapAlloc.KERNEL32(?,?,?,000CD017), ref: 000E065F
Part of subcall function 000E05F4: CreateMutexA.KERNEL32(?,?,?,000CD017), ref: 000E068C
Part of subcall function 000E05F4: GetLastError.KERNEL32(?,?,?,000CD017), ref: 000E0715
Part of subcall function 000E05F4: HeapFree.KERNEL32(?,?,?,000CD017), ref: 000E072E

HeapAlloc.KERNEL32 ref: 000CD05E
GetLastError.KERNEL32 ref: 000CD172
EnterCriticalSection.KERNEL32 ref: 000CD181
LeaveCriticalSection.KERNEL32 ref: 000CD199
shutdown.WS2_32 ref: 000CD1A8
closesocket.WS2_32 ref: 000CD1B2
HeapFree.KERNEL32 ref: 000CD1DA
HeapFree.KERNEL32 ref: 000CD1F5
CloseHandle.KERNEL32 ref: 000CD204
DeleteCriticalSection.KERNEL32 ref: 000CD213
HeapFree.KERNEL32 ref: 000CD225

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Free$CriticalSection$AllocErrorLast$CloseCountCreateDeleteEnterHandleLeaveMutexTickclosesocketlstrlenshutdown
String ID:
API String ID: 3991168169-0
Opcode ID: b4032fc7bfa8bcf15bad98de0a6582d8405026e7d63186a2731c4f517da1b61a
Instruction ID: c8a5c93936b34e7866c4ed5d9a6f281abb277b815c6aa5fcf91c7912d93e8cc6
Opcode Fuzzy Hash: b4032fc7bfa8bcf15bad98de0a6582d8405026e7d63186a2731c4f517da1b61a
Instruction Fuzzy Hash: 2761A976600A8182DB24DF26DA947AD37A0FB99FC4F08812ADF9D87B25DF38C552C750

Uniqueness

Uniqueness Score: -1.00%

Function 000E758C Relevance: 16.3, APIs: 13, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000E75AA

Part of subcall function 000E567C: HeapFree.KERNEL32(?,?,00000000,000E67F6,?,?,00000000,000E6773,?,?,?,000E4DE7,?,?,?,000E50F5), ref: 000E5692
Part of subcall function 000E567C: _errno.LIBCMT ref: 000E569C
Part of subcall function 000E567C: GetLastError.KERNEL32(?,?,00000000,000E67F6,?,?,00000000,000E6773,?,?,?,000E4DE7,?,?,?,000E50F5), ref: 000E56A4

free.LIBCMT ref: 000E75BC
free.LIBCMT ref: 000E75CE
free.LIBCMT ref: 000E75E0
free.LIBCMT ref: 000E75F2
free.LIBCMT ref: 000E7604
free.LIBCMT ref: 000E7616
free.LIBCMT ref: 000E7628
free.LIBCMT ref: 000E763A
free.LIBCMT ref: 000E764C
free.LIBCMT ref: 000E7661
free.LIBCMT ref: 000E7676
free.LIBCMT ref: 000E768B

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 6e761a835e05843b1ba5ce2806947a95c0053ceeb78bdc966a0a245ec9bbdbf1
Instruction ID: 6a2c0a2873b62a604f0925e44821602a36ac47748fa41c4b6166d56287c5cd3b
Opcode Fuzzy Hash: 6e761a835e05843b1ba5ce2806947a95c0053ceeb78bdc966a0a245ec9bbdbf1
Instruction Fuzzy Hash: B82186B3304C809BEA95EB67E8913BC2361A7D878DF850513E74E67526CFA4D8C08365

Uniqueness

Uniqueness Score: -1.00%

Function 000E37F8 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

ChildWindowFromPointEx.USER32 ref: 000E3837
EnterCriticalSection.KERNEL32 ref: 000E384A
LeaveCriticalSection.KERNEL32 ref: 000E38C3

Part of subcall function 000DC9D0: GetParent.USER32 ref: 000DCB18

PtInRect.USER32 ref: 000E38AA
WindowFromPoint.USER32 ref: 000E3904
GetAncestor.USER32 ref: 000E391A
GetWindowInfo.USER32 ref: 000E3947
PtInRect.USER32 ref: 000E395E

Strings

<, xrefs: 000E393F

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$CriticalFromPointRectSection$AncestorChildEnterInfoLeaveParent
String ID: <
API String ID: 3358615102-4251816714
Opcode ID: 781bc68854c436ced176d105f64d52e0ac83d52a36e7e8b606aa1152a819710a
Instruction ID: bb92165280e3d218be013879881e28220ed78478850eee0a0b792bdf4b819904
Opcode Fuzzy Hash: 781bc68854c436ced176d105f64d52e0ac83d52a36e7e8b606aa1152a819710a
Instruction Fuzzy Hash: D5413C32301B8589EFA49F13D6487A9BBA4F754F84F089026EE4D57714DF39C559D700

Uniqueness

Uniqueness Score: -1.00%

Function 000DBD3C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 92stringmemoryCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,000DBCD3), ref: 000DBD7B
StrCmpNIW.SHLWAPI(?,?,?,000DBCD3), ref: 000DBDB5
StrCmpNIW.SHLWAPI(?,?,?,000DBCD3), ref: 000DBDDB
StrChrW.SHLWAPI(?,?,?,000DBCD3), ref: 000DBDF5
StrCmpNIW.SHLWAPI(?,?,?,000DBCD3), ref: 000DBE18
lstrcmpiW.KERNEL32(?,?,?,000DBCD3), ref: 000DBE20
HeapFree.KERNEL32(?,?,?,000DBCD3), ref: 000DBE53

Strings

\Registry\USER, xrefs: 000DBDCB
\Registry\Machine, xrefs: 000DBDA5

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcmpi$FreeHeap
String ID: \Registry\Machine$\Registry\USER
API String ID: 4129639105-1053235272
Opcode ID: 97b5d980acabfa29b6b7f2c32ce291114e1d03e8ffa0e8546630bf3413b96a6e
Instruction ID: c931f43a887c56bfa1eab0d1abd2c0c3e68c15e477e901cdb62bda9c3745a36b
Opcode Fuzzy Hash: 97b5d980acabfa29b6b7f2c32ce291114e1d03e8ffa0e8546630bf3413b96a6e
Instruction Fuzzy Hash: 83315832301B55C2EB659F22E8003AA77A5FB98FC4F4A8026CF4947B58DF79C946D360

Uniqueness

Uniqueness Score: -1.00%

Function 000DC8A0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 000DCED0: IsWindow.USER32 ref: 000DCEEA
Part of subcall function 000DCED0: GetAncestor.USER32(?,?,?,000DD01D), ref: 000DCF13

GetWindowLongPtrA.USER32 ref: 000DC8D4
GetLastActivePopup.USER32 ref: 000DC8E8
GetWindow.USER32 ref: 000DC905
GetWindow.USER32 ref: 000DC913
GetWindowInfo.USER32 ref: 000DC92C
GetWindow.USER32 ref: 000DC93A
GetWindow.USER32 ref: 000DC987
GetWindow.USER32 ref: 000DC99B

Strings

<, xrefs: 000DC924

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$ActiveAncestorInfoLastLongPopup
String ID: <
API String ID: 906851337-4251816714
Opcode ID: fdbf31e343d519392eecb34934d4ad843e63fc6a6ac0e569f89ba47cc4f7a0d1
Instruction ID: 3d5af61900f30ee775525166107837fd4162d92318540174da38b1f2ce13706d
Opcode Fuzzy Hash: fdbf31e343d519392eecb34934d4ad843e63fc6a6ac0e569f89ba47cc4f7a0d1
Instruction Fuzzy Hash: 73218F2120574282FE709B16E668B69A396AB56BD4F184032DE8A57B98DF7CC842C760

Uniqueness

Uniqueness Score: -1.00%

Function 000D87F4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 82stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,000C377C), ref: 000D8821
StrRChrW.SHLWAPI(?,?,?,000C377C), ref: 000D8833
HeapAlloc.KERNEL32(?,?,?,000C377C), ref: 000D8888
SetLastError.KERNEL32(?,?,?,000C377C), ref: 000D8899
wsprintfW.USER32 ref: 000D88C6
lstrcmpiW.KERNEL32(?,?,?,000C377C), ref: 000D88D9
lstrcatW.KERNEL32 ref: 000D88ED
lstrcatW.KERNEL32 ref: 000D88F9

Strings

Default, xrefs: 000D88CF

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcat$AllocErrorHeapLastlstrcmpilstrlenwsprintf
String ID: Default
API String ID: 401938395-753088835
Opcode ID: c8d5837e54163e08cbdecffc8a61398b78463c96512369ed8b1e3d3a7d45e18e
Instruction ID: 6a9030d01e14e6a91aa15397285f7eb78ee0ab840ff00c0fc3e0a832030b592b
Opcode Fuzzy Hash: c8d5837e54163e08cbdecffc8a61398b78463c96512369ed8b1e3d3a7d45e18e
Instruction Fuzzy Hash: 9D315E65304B8196EB249B13ED543B9A3A6FB88FD4F488036CE5A87F59DE3DC6458700

Uniqueness

Uniqueness Score: -1.00%

Function 000E160C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 81stringmemoryCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32 ref: 000E166D
OpenProcess.KERNEL32 ref: 000E1683
OpenProcess.KERNEL32 ref: 000E169D
lstrcmpiW.KERNEL32 ref: 000E16C5
HeapFree.KERNEL32 ref: 000E16DE
CloseHandle.KERNEL32 ref: 000E16EB
Process32NextW.KERNEL32 ref: 000E16FC
CloseHandle.KERNEL32 ref: 000E170F

Strings

Winsta0\Default, xrefs: 000E16BB

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcesslstrcmpi$FreeHeapNextProcess32
String ID: Winsta0\Default
API String ID: 1597940222-2867368725
Opcode ID: d777dd47f3d005c1d2d3c1c4d4e4e8689cfcbbb39deb4f553ed2f47cb5515248
Instruction ID: f7cb47769542550f03a81170e0981e8fa0633ac4c6a4a39d3f51f104783e8dbe
Opcode Fuzzy Hash: d777dd47f3d005c1d2d3c1c4d4e4e8689cfcbbb39deb4f553ed2f47cb5515248
Instruction Fuzzy Hash: E0219E35305B818AEB64DB23A8443AA63E5BB88FD4F488635DE6D93B55EF38C506D700

Uniqueness

Uniqueness Score: -1.00%

Function 000D86C4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,000C3744), ref: 000D86F6
StrRChrA.SHLWAPI(?,?,?,000C3744), ref: 000D8708

Part of subcall function 000E531C: _errno.LIBCMT ref: 000E532E
Part of subcall function 000E531C: _invalid_parameter_noinfo.LIBCMT ref: 000E5339

HeapAlloc.KERNEL32(?,?,?,000C3744), ref: 000D875A
SetLastError.KERNEL32(?,?,?,000C3744), ref: 000D876B
lstrcpyA.KERNEL32(?,?,?,000C3744), ref: 000D878A
lstrcmpiA.KERNEL32(?,?,?,000C3744), ref: 000D879A
lstrcatA.KERNEL32(?,?,?,000C3744), ref: 000D87AE
lstrcatA.KERNEL32(?,?,?,000C3744), ref: 000D87BA

Strings

Default, xrefs: 000D8790

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcat$AllocErrorHeapLast_errno_invalid_parameter_noinfolstrcmpilstrcpylstrlen
String ID: Default
API String ID: 2146732506-753088835
Opcode ID: 533bc8413560060e3945c9489f65788b9b1f4503048aa6775da957f8a4f15abf
Instruction ID: 93b787515978c0f3a398512a237388f99a629fdbce6fd0dd985d4252cb689d91
Opcode Fuzzy Hash: 533bc8413560060e3945c9489f65788b9b1f4503048aa6775da957f8a4f15abf
Instruction Fuzzy Hash: C6316B75310B41D6EA28DB23A8447AAA3A2FB88FC0F488036CE0A8BB14DE7DD145D700

Uniqueness

Uniqueness Score: -1.00%

Function 000C569C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 73threadstringCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000C56EC
GetMappedFileNameA.PSAPI ref: 000C5703
PathStripPathA.SHLWAPI ref: 000C5711
lstrcmpiA.KERNEL32 ref: 000C5723
GetTickCount.KERNEL32 ref: 000C5759
GetTickCount.KERNEL32 ref: 000C5765
GetCurrentThread.KERNEL32 ref: 000C5789
TerminateThread.KERNEL32 ref: 000C5794

Strings

windows.immersiveshell.serviceprovider.dll, xrefs: 000C5717

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CountCurrentPathThreadTick$FileMappedNameProcessStripTerminatelstrcmpi
String ID: windows.immersiveshell.serviceprovider.dll
API String ID: 84710471-1793758754
Opcode ID: 70a62bfd31ec4618ba6a11a4e5f11d25799d0a963605efb87c5f9db9165249b7
Instruction ID: ecab9b9ee312915e5feea08dc9f2169aa44f34d2110f1263d9885ad3754a44b1
Opcode Fuzzy Hash: 70a62bfd31ec4618ba6a11a4e5f11d25799d0a963605efb87c5f9db9165249b7
Instruction Fuzzy Hash: 65315A79215A81C7FB609F12FD84BA933A0F748B81F45512ADA8A83760CF7CD4D5DB40

Uniqueness

Uniqueness Score: -1.00%

Function 000DF458 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72memorystringCOMMON

Download Yara Rule

APIs

GetSystemWindowsDirectoryA.KERNEL32 ref: 000DF48F
HeapAlloc.KERNEL32 ref: 000DF4B0
GetSystemWindowsDirectoryA.KERNEL32 ref: 000DF4C7
lstrcatA.KERNEL32 ref: 000DF4DA
GetLastError.KERNEL32 ref: 000DF531

Strings

\explorer.exe, xrefs: 000DF4CD
h, xrefs: 000DF520

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: DirectorySystemWindows$AllocErrorHeapLastlstrcat
String ID: \explorer.exe$h
API String ID: 943360442-2845133803
Opcode ID: 0a6e117c620a5bcecb7d15b4684ba9f5e0bbc86734f8ff968ca36f925ccc78c2
Instruction ID: 90eb8ff0a81cd58bccb6151706a138bdd74538b580f7c8d066ea03f199b9d461
Opcode Fuzzy Hash: 0a6e117c620a5bcecb7d15b4684ba9f5e0bbc86734f8ff968ca36f925ccc78c2
Instruction Fuzzy Hash: 57318B72204B42C6E7208F26F8447AE77A4F788B88F148136EB9E83B58DF39C509C740

Uniqueness

Uniqueness Score: -1.00%

Function 000C9C88 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 69stringCOMMON

Download Yara Rule

APIs

IsBadStringPtrA.KERNEL32 ref: 000C9CE0

Part of subcall function 000C9B74: GetWindowLongPtrA.USER32 ref: 000C9BE2
Part of subcall function 000C9B74: EnterCriticalSection.KERNEL32 ref: 000C9C12
Part of subcall function 000C9B74: LeaveCriticalSection.KERNEL32 ref: 000C9C3F
Part of subcall function 000C9B74: SetWindowLongPtrA.USER32 ref: 000C9C4E
Part of subcall function 000C9B74: GetWindowLongPtrA.USER32 ref: 000C9C5D

GetClassNameA.USER32 ref: 000C9D1B
lstrcmpiA.KERNEL32 ref: 000C9D34
lstrcmpiA.KERNEL32 ref: 000C9D56
lstrcmpiA.KERNEL32 ref: 000C9D6A
lstrcmpiA.KERNEL32 ref: 000C9D7E

Strings

#32770, xrefs: 000C9D2A
TrayNotifyWnd, xrefs: 000C9D74
MSTaskSwWClass, xrefs: 000C9D4C, 000C9D60

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcmpi$LongWindow$CriticalSection$ClassEnterLeaveNameString
String ID: #32770$MSTaskSwWClass$TrayNotifyWnd
API String ID: 1160596247-1364136895
Opcode ID: 727dfee50d881250758814ef2f8706402c95aaf9847aa36d78383d0030f246d7
Instruction ID: 697d0ed3080e2d1bf8bc1c0471cd1c8b00d055fa4002fd5e3e716453cee12518
Opcode Fuzzy Hash: 727dfee50d881250758814ef2f8706402c95aaf9847aa36d78383d0030f246d7
Instruction Fuzzy Hash: EA217F3530468285EB708F26F8547AAB3A0FB9ABC0F48413ADD8AC7B65DF2CC544D754

Uniqueness

Uniqueness Score: -1.00%

Function 000C3A1C Relevance: 15.2, APIs: 10, Instructions: 153memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000C3AEC
lstrlenW.KERNEL32 ref: 000C3B02
HeapAlloc.KERNEL32 ref: 000C3B1A
lstrcpyW.KERNEL32 ref: 000C3B3D
lstrcatW.KERNEL32 ref: 000C3B4D
lstrcatW.KERNEL32 ref: 000C3B5E
HeapFree.KERNEL32 ref: 000C3BD7

Part of subcall function 000D87F4: lstrlenW.KERNEL32(?,?,?,000C377C), ref: 000D8821
Part of subcall function 000D87F4: StrRChrW.SHLWAPI(?,?,?,000C377C), ref: 000D8833
Part of subcall function 000D87F4: HeapAlloc.KERNEL32(?,?,?,000C377C), ref: 000D8888
Part of subcall function 000D87F4: SetLastError.KERNEL32(?,?,?,000C377C), ref: 000D8899

HeapFree.KERNEL32 ref: 000C3BF3
HeapFree.KERNEL32 ref: 000C3C18
SetLastError.KERNEL32 ref: 000C3C24

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Freelstrlen$AllocErrorLastlstrcat$lstrcpy
String ID:
API String ID: 895481724-0
Opcode ID: 617fa7814f67a6f464a2346e53475d5d337d29870868ac165ae1b229f18cfce6
Instruction ID: b9f4b10703055ffabf47ddef6291b10b7f0182f0143423d3e4de1482597d9b32
Opcode Fuzzy Hash: 617fa7814f67a6f464a2346e53475d5d337d29870868ac165ae1b229f18cfce6
Instruction Fuzzy Hash: 43516D76311B8586EB65DF56A880BAE73A4FB88FC0F098429DF8D57B15DF38C9518700

Uniqueness

Uniqueness Score: -1.00%

Function 000E34C0 Relevance: 15.1, APIs: 10, Instructions: 72COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 000E34F6
GetWindow.USER32 ref: 000E3511
GetWindow.USER32 ref: 000E3531
CreateEventA.KERNEL32 ref: 000E3558
GetLastError.KERNEL32 ref: 000E356A

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$CreateCriticalErrorEventInitializeLastSection
String ID:
API String ID: 1676008072-0
Opcode ID: 66cf835e03d6ce3c1a1ed7ed2e2ada2d4a9ce9efce1ed914353d74988d096cd3
Instruction ID: 05c8562dd375a861d6acb646ecd69b3aa1d221558d7cc496b79f83c9abe90359
Opcode Fuzzy Hash: 66cf835e03d6ce3c1a1ed7ed2e2ada2d4a9ce9efce1ed914353d74988d096cd3
Instruction Fuzzy Hash: 51317332605BC1C6EB609F27E4583AE27A1F788F88F188535DE5A5BB29DF39C5858310

Uniqueness

Uniqueness Score: -1.00%

Function 000C48F8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 112memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 000C5048: ZwQueryInformationProcess.NTDLL(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,000C4933,00000000,?,LoadLibraryA,?,00000000), ref: 000C5095
Part of subcall function 000C5048: ReadProcessMemory.KERNEL32(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,000C4933,00000000,?,LoadLibraryA,?,00000000), ref: 000C50EB
Part of subcall function 000C5048: ReadProcessMemory.KERNEL32(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,000C4933,00000000,?,LoadLibraryA,?,00000000), ref: 000C5111
Part of subcall function 000C5048: ReadProcessMemory.KERNEL32(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,000C4933,00000000,?,LoadLibraryA,?,00000000), ref: 000C515D

VirtualAlloc.KERNEL32(00000000,?,LoadLibraryA,?,00000000,000C4797,?,?,?,?,00000000,?,?,00000000,00000000,000C4C5E), ref: 000C4947
VirtualFree.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000000,000C4C5E,00000000,?,00000000,000C176F), ref: 000C4A3C

Part of subcall function 000C5048: ReadProcessMemory.KERNEL32(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,000C4933,00000000,?,LoadLibraryA,?,00000000), ref: 000C51D6
Part of subcall function 000C5048: StrRChrA.SHLWAPI(?,?,KERNEL32.DLL,?,?,?,00000000,00000002,00000000,00000000,000C4933,00000000,?,LoadLibraryA,?,00000000), ref: 000C5210

VirtualFree.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000000,000C4C5E,00000000,?,00000000,000C176F), ref: 000C4985
VirtualAlloc.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000000,000C4C5E,00000000,?,00000000,000C176F), ref: 000C4999
lstrcmpiA.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000000,000C4C5E,00000000,?,00000000,000C176F), ref: 000C49D0
StrChrA.SHLWAPI(?,?,?,?,00000000,?,?,00000000,00000000,000C4C5E,00000000,?,00000000,000C176F), ref: 000C49E2
lstrcmpiA.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000000,000C4C5E,00000000,?,00000000,000C176F), ref: 000C49F6

Strings

LoadLibraryA, xrefs: 000C490A

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Process$MemoryReadVirtual$AllocFreelstrcmpi$InformationQuery
String ID: LoadLibraryA
API String ID: 3835057325-1069661581
Opcode ID: 7052597e2fb3d141916387a99492ce711ef5f636cb5ca54d186e0213a6184b8b
Instruction ID: 98619e41c06afe905562de24687f40653facb01d44472f69a337e349c55631ea
Opcode Fuzzy Hash: 7052597e2fb3d141916387a99492ce711ef5f636cb5ca54d186e0213a6184b8b
Instruction Fuzzy Hash: 5C31F232700B5183EB768F66A810B6EB6D1FB88F80F488029DE0987B10EF7DD951D745

Uniqueness

Uniqueness Score: -1.00%

Function 000D7E00 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 63stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 000D7E3F
MultiByteToWideChar.KERNEL32 ref: 000D7E8D
lstrcpyW.KERNEL32 ref: 000D7E9D
lstrcatW.KERNEL32 ref: 000D7EAE

Strings

LOCALAPPDATA, xrefs: 000D7EEE
\Local Settings\Application Data, xrefs: 000D7EDB
APPDATA, xrefs: 000D7EB8
USERPROFILE, xrefs: 000D7EE2

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWidelstrcatlstrcpylstrlen
String ID: APPDATA$LOCALAPPDATA$USERPROFILE$\Local Settings\Application Data
API String ID: 3312154097-664161059
Opcode ID: 3e6b4c658a72920e03016bd943eadcf2ec7a697c26d9a8c92478e8336afa8ece
Instruction ID: 74dea79252957d653da897193f92e80089543ce3dd527a6e675b12cf18a8bcc8
Opcode Fuzzy Hash: 3e6b4c658a72920e03016bd943eadcf2ec7a697c26d9a8c92478e8336afa8ece
Instruction Fuzzy Hash: 87214F32214AC6D5DB309F65D8947D83361F708BA8F844322DA2D1BFA9DF34C64AC710

Uniqueness

Uniqueness Score: -1.00%

Function 000D8A00 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,000D890C,?,?,?,000C377C), ref: 000D8A4A
HeapAlloc.KERNEL32(?,?,?,000D890C,?,?,?,000C377C), ref: 000D8A6A
SetLastError.KERNEL32(?,?,?,000D890C,?,?,?,000C377C), ref: 000D8A7B
wsprintfW.USER32 ref: 000D8A92
lstrcmpW.KERNEL32(?,?,?,000D890C,?,?,?,000C377C), ref: 000D8AA2
lstrcatW.KERNEL32 ref: 000D8AB6
lstrcatW.KERNEL32 ref: 000D8AC2

Strings

Default, xrefs: 000D8A98

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcat$AllocErrorHeapLastlstrcmplstrlenwsprintf
String ID: Default
API String ID: 4106241528-753088835
Opcode ID: ea9e675ee0f60606f371aaea1c70caf293ca704d6ee0e7549cab46cd597e27e4
Instruction ID: c62bd5093f5ef3757fc6958815ba46edd6fd145a75b12c09498abd49beb7af30
Opcode Fuzzy Hash: ea9e675ee0f60606f371aaea1c70caf293ca704d6ee0e7549cab46cd597e27e4
Instruction Fuzzy Hash: 111149B8705B82D6EB64DB17E9443A96361BB88FD0F488432DE4A47B28DF3DD5968700

Uniqueness

Uniqueness Score: -1.00%

Function 000D892C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 53stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000E531C: _errno.LIBCMT ref: 000E532E
Part of subcall function 000E531C: _invalid_parameter_noinfo.LIBCMT ref: 000E5339

lstrlenA.KERNEL32(?,?,?,000D87CD,?,?,?,000C3744), ref: 000D8972
HeapAlloc.KERNEL32(?,?,?,000D87CD,?,?,?,000C3744), ref: 000D898F
SetLastError.KERNEL32(?,?,?,000D87CD,?,?,?,000C3744), ref: 000D89A0
lstrcpyA.KERNEL32(?,?,?,000D87CD,?,?,?,000C3744), ref: 000D89B0
lstrcmpA.KERNEL32(?,?,?,000D87CD,?,?,?,000C3744), ref: 000D89C0
lstrcatA.KERNEL32(?,?,?,000D87CD,?,?,?,000C3744), ref: 000D89D4
lstrcatA.KERNEL32(?,?,?,000D87CD,?,?,?,000C3744), ref: 000D89E0

Strings

Default, xrefs: 000D89B6

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcat$AllocErrorHeapLast_errno_invalid_parameter_noinfolstrcmplstrcpylstrlen
String ID: Default
API String ID: 1492962387-753088835
Opcode ID: 454ea94882dbfe3c84a6b33c52f229790f75d96ab900be1c4ee0b7a7cda4ab9d
Instruction ID: 0da2e4f29273d91e2c35c818a0028597cce2b3751a205a287896dbcaba0b15e0
Opcode Fuzzy Hash: 454ea94882dbfe3c84a6b33c52f229790f75d96ab900be1c4ee0b7a7cda4ab9d
Instruction Fuzzy Hash: 18114674305B82C6EA64DB23F9183B9A761BB88FC0F488032DE8A47B28DE3DC545C700

Uniqueness

Uniqueness Score: -1.00%

Function 000D7CFC Relevance: 14.0, APIs: 2, Strings: 6, Instructions: 34COMMON

Download Yara Rule

APIs

PathRemoveBlanksW.SHLWAPI ref: 000D7D28
PathRemoveArgsW.SHLWAPI ref: 000D7D31

Strings

OPRN, xrefs: 000D7D5B
--user-data-dir=, xrefs: 000D7D48
Opera Software\Opera Stable, xrefs: 000D7D4F
APPDATA, xrefs: 000D7D62
--no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11, xrefs: 000D7D3C
opera.exe, xrefs: 000D7D69

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: PathRemove$ArgsBlanks
String ID: --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11$ --user-data-dir=$APPDATA$OPRN$Opera Software\Opera Stable$opera.exe
API String ID: 3367427818-3321430093
Opcode ID: 699916a4dcf65d450c207d3851f764266fd88a848173e39d01778f30773f382f
Instruction ID: 1c85e974315e0c07ed72e606d29e6f310107dc062c401f1ecbfbd52cf6927b0e
Opcode Fuzzy Hash: 699916a4dcf65d450c207d3851f764266fd88a848173e39d01778f30773f382f
Instruction Fuzzy Hash: C201D631608F86D1EB219B15F9403AA73A4F788BE4F444126EA8E07B29EF38C255D750

Uniqueness

Uniqueness Score: -1.00%

Function 000C7730 Relevance: 13.6, APIs: 9, Instructions: 104synchronizationCOMMON

Download Yara Rule

APIs

WindowFromDC.USER32 ref: 000C775B
WaitForSingleObject.KERNEL32 ref: 000C7784
CreateRectRgn.GDI32 ref: 000C7797
GetClipRgn.GDI32 ref: 000C77A6
SelectClipRgn.GDI32 ref: 000C77B8
DeleteObject.GDI32 ref: 000C77C1
GetViewportOrgEx.GDI32 ref: 000C77CF
SetViewportOrgEx.GDI32 ref: 000C77E5
ReleaseMutex.KERNEL32 ref: 000C785F

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ClipObjectViewport$CreateDeleteFromMutexRectReleaseSelectSingleWaitWindow
String ID:
API String ID: 3315380975-0
Opcode ID: 93611d19cd4074ff6330dac70336fe6cffb242f110c228f130af1fd565161583
Instruction ID: c3dc69fb5756f89a9ac260c8ffa30be8afd60f4179f8486b1ede3389a07159c4
Opcode Fuzzy Hash: 93611d19cd4074ff6330dac70336fe6cffb242f110c228f130af1fd565161583
Instruction Fuzzy Hash: DF41A576609B818BD760CF5AF484B5AB7A1F789B90F144126EE8D93B28DF38D4858F00

Uniqueness

Uniqueness Score: -1.00%

Function 000C78F8 Relevance: 13.6, APIs: 9, Instructions: 94synchronizationCOMMON

Download Yara Rule

APIs

WindowFromDC.USER32 ref: 000C7923
WaitForSingleObject.KERNEL32 ref: 000C794C
CreateRectRgn.GDI32 ref: 000C7965
GetClipRgn.GDI32 ref: 000C7974
SelectClipRgn.GDI32 ref: 000C7986
DeleteObject.GDI32 ref: 000C798F
GetViewportOrgEx.GDI32 ref: 000C799D
SetViewportOrgEx.GDI32 ref: 000C79B3
ReleaseMutex.KERNEL32 ref: 000C7A0A

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ClipObjectViewport$CreateDeleteFromMutexRectReleaseSelectSingleWaitWindow
String ID:
API String ID: 3315380975-0
Opcode ID: c783c415bf906a881a554ebfdb13ba65d7b1c5e2017bd86698bfc110eaa970dc
Instruction ID: 2cbbfe0494adf0f66343ae0dfa8c89ffd00764fa5d5c8b82cf03dfdc26fc932e
Opcode Fuzzy Hash: c783c415bf906a881a554ebfdb13ba65d7b1c5e2017bd86698bfc110eaa970dc
Instruction Fuzzy Hash: F141E836714B81CBDB60CF16E844B5EB7A1F789B90F144525EE9983B28DF38D485CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000DFD50 Relevance: 13.6, APIs: 9, Instructions: 91windowCOMMON

Download Yara Rule

APIs

GetSystemPaletteEntries.GDI32 ref: 000DFD7D
CreateCompatibleDC.GDI32 ref: 000DFE12
SelectObject.GDI32 ref: 000DFE2A
DeleteDC.GDI32 ref: 000DFE3B
SetDIBColorTable.GDI32 ref: 000DFE50
SelectObject.GDI32 ref: 000DFE5C
DeleteObject.GDI32 ref: 000DFE6A
DeleteObject.GDI32 ref: 000DFE75
DeleteDC.GDI32 ref: 000DFE7E

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: DeleteObject$Select$ColorCompatibleCreateEntriesPaletteSystemTable
String ID:
API String ID: 4035217877-0
Opcode ID: 3e9076dbc31fd3705bec7ff79a0f0781ab171b071f8c75de7ea5ef414fd1cd3c
Instruction ID: 1cb6b5acf773592db6afdbd49a2e258b6306766492126f2d8b341e515a1ff3bf
Opcode Fuzzy Hash: 3e9076dbc31fd3705bec7ff79a0f0781ab171b071f8c75de7ea5ef414fd1cd3c
Instruction Fuzzy Hash: 9E31E8323157C184EB258B25A4143F967A1E759FC8F588536CA8B43B66DE2DC14ACB24

Uniqueness

Uniqueness Score: -1.00%

Function 000E03EC Relevance: 13.6, APIs: 9, Instructions: 82stringmemoryCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32 ref: 000E041A
HeapAlloc.KERNEL32 ref: 000E043F
GetTempPathW.KERNEL32 ref: 000E0457
lstrcatW.KERNEL32 ref: 000E046F
lstrlenA.KERNEL32 ref: 000E0484
MultiByteToWideChar.KERNEL32 ref: 000E04D1
lstrcpyW.KERNEL32 ref: 000E04E1
lstrcatW.KERNEL32 ref: 000E04F2
HeapFree.KERNEL32 ref: 000E0513

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: HeapPathTemplstrcat$AllocByteCharFreeMultiWidelstrcpylstrlen
String ID:
API String ID: 2712064585-0
Opcode ID: 403a12673f3b9ad80ad6fd25dce0c9d7cb8597514e576a7ab5c284740027203c
Instruction ID: 2ced9caa62a54045c806106d3a6217081f46ff8ee241d39912f638e063b8945a
Opcode Fuzzy Hash: 403a12673f3b9ad80ad6fd25dce0c9d7cb8597514e576a7ab5c284740027203c
Instruction Fuzzy Hash: 4D319672310A86D5DB209F63D8947E92361F748BE8F448225DA2D5BB94DF38C249C700

Uniqueness

Uniqueness Score: -1.00%

Function 000DB2A8 Relevance: 13.6, APIs: 9, Instructions: 59memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 000DB7F0: GetEnvironmentVariableW.KERNEL32(?,?,00000000,000DB2C9,?,?,?,000D7620), ref: 000DB809
Part of subcall function 000DB7F0: HeapAlloc.KERNEL32(?,?,00000000,000DB2C9,?,?,?,000D7620), ref: 000DB824
Part of subcall function 000DB7F0: GetEnvironmentVariableW.KERNEL32(?,?,00000000,000DB2C9,?,?,?,000D7620), ref: 000DB83F
Part of subcall function 000DB7F0: GetLastError.KERNEL32(?,?,00000000,000DB2C9,?,?,?,000D7620), ref: 000DB851
Part of subcall function 000DB7F0: HeapFree.KERNEL32(?,?,00000000,000DB2C9,?,?,?,000D7620), ref: 000DB865
Part of subcall function 000DB7F0: SetLastError.KERNEL32(?,?,00000000,000DB2C9,?,?,?,000D7620), ref: 000DB918

GetLastError.KERNEL32(?,?,?,000D7620), ref: 000DB2D1
lstrlenW.KERNEL32(?,?,?,000D7620), ref: 000DB2DE
lstrlenW.KERNEL32(?,?,?,000D7620), ref: 000DB2E9
HeapAlloc.KERNEL32(?,?,?,000D7620), ref: 000DB303
HeapFree.KERNEL32(?,?,?,000D7620), ref: 000DB351
SetLastError.KERNEL32(?,?,?,000D7620), ref: 000DB35D

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocEnvironmentFreeVariablelstrlen
String ID:
API String ID: 2453418766-0
Opcode ID: ee387e15b1e35a478968b5a98ca8b01960ff8cbba0a00393fe1ce24734623859
Instruction ID: 6c19ecea3283f1f666892d541b03798d89760e6c85589c82c560f2aa6cf79544
Opcode Fuzzy Hash: ee387e15b1e35a478968b5a98ca8b01960ff8cbba0a00393fe1ce24734623859
Instruction Fuzzy Hash: 97116A35704B81C2EB68DBA7A9943BA73A1BB88FC1F494435DE4A07B15DF38C645A210

Uniqueness

Uniqueness Score: -1.00%

Function 000C19AC Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 000C3448: NtCreateSection.NTDLL ref: 000C34CE
Part of subcall function 000C3448: ZwClose.NTDLL ref: 000C352B

CloseHandle.KERNEL32(?,00000000,00000000,00000000,?,000C1762), ref: 000C1CB9

Part of subcall function 000C36AC: NtMapViewOfSection.NTDLL ref: 000C36E6
Part of subcall function 000C36AC: RtlNtStatusToDosError.NTDLL ref: 000C36EE

GetModuleHandleW.KERNEL32(?,00000000,00000000,00000000,?,000C1762), ref: 000C1BF9

Strings

LdrGetProcedureAddress, xrefs: 000C1B80, 000C1C22
NTDLL.DLL, xrefs: 000C1BED
LdrLoadDll, xrefs: 000C1B59, 000C1C07
NtProtectVirtualMemory, xrefs: 000C1BA2, 000C1C3D
NTDLL.DLL, xrefs: 000C1B52

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CloseHandleSection$CreateErrorModuleStatusView
String ID: LdrGetProcedureAddress$LdrLoadDll$NTDLL.DLL$NTDLL.DLL$NtProtectVirtualMemory
API String ID: 2058107117-2923435655
Opcode ID: 0a614c6b25047f6eb4c2312f6251e534bba85a3bdbe669460370227170dfad60
Instruction ID: 48e1bf3aacd0c3799040867244a75abbf55791895c18ffafa91ca7cf65739781
Opcode Fuzzy Hash: 0a614c6b25047f6eb4c2312f6251e534bba85a3bdbe669460370227170dfad60
Instruction Fuzzy Hash: 1C818CB5301B4186EB64EF56E8E0BE833A2FB49798F45452AEE5C43756EF78C494C340

Uniqueness

Uniqueness Score: -1.00%

Function 000DDF6C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

BitBlt.GDI32 ref: 000DE009
EnterCriticalSection.KERNEL32 ref: 000DE021
GetWindowLongPtrA.USER32 ref: 000DE06E
GetParent.USER32 ref: 000DE07E
LeaveCriticalSection.KERNEL32 ref: 000DE0F4
SendMessageTimeoutA.USER32 ref: 000DE138

Part of subcall function 000DCFB4: IsWindowVisible.USER32 ref: 000DCFC1
Part of subcall function 000DCFB4: GetWindowLongPtrA.USER32 ref: 000DCFD3

Strings

, xrefs: 000DDFE6

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$CriticalLongSection$EnterLeaveMessageParentSendTimeoutVisible
String ID:
API String ID: 401506982-3916222277
Opcode ID: d3cb3be62c767927be01acff220b3097c6f601df6a33f9389ee711c0e3afbb65
Instruction ID: 84cc7c95b41ef7d2e865257a6750bf53c6f81f70c0953d840517a5624d21e958
Opcode Fuzzy Hash: d3cb3be62c767927be01acff220b3097c6f601df6a33f9389ee711c0e3afbb65
Instruction Fuzzy Hash: B0619C76300B8182DB60EF26E8447ADBBA5F784B88F049033EE4A4BB18DF78C485C710

Uniqueness

Uniqueness Score: -1.00%

Function 000CB58C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,7AFE00006BEB0604,00000000,000DB0D9,?,?,?,?,?,00000000,?,?,?,000C8A8A), ref: 000CB5CA
GetLastError.KERNEL32(?,?,?,7AFE00006BEB0604,00000000,000DB0D9,?,?,?,?,?,00000000,?,?,?,000C8A8A), ref: 000CB5D8
GetProcAddress.KERNEL32(?,?,?,7AFE00006BEB0604,00000000,000DB0D9,?,?,?,?,?,00000000,?,?,?,000C8A8A), ref: 000CB5EF
GetProcAddress.KERNEL32(?,?,?,7AFE00006BEB0604,00000000,000DB0D9,?,?,?,?,?,00000000,?,?,?,000C8A8A), ref: 000CB60B

Strings

GetFileVersionInfoSizeW, xrefs: 000CB5E5
version.dll, xrefs: 000CB5C3
GetFileVersionInfoW, xrefs: 000CB601

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLastLibraryLoad
String ID: GetFileVersionInfoSizeW$GetFileVersionInfoW$version.dll
API String ID: 856020675-3712324480
Opcode ID: a130bb1e5eadff178e6ed09c34642a9d545639ab9e3584509a5bf66917e970df
Instruction ID: d96d790f555d06f4d4837587ccb19eb100922e8e2804db20aed994dd0027be20
Opcode Fuzzy Hash: a130bb1e5eadff178e6ed09c34642a9d545639ab9e3584509a5bf66917e970df
Instruction Fuzzy Hash: 12315875202B5182EA25EF66E9517BC73E0FB88B81F484029EE4983B64EF38C891D300

Uniqueness

Uniqueness Score: -1.00%

Function 000DD758 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32 ref: 000DD7C2
FillRect.USER32 ref: 000DD7FF
DrawEdge.USER32 ref: 000DD816
RedrawWindow.USER32 ref: 000DD82C
GdiFlush.GDI32 ref: 000DD840
BitBlt.GDI32 ref: 000DD880

Strings

, xrefs: 000DD853

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: DrawEdgeFillFlushMessageRectRedrawSendTimeoutWindow
String ID:
API String ID: 3441529251-3916222277
Opcode ID: b45327febe18618d00dc1cb16e22fb89e530859979a5b5c91baf0961bde501a1
Instruction ID: bb95d5bc69054a7084f5f87eebb6ab7060cfbdf5f9963a41d2ee1b2d7b3a24ff
Opcode Fuzzy Hash: b45327febe18618d00dc1cb16e22fb89e530859979a5b5c91baf0961bde501a1
Instruction Fuzzy Hash: 64314A76B10791CAE720CF66E844BAD37B0F348B88F645626DE5953F08DB38D545CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000C55A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52threadstringCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000C55E0
PathStripPathA.SHLWAPI ref: 000C5605
lstrcmpiA.KERNEL32 ref: 000C5617
SleepEx.KERNEL32 ref: 000C564E
GetCurrentThread.KERNEL32 ref: 000C5665
TerminateThread.KERNEL32 ref: 000C5670

Strings

windows.immersiveshell.serviceprovider.dll, xrefs: 000C560B

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CurrentPathThread$ProcessSleepStripTerminatelstrcmpi
String ID: windows.immersiveshell.serviceprovider.dll
API String ID: 193402735-1793758754
Opcode ID: 39b2948003ffa3d29f336edc8a55e066a61323e5556c0f10a85a902e9ad28d33
Instruction ID: 35bab0197cbcb3892596dddae93d7c4a904d4fcbc8e8f95fb08a5225a1572298
Opcode Fuzzy Hash: 39b2948003ffa3d29f336edc8a55e066a61323e5556c0f10a85a902e9ad28d33
Instruction Fuzzy Hash: F5212CB5211A42C7FB609B12FD847E963A1FB48BCAF848025DA8987674DFBCC589D740

Uniqueness

Uniqueness Score: -1.00%

Function 000D7C18 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 34COMMON

Download Yara Rule

APIs

PathRemoveBlanksW.SHLWAPI ref: 000D7C44
PathRemoveArgsW.SHLWAPI ref: 000D7C4D

Strings

LOCALAPPDATA, xrefs: 000D7C7E
Google\Chrome\User Data, xrefs: 000D7C6B
--user-data-dir=, xrefs: 000D7C64
chrome.exe, xrefs: 000D7C85
--no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11, xrefs: 000D7C58

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: PathRemove$ArgsBlanks
String ID: --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11$ --user-data-dir=$Google\Chrome\User Data$LOCALAPPDATA$chrome.exe
API String ID: 3367427818-2742134296
Opcode ID: d8d11a012c8f2f25010ad28a7d70f3d778c6cad76e5bc4adbec1cc3368adbafe
Instruction ID: 7fe190946dfd5333bbb9ee339c88fa50a6014fd3e595175c9b2bc96b8dd64b05
Opcode Fuzzy Hash: d8d11a012c8f2f25010ad28a7d70f3d778c6cad76e5bc4adbec1cc3368adbafe
Instruction Fuzzy Hash: B0011A31618F86D1EB21DB11F9403AA73A4F788BE4F444136EA8D03B28EF38D255D700

Uniqueness

Uniqueness Score: -1.00%

Function 000DC618 Relevance: 12.1, APIs: 8, Instructions: 90windowCOMMON

Download Yara Rule

APIs

GetAncestor.USER32 ref: 000DC66E
GetWindow.USER32 ref: 000DC6A3
GetWindow.USER32 ref: 000DC6B1
GetWindowLongPtrA.USER32 ref: 000DC6CE
GetAncestor.USER32 ref: 000DC6EC
PostMessageA.USER32 ref: 000DC720
GetWindow.USER32 ref: 000DC742

Part of subcall function 000DC9D0: GetParent.USER32 ref: 000DCB18

ShowWindow.USER32 ref: 000DC734

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Ancestor$LongMessageParentPostShow
String ID:
API String ID: 841378396-0
Opcode ID: a9eb0fde2bac285861922dbac9fd4381424ba20ca2e2a04ad569d526335c0cd3
Instruction ID: 9fe16c9267ba30fbe2e5b38d3aa4e1fd75317adb2fa233d40f15074c9cc7b3ad
Opcode Fuzzy Hash: a9eb0fde2bac285861922dbac9fd4381424ba20ca2e2a04ad569d526335c0cd3
Instruction Fuzzy Hash: E531D53170474382FF64AB62A959BAEA2A5FB95FD0F185032DE0647B56DF3DC802C750

Uniqueness

Uniqueness Score: -1.00%

Function 000DF0C4 Relevance: 12.1, APIs: 8, Instructions: 85stringthreadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000D9A9C: WaitForSingleObject.KERNEL32(?,?,00000000,000DF0EA,?,?,?,00000000,00000000,000C88F8,?,?,?,?,?,000C1F66), ref: 000D9AAA

GetCurrentThreadId.KERNEL32 ref: 000DF110
GetThreadDesktop.USER32(?,?,?,00000000,00000000,000C88F8,?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000DF118
GetDesktopWindow.USER32 ref: 000DF121
lstrcpyA.KERNEL32(?,?,?,00000000,00000000,000C88F8,?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000DF185
lstrlenA.KERNEL32(?,?,?,00000000,00000000,000C88F8,?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000DF192
CreateMutexA.KERNEL32(?,?,?,00000000,00000000,000C88F8,?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000DF1A5
GetLastError.KERNEL32(?,?,?,00000000,00000000,000C88F8,?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000DF1B7

Part of subcall function 000DF968: GetDC.USER32 ref: 000DF99B
Part of subcall function 000DF968: GetDeviceCaps.GDI32 ref: 000DF9AE
Part of subcall function 000DF968: ReleaseDC.USER32 ref: 000DFCA3

Part of subcall function 000DEA58: GetDC.USER32 ref: 000DEA7E
Part of subcall function 000DEA58: SelectObject.GDI32 ref: 000DEA9A
Part of subcall function 000DEA58: DeleteObject.GDI32 ref: 000DEAA7
Part of subcall function 000DEA58: DeleteDC.GDI32 ref: 000DEAB4
Part of subcall function 000DEA58: CreateCompatibleDC.GDI32 ref: 000DEABD
Part of subcall function 000DEA58: GetLastError.KERNEL32(?,?,00000088,000DF1E4,?,?,?,00000000,00000000,000C88F8,?,?,?,?,?,000C1F66), ref: 000DEACF
Part of subcall function 000DEA58: SelectObject.GDI32 ref: 000DEBB9
Part of subcall function 000DEA58: DeleteObject.GDI32 ref: 000DEBD3
Part of subcall function 000DEA58: DeleteDC.GDI32 ref: 000DEBED
Part of subcall function 000DEA58: SelectObject.GDI32 ref: 000DEC20
Part of subcall function 000DEA58: DeleteObject.GDI32 ref: 000DEC3A
Part of subcall function 000DEA58: DeleteDC.GDI32 ref: 000DEC54
Part of subcall function 000DEA58: ReleaseDC.USER32 ref: 000DEC6C

CloseHandle.KERNEL32(?,?,?,00000000,00000000,000C88F8,?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000DF1F1

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Object$Delete$Select$CreateDesktopErrorLastReleaseThread$CapsCloseCompatibleCurrentDeviceHandleMutexSingleWaitWindowlstrcpylstrlen
String ID:
API String ID: 3932841243-0
Opcode ID: 4b9ca5749c03d8a45885787996a6833924b9d2e670c1c74391e1049c296c5ad5
Instruction ID: 347be9f03025b104e7caa8f82ae660eb26f51b5f95dcd3efc574be09f3890a3e
Opcode Fuzzy Hash: 4b9ca5749c03d8a45885787996a6833924b9d2e670c1c74391e1049c296c5ad5
Instruction Fuzzy Hash: 4C316836700B82D3D718DF26E9543A9B7A1F788B80F0481369B6A87B11DF38E0758740

Uniqueness

Uniqueness Score: -1.00%

Function 000C7DA8 Relevance: 12.0, APIs: 4, Strings: 4, Instructions: 49stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32 ref: 000C7DEC
lstrcmpiA.KERNEL32 ref: 000C7E00
lstrcmpiA.KERNEL32 ref: 000C7E14
lstrcmpiA.KERNEL32 ref: 000C7E28

Strings

Direct3DCreate9, xrefs: 000C7E0A
CreateDXGIFactory1, xrefs: 000C7DE2
Direct3DCreate9Ex, xrefs: 000C7E1E
D3D10CreateDevice1, xrefs: 000C7DF6

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: CreateDXGIFactory1$D3D10CreateDevice1$Direct3DCreate9$Direct3DCreate9Ex
API String ID: 1586166983-74941414
Opcode ID: 6c6379793dd3f41e305fd82e93387772fb41a5ffdfd6c560011c3e772898b384
Instruction ID: 2a3f7b3e8da75b9e39c8ecfdf5ad9283a8b0ccabe5aeba1a67a053a605879536
Opcode Fuzzy Hash: 6c6379793dd3f41e305fd82e93387772fb41a5ffdfd6c560011c3e772898b384
Instruction Fuzzy Hash: F6115B75318B4282FF609BA6BA503BA23A5BB48BC0F849065DD5987B65DF3CC846DB10

Uniqueness

Uniqueness Score: -1.00%

Function 000DFE9C Relevance: 10.7, APIs: 7, Instructions: 175sleepCOMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32 ref: 000DFF04
IntersectRect.USER32 ref: 000DFFFF
CreateRectRgn.GDI32 ref: 000E0017
CombineRgn.GDI32 ref: 000E003C
DeleteObject.GDI32 ref: 000E0074
Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000E00A7
DeleteObject.GDI32 ref: 000E00DC

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Rect$CreateDeleteObject$CombineIntersectSleep
String ID:
API String ID: 1191493533-0
Opcode ID: 50ad730735717c25ee22c944d0c381a7489849a06b7cee71c1e337e86d640126
Instruction ID: c02ac92ebe82947412d31ae1f4c72967594e4cfc758a2dad1c73e918b1b69771
Opcode Fuzzy Hash: 50ad730735717c25ee22c944d0c381a7489849a06b7cee71c1e337e86d640126
Instruction Fuzzy Hash: F4616836B01A518FEB14CFBAE4547AD37B5F78878CF14403AEE0AA7B48DA759446CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000C2DAC Relevance: 10.6, APIs: 7, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 000C2E17
VirtualProtect.KERNEL32 ref: 000C2EED
VirtualProtect.KERNEL32 ref: 000C2F30
VirtualProtect.KERNEL32 ref: 000C2F52
EnterCriticalSection.KERNEL32 ref: 000C2F66
LeaveCriticalSection.KERNEL32 ref: 000C2F93

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$CriticalSection$EnterLeave
String ID:
API String ID: 1801948497-0
Opcode ID: e927bb774d20c9f8a09ccf847871a5c6d821a64bcd3ecc9c36b7dacc2c7d593d
Instruction ID: f8ad89e2cc5cfa9eaa950d63313ba9d3f59f88650aaae6ad1886774382f4b868
Opcode Fuzzy Hash: e927bb774d20c9f8a09ccf847871a5c6d821a64bcd3ecc9c36b7dacc2c7d593d
Instruction Fuzzy Hash: 54513832215B44C6DB64CF16E544BAEB7E4F788B84F50412AEF8A47F64DB38D552CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000E5124 Relevance: 10.6, APIs: 7, Instructions: 122COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000E514F
_errno.LIBCMT ref: 000E5144

Part of subcall function 000E6944: _getptd_noexit.LIBCMT ref: 000E6948

_errno.LIBCMT ref: 000E51F2
_invalid_parameter_noinfo.LIBCMT ref: 000E51FD

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: d264d70ac494c9bd6ef9a1067b8c1b738c4293bdfa377bd244700c1b85ca8b76
Instruction ID: 0bc47ecbadede344f21ccb4fe9f7915101b82db37234b516adf9d65a9a0f5ef0
Opcode Fuzzy Hash: d264d70ac494c9bd6ef9a1067b8c1b738c4293bdfa377bd244700c1b85ca8b76
Instruction Fuzzy Hash: 28413672A00AD18EDFA4AB23A9403BD73E0F791B9EF88451AEB9577685D738C941C700

Uniqueness

Uniqueness Score: -1.00%

Function 000E531C Relevance: 10.6, APIs: 7, Instructions: 83COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000E5339
_errno.LIBCMT ref: 000E532E

Part of subcall function 000E6944: _getptd_noexit.LIBCMT ref: 000E6948

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000E5399
_errno.LIBCMT ref: 000E53B2
_invalid_parameter_noinfo.LIBCMT ref: 000E53BD

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
String ID:
API String ID: 781512312-0
Opcode ID: 5452b0bc42a660a39930c5958dc8168b32e58204a08721f8b2057175ee29e919
Instruction ID: 7b1d68ecb203b2a7f621f4dbf194cbe313a89da129b06658344540e5c95cc965
Opcode Fuzzy Hash: 5452b0bc42a660a39930c5958dc8168b32e58204a08721f8b2057175ee29e919
Instruction Fuzzy Hash: 4A213B62704FC08DCF605B739D8137D66E0A744BEEF184625EB652B796DAA8CAC1C700

Uniqueness

Uniqueness Score: -1.00%

Function 000CA248 Relevance: 10.6, APIs: 7, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,000C201E), ref: 000CA26F
GetVersion.KERNEL32(?,?,?,000C201E), ref: 000CA28B
SetWindowsHookExA.USER32 ref: 000CA2CF
EnterCriticalSection.KERNEL32(?,?,?,000C201E), ref: 000CA2E5
LeaveCriticalSection.KERNEL32(?,?,?,000C201E), ref: 000CA328
HeapFree.KERNEL32(?,?,?,000C201E), ref: 000CA33E
GetLastError.KERNEL32(?,?,?,000C201E), ref: 000CA355

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocEnterErrorFreeHookLastLeaveVersionWindows
String ID:
API String ID: 1643053347-0
Opcode ID: 3a7bedb5b6ee4cf1c8f7db4c89bd22cec24b8dc5e22ca73e5e021392583330a2
Instruction ID: 6c1ccad227eb941d26a8d580b0cda951950c92a0b0caf4d6fe28d53c3ce5f7e9
Opcode Fuzzy Hash: 3a7bedb5b6ee4cf1c8f7db4c89bd22cec24b8dc5e22ca73e5e021392583330a2
Instruction Fuzzy Hash: 07319036701B48C2EB64DF56E8907AC33A1F799B88F548429EB4E43B24DF79C981D341

Uniqueness

Uniqueness Score: -1.00%

Function 000D8CE4 Relevance: 10.6, APIs: 7, Instructions: 64stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D8DC8: HeapAlloc.KERNEL32(?,?,?,?,?,?,00000000,000D8D25,?,?,?,?,00000000,000D9783), ref: 000D8DEE
Part of subcall function 000D8DC8: wsprintfA.USER32 ref: 000D8EB8

lstrlenA.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D35
lstrlenA.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D45
HeapAlloc.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D59
lstrcpyA.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D75
lstrcatA.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D81
lstrcatA.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D92
HeapFree.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8DA4

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Alloclstrcatlstrlen$Freelstrcpywsprintf
String ID:
API String ID: 4068783096-0
Opcode ID: 0f8c2579df3f522aae54c512c061854c71589bb012ff414c1cc09ada850e30c4
Instruction ID: 70a4a878d09f22c2c09dff06b2e779440beef9b5081239ad1ceedbcc58bef8db
Opcode Fuzzy Hash: 0f8c2579df3f522aae54c512c061854c71589bb012ff414c1cc09ada850e30c4
Instruction Fuzzy Hash: BE218935701B41C2EB659F23A9443B9B7A2BB99FC0F488422CE0957B95DE3DC4018710

Uniqueness

Uniqueness Score: -1.00%

Function 000DBBB0 Relevance: 10.6, APIs: 7, Instructions: 63stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,000DBD99,?,?,?,000DBCD3), ref: 000DBBDB
lstrlenW.KERNEL32(?,?,00000000,000DBD99,?,?,?,000DBCD3), ref: 000DBBFA
HeapAlloc.KERNEL32(?,?,00000000,000DBD99,?,?,?,000DBCD3), ref: 000DBC1C
lstrcpyW.KERNEL32 ref: 000DBC30
lstrcatW.KERNEL32 ref: 000DBC49
lstrcatW.KERNEL32 ref: 000DBC55
HeapFree.KERNEL32(?,?,00000000,000DBD99,?,?,?,000DBCD3), ref: 000DBC67

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Heaplstrcatlstrlen$AllocFreelstrcpy
String ID:
API String ID: 3031435114-0
Opcode ID: 6537a671470d7a6c28754310b57c11c1b0682964c769e1a09eeeac0d61e013dc
Instruction ID: 481b596f71194e02271a25693d7a4a859f3b67834a978edab34075fbd6f246cb
Opcode Fuzzy Hash: 6537a671470d7a6c28754310b57c11c1b0682964c769e1a09eeeac0d61e013dc
Instruction Fuzzy Hash: 73216775601B42C2EB68DF93A9943A973A1BB89FC1F099036CE0A47B24EF78D4418300

Uniqueness

Uniqueness Score: -1.00%

Function 000D9270 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

DllGetClassObject, xrefs: 000D9324

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: DllGetClassObject
API String ID: 0-1075368562
Opcode ID: df91d20db5cc1b4a6db5e0ed872e844c7e5860dcaaa7f4d4f019a299bd51697c
Instruction ID: ba4aca9145ddbe409ac0b90d109c4ad4f65771049e767bcd3b2e2f03487c4579
Opcode Fuzzy Hash: df91d20db5cc1b4a6db5e0ed872e844c7e5860dcaaa7f4d4f019a299bd51697c
Instruction Fuzzy Hash: 21219F30305B8192EF64DB06E5443B963E1B789B88F58442ADE5E47BA4DF7DC685C310

Uniqueness

Uniqueness Score: -1.00%

Function 000E74B4 Relevance: 10.5, APIs: 7, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 000E74D1

Part of subcall function 000E718C: _set_error_mode.LIBCMT ref: 000E7195
Part of subcall function 000E718C: _set_error_mode.LIBCMT ref: 000E71A4
Part of subcall function 000E718C: _NMSG_WRITE.LIBCMT ref: 000E71BB
Part of subcall function 000E718C: _NMSG_WRITE.LIBCMT ref: 000E71C5

_NMSG_WRITE.LIBCMT ref: 000E74DB

Part of subcall function 000E7200: _set_error_mode.LIBCMT ref: 000E7245
Part of subcall function 000E7200: _set_error_mode.LIBCMT ref: 000E7256
Part of subcall function 000E7200: GetModuleFileNameW.KERNEL32 ref: 000E72B8
Part of subcall function 000E7200: __crtMessageBoxW.LIBCMT ref: 000E7369

Part of subcall function 000E6F54: __crtCorExitProcess.LIBCMT ref: 000E6F5C
Part of subcall function 000E6F54: ExitProcess.KERNEL32 ref: 000E6F63

_malloc_crt.LIBCMT ref: 000E7507

Part of subcall function 000E7B80: malloc.LIBCMT ref: 000E7BAB
Part of subcall function 000E7B80: Sleep.KERNEL32(?,?,?,000E750C,?,?,?,000E7493,?,?,?,?,?,?,00000000,000E67E2), ref: 000E7BBE

_errno.LIBCMT ref: 000E7514
_lock.LIBCMT ref: 000E7528
free.LIBCMT ref: 000E754B

Part of subcall function 000E567C: HeapFree.KERNEL32(?,?,00000000,000E67F6,?,?,00000000,000E6773,?,?,?,000E4DE7,?,?,?,000E50F5), ref: 000E5692
Part of subcall function 000E567C: _errno.LIBCMT ref: 000E569C
Part of subcall function 000E567C: GetLastError.KERNEL32(?,?,00000000,000E67F6,?,?,00000000,000E6773,?,?,?,000E4DE7,?,?,?,000E50F5), ref: 000E56A4

LeaveCriticalSection.KERNEL32(?,?,?,000E7493,?,?,?,?,?,?,00000000,000E67E2,?,?,00000000,000E6773), ref: 000E7558

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: _set_error_mode$ExitProcess__crt_errno$CriticalErrorFileFreeHeapLastLeaveMessageModuleNameSectionSleep_lock_malloc_crtfreemalloc
String ID:
API String ID: 3975071004-0
Opcode ID: a89c39b3d192f615507628ee657aa4be5a35b754468e6103fcee3311ace65e49
Instruction ID: 6123599dad2286accfcebe767cfae6150f3d0676fb15969030a2c10eda232b63
Opcode Fuzzy Hash: a89c39b3d192f615507628ee657aa4be5a35b754468e6103fcee3311ace65e49
Instruction Fuzzy Hash: 6711D672219BC4CAFB64AB67F4417BD2291EB80780F041034E68E677E6DFBCC8818311

Uniqueness

Uniqueness Score: -1.00%

Function 000DD178 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetWindowInfo.USER32 ref: 000DD198
PtInRect.USER32 ref: 000DD1A6
GetWindow.USER32 ref: 000DD1E1
GetWindow.USER32 ref: 000DD1EF
GetWindow.USER32 ref: 000DD208

Strings

<, xrefs: 000DD190

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$InfoRect
String ID: <
API String ID: 689018761-4251816714
Opcode ID: da8556de90869a4ae65d3b245f6cfdc6dd1118d517655778815209fc65a41924
Instruction ID: 848c2a3f793d0416c2762b474e1c10b0812821f2ca41a4e5b6913f1fb315162e
Opcode Fuzzy Hash: da8556de90869a4ae65d3b245f6cfdc6dd1118d517655778815209fc65a41924
Instruction Fuzzy Hash: BB112A7260474197EB28DF26FA5436AB3A0F788BC4F048136DA5A47B58DF3CD551CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000C4E44 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000C4E6B
GetProcAddress.KERNEL32 ref: 000C4E7B
OpenProcess.KERNEL32 ref: 000C4E9B
CloseHandle.KERNEL32 ref: 000C4EC9

Strings

IsWow64Process, xrefs: 000C4E71
KERNEL32.DLL, xrefs: 000C4E64

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$AddressCloseModuleOpenProcProcess
String ID: IsWow64Process$KERNEL32.DLL
API String ID: 4274107956-1193389583
Opcode ID: a86e69095386edcf9bad0b8f2929fa474666828085c7faeb35f56046dea924c3
Instruction ID: 8ea2103b1ec379ff619e5bac876df4fcb28f7cd7f4560199b6ca475d7df6149a
Opcode Fuzzy Hash: a86e69095386edcf9bad0b8f2929fa474666828085c7faeb35f56046dea924c3
Instruction Fuzzy Hash: 26015E35211B4283EF649F1AF8907A963B1BB89B84F194139DA4D47B64EF3DC8548700

Uniqueness

Uniqueness Score: -1.00%

Function 000D8280 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32 ref: 000D829E
lstrcatA.KERNEL32 ref: 000D82B0
lstrcatA.KERNEL32 ref: 000D82C6
OpenEventA.KERNEL32 ref: 000D82D6
CloseHandle.KERNEL32 ref: 000D82E9

Strings

OPR, xrefs: 000D8290

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseEventHandleOpenlstrcpy
String ID: OPR
API String ID: 821562950-3143204451
Opcode ID: e93e3b8730947920845de9bef2dec16ec32d09cb199acf6196c7f8932d3af157
Instruction ID: 621879402986daed3c4cb72218065617ce2f4fd5077fa0360e5adf14f40249b5
Opcode Fuzzy Hash: e93e3b8730947920845de9bef2dec16ec32d09cb199acf6196c7f8932d3af157
Instruction Fuzzy Hash: D4013C32304947D2EF318B25F8803FA7321FB8CB89F448122965E47A68DE3DC25AD704

Uniqueness

Uniqueness Score: -1.00%

Function 000DA450 Relevance: 9.2, APIs: 6, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 000D9A9C: WaitForSingleObject.KERNEL32(?,?,00000000,000DF0EA,?,?,?,00000000,00000000,000C88F8,?,?,?,?,?,000C1F66), ref: 000D9AAA

GetParent.USER32 ref: 000DA4A8
GetWindowLongPtrA.USER32 ref: 000DA4BA
GetWindowRect.USER32 ref: 000DA5AE
IsRectEmpty.USER32 ref: 000DA618
MapWindowPoints.USER32 ref: 000DA658
SetWindowPos.USER32(?,?,00000000,?,00008001,00000000), ref: 000DA6B3

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Rect$EmptyLongObjectParentPointsSingleWait
String ID:
API String ID: 1971925979-0
Opcode ID: 841176dc96a463b6425bb9ac51faffa0a35048ff3eb762f4a88a7d350c43dc07
Instruction ID: 2d54cdd52a68d53783f6e57c32063b1d5fdbcfe5b90c19bc5a0b5af7f8d09c39
Opcode Fuzzy Hash: 841176dc96a463b6425bb9ac51faffa0a35048ff3eb762f4a88a7d350c43dc07
Instruction Fuzzy Hash: E361AD73B00B11CBDB64CF66D5486AC3BB5F385BA8B06821BDE1A13B48DB38CA44C750

Uniqueness

Uniqueness Score: -1.00%

Function 000C9918 Relevance: 9.1, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 000C99E6
GetClassNameA.USER32 ref: 000C99CC

Part of subcall function 000DCD80: GetClassNameA.USER32 ref: 000DCDB6
Part of subcall function 000DCD80: lstrcmpiA.KERNEL32(?,?,?,?,00000000,000C9A25), ref: 000DCDCC

SetWindowLongPtrA.USER32 ref: 000C9A35
GetClassNameA.USER32 ref: 000C9A83
CallNextHookEx.USER32 ref: 000C9AC5
CallNextHookEx.USER32 ref: 000C9AF2

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ClassName$CallHookLongNextWindow$lstrcmpi
String ID:
API String ID: 1853066352-0
Opcode ID: 3833dd6d48041f8b1a887a5cfda42075e5f8e968be246675a2fb19493f7b1efb
Instruction ID: 3667a2f7e6f6bd0cf5526a3812f2085a51da108dd5443606baee41e23c886fa7
Opcode Fuzzy Hash: 3833dd6d48041f8b1a887a5cfda42075e5f8e968be246675a2fb19493f7b1efb
Instruction Fuzzy Hash: 6141C03520478186EB64DF669948BBD77A1FB88BC4F09402ADE4983B55EF78C445C742

Uniqueness

Uniqueness Score: -1.00%

Function 000E05F4 Relevance: 9.1, APIs: 6, Instructions: 105memorystringsynchronizationCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000E0617

Part of subcall function 000D8CE4: lstrlenA.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D35
Part of subcall function 000D8CE4: lstrlenA.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D45
Part of subcall function 000D8CE4: HeapAlloc.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D59
Part of subcall function 000D8CE4: lstrcpyA.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D75
Part of subcall function 000D8CE4: lstrcatA.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D81
Part of subcall function 000D8CE4: lstrcatA.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8D92
Part of subcall function 000D8CE4: HeapFree.KERNEL32(?,?,?,?,00000000,000D9783), ref: 000D8DA4

lstrlenA.KERNEL32(?,?,?,000CD017), ref: 000E0643
HeapAlloc.KERNEL32(?,?,?,000CD017), ref: 000E065F
CreateMutexA.KERNEL32(?,?,?,000CD017), ref: 000E068C

Part of subcall function 000DE68C: CreateDesktopA.USER32 ref: 000DE6D0
Part of subcall function 000DE68C: GetLastError.KERNEL32 ref: 000DE6DE
Part of subcall function 000DE68C: CloseDesktop.USER32 ref: 000DE7E1

Part of subcall function 000D970C: GetUserObjectInformationA.USER32 ref: 000D9752
Part of subcall function 000D970C: CreateEventA.KERNEL32 ref: 000D9851
Part of subcall function 000D970C: CreateEventA.KERNEL32 ref: 000D9874
Part of subcall function 000D970C: CreateMutexExA.KERNEL32 ref: 000D9893

Part of subcall function 000E039C: EnterCriticalSection.KERNEL32(?,?,00000000,000E06DB,?,?,?,000CD017), ref: 000E03AC

Part of subcall function 000DED60: GetVersion.KERNEL32(?,?,?,000E06F1,?,?,?,000CD017), ref: 000DED83
Part of subcall function 000DED60: GetCurrentThreadId.KERNEL32 ref: 000DED89
Part of subcall function 000DED60: GetThreadDesktop.USER32(?,?,?,000E06F1,?,?,?,000CD017), ref: 000DED94
Part of subcall function 000DED60: SetThreadDesktop.USER32(?,?,?,000E06F1,?,?,?,000CD017), ref: 000DEDA1
Part of subcall function 000DED60: GetLastError.KERNEL32(?,?,?,000E06F1,?,?,?,000CD017), ref: 000DEDAB

Part of subcall function 000E42C4: CreateThread.KERNEL32 ref: 000E42F5

Part of subcall function 000DE2B8: CreateMutexA.KERNEL32(?,?,?,?,00000000,000E0707,?,?,?,000CD017), ref: 000DE2CE
Part of subcall function 000DE2B8: CreateEventA.KERNEL32(?,?,?,?,00000000,000E0707,?,?,?,000CD017), ref: 000DE2EA
Part of subcall function 000DE2B8: CreateThread.KERNEL32 ref: 000DE313
Part of subcall function 000DE2B8: GetLastError.KERNEL32(?,?,?,?,00000000,000E0707,?,?,?,000CD017), ref: 000DE325
Part of subcall function 000DE2B8: CloseHandle.KERNEL32(?,?,?,?,00000000,000E0707,?,?,?,000CD017), ref: 000DE33D
Part of subcall function 000DE2B8: CloseHandle.KERNEL32(?,?,?,?,00000000,000E0707,?,?,?,000CD017), ref: 000DE357

GetLastError.KERNEL32(?,?,?,000CD017), ref: 000E0715
HeapFree.KERNEL32(?,?,?,000CD017), ref: 000E072E

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Create$Thread$DesktopErrorHeapLast$CloseEventMutexlstrlen$AllocFreeHandlelstrcat$CountCriticalCurrentEnterInformationObjectSectionTickUserVersionlstrcpy
String ID:
API String ID: 1223596557-0
Opcode ID: 7fa52b080a43f9fe80fdf6d3f3c572b1464bdd91d0764be44272ea71d6fa5b59
Instruction ID: 95adc52b5e844b5698e1ce2e578541672883ea678ab29773355642d53036fcc4
Opcode Fuzzy Hash: 7fa52b080a43f9fe80fdf6d3f3c572b1464bdd91d0764be44272ea71d6fa5b59
Instruction Fuzzy Hash: 70310835709B8286EF58DBB7A59077A63D1BB89BC0F444431DE4857B55EFB8D4828B00

Uniqueness

Uniqueness Score: -1.00%

Function 000E474C Relevance: 9.1, APIs: 6, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 000E4775
DefWindowProcA.USER32 ref: 000E47BB
KillTimer.USER32 ref: 000E47E7
KillTimer.USER32 ref: 000E47F5
DeleteObject.GDI32 ref: 000E4807
SetWindowLongPtrA.USER32 ref: 000E481A

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$KillLongTimer$DeleteObjectProc
String ID:
API String ID: 209327671-0
Opcode ID: 001fc644af7ac317a4efd769f16a4c0d5a584951b3d58ef9f9e0ace9f804a2eb
Instruction ID: d6d442b5718cb0e1e5ac288f8dabec9ef65333a7db123cce0d8efdff6de15126
Opcode Fuzzy Hash: 001fc644af7ac317a4efd769f16a4c0d5a584951b3d58ef9f9e0ace9f804a2eb
Instruction Fuzzy Hash: 8611B4317087C1C9DA289F23B9043AEA261BB86FD1F1841319E5B27B64DE7CC9429340

Uniqueness

Uniqueness Score: -1.00%

Function 000C2520 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,000C1EEA,?,?,?,000C204A), ref: 000C2537
GetVersion.KERNEL32(?,?,?,000C1EEA,?,?,?,000C204A), ref: 000C254A
GetCurrentProcessId.KERNEL32(?,?,?,000C1EEA,?,?,?,000C204A), ref: 000C255C
StrRChrA.SHLWAPI(?,?,?,000C1EEA,?,?,?,000C204A), ref: 000C25B6
CreateEventA.KERNEL32(?,?,?,000C1EEA,?,?,?,000C204A), ref: 000C25E6
GetLastError.KERNEL32(?,?,?,000C1EEA,?,?,?,000C204A), ref: 000C25F8

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CreateCurrentErrorEventHandleLastModuleProcessVersion
String ID:
API String ID: 3503360540-0
Opcode ID: f11c60afb87085c193316d5a3d23d8102b23c6ad1b72346ed75128a700e20f26
Instruction ID: d0a4cdc399fdf8e4de94f743ea3f0c0ebc217cd833296edabc3bdb626dac7924
Opcode Fuzzy Hash: f11c60afb87085c193316d5a3d23d8102b23c6ad1b72346ed75128a700e20f26
Instruction Fuzzy Hash: 4C2162B1202B0387F7699B6AF9E67AE33A4BB44705F45803C9B4542A65DFB8C4C4D710

Uniqueness

Uniqueness Score: -1.00%

Function 000DE2B8 Relevance: 9.0, APIs: 6, Instructions: 49synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(?,?,?,?,00000000,000E0707,?,?,?,000CD017), ref: 000DE2CE
CreateEventA.KERNEL32(?,?,?,?,00000000,000E0707,?,?,?,000CD017), ref: 000DE2EA
CreateThread.KERNEL32 ref: 000DE313
GetLastError.KERNEL32(?,?,?,?,00000000,000E0707,?,?,?,000CD017), ref: 000DE325
CloseHandle.KERNEL32(?,?,?,?,00000000,000E0707,?,?,?,000CD017), ref: 000DE33D
CloseHandle.KERNEL32(?,?,?,?,00000000,000E0707,?,?,?,000CD017), ref: 000DE357

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Create$CloseHandle$ErrorEventLastMutexThread
String ID:
API String ID: 2796074661-0
Opcode ID: 45b552b1d324b1bf169d83386254b519cb88ef708c45f2157f7c495d1eac5eef
Instruction ID: 5e03f18004d399772a464a2eb5b04e78122ba5e13c7bd075e19e6cebf07a2fdd
Opcode Fuzzy Hash: 45b552b1d324b1bf169d83386254b519cb88ef708c45f2157f7c495d1eac5eef
Instruction Fuzzy Hash: 95119E32A19F81D2EB65DF75E4143BA32E1FB84B48F084539CE4A0AB14DF3DD500C624

Uniqueness

Uniqueness Score: -1.00%

Function 000CA198 Relevance: 9.0, APIs: 6, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,000C87E9,?,?,?,?,000C2152), ref: 000CA1A9
LeaveCriticalSection.KERNEL32(?,?,?,000C87E9,?,?,?,?,000C2152), ref: 000CA1CD
SetWindowLongPtrA.USER32 ref: 000CA1E8
HeapFree.KERNEL32(?,?,?,000C87E9,?,?,?,?,000C2152), ref: 000CA201
EnterCriticalSection.KERNEL32(?,?,?,000C87E9,?,?,?,?,000C2152), ref: 000CA20E
LeaveCriticalSection.KERNEL32(?,?,?,000C87E9,?,?,?,?,000C2152), ref: 000CA227

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$FreeHeapLongWindow
String ID:
API String ID: 1749895167-0
Opcode ID: 8792c8e882a862dfe5ef36068bb71b536f0ee487e9582a80263131d3de139e81
Instruction ID: b04fb1e8545257811c07fb537378de050cc179d0ddf4d0a3c819fa0943462762
Opcode Fuzzy Hash: 8792c8e882a862dfe5ef36068bb71b536f0ee487e9582a80263131d3de139e81
Instruction Fuzzy Hash: E9110C75250A15C2EB10CF21EC903E83370F788B99F488221DA4F43668CF79C9A9D340

Uniqueness

Uniqueness Score: -1.00%

Function 000E4844 Relevance: 9.0, APIs: 6, Instructions: 37windowsynchronizationthreadCOMMON

Download Yara Rule

APIs

SetThreadDesktop.USER32 ref: 000E4854

Part of subcall function 000E3E60: GetModuleHandleA.KERNEL32 ref: 000E3EAB
Part of subcall function 000E3E60: RegisterClassA.USER32 ref: 000E3ED1
Part of subcall function 000E3E60: CreateFontA.GDI32 ref: 000E3F1A
Part of subcall function 000E3E60: GetWindowRect.USER32 ref: 000E3F82

Part of subcall function 000E4D04: GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000E486A), ref: 000E4D15
Part of subcall function 000E4D04: CreateWindowExA.USER32 ref: 000E4D51
Part of subcall function 000E4D04: SetClipboardViewer.USER32(?,?,?,?,?,?,?,?,?,?,?,000E486A), ref: 000E4D66

GetMessageA.USER32 ref: 000E4883
TranslateMessage.USER32 ref: 000E4892
DispatchMessageA.USER32 ref: 000E489D
WaitForSingleObject.KERNEL32 ref: 000E48A9
DestroyWindow.USER32 ref: 000E48C2

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: MessageWindow$CreateHandleModule$ClassClipboardDesktopDestroyDispatchFontObjectRectRegisterSingleThreadTranslateViewerWait
String ID:
API String ID: 2444732902-0
Opcode ID: 687acb24aee2fdb956028cbc75a7c9c68bfaedbc3794f7d85447fc62f8d752e2
Instruction ID: fc134f454e6f056c2bf80fad93933879079fdcac04d165119bbec8953b2b4460
Opcode Fuzzy Hash: 687acb24aee2fdb956028cbc75a7c9c68bfaedbc3794f7d85447fc62f8d752e2
Instruction Fuzzy Hash: BE017C316049C2C6EB20EF62E9597B923A1FBD8F89F480130C94A96924CF39C445D700

Uniqueness

Uniqueness Score: -1.00%

Function 000DF5DC Relevance: 9.0, APIs: 6, Instructions: 31synchronizationthreadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32 ref: 000DF5EB
GetCurrentProcessId.KERNEL32 ref: 000DF5F5
OpenProcess.KERNEL32 ref: 000DF60A
TerminateProcess.KERNEL32 ref: 000DF61D
WaitForSingleObject.KERNEL32 ref: 000DF62B
CloseHandle.KERNEL32 ref: 000DF634

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentHandleObjectOpenSingleTerminateThreadWaitWindow
String ID:
API String ID: 127232891-0
Opcode ID: 8c8510bd7c0cd373601f818a486a9b9b9bb1269f355d6c090ed73b8045830fb8
Instruction ID: d74e5d3f99b7e5bc0f6f20c2d481331ccc3516001c03801cc06c240687f6b5dd
Opcode Fuzzy Hash: 8c8510bd7c0cd373601f818a486a9b9b9bb1269f355d6c090ed73b8045830fb8
Instruction Fuzzy Hash: FFF03A71714742C2EB649B62A8443B963A2AB88B81F4C9434E90786F64EF79C9999620

Uniqueness

Uniqueness Score: -1.00%

Function 000DD89C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 000DCED0: IsWindow.USER32 ref: 000DCEEA
Part of subcall function 000DCED0: GetAncestor.USER32(?,?,?,000DD01D), ref: 000DCF13

Part of subcall function 000DCFB4: IsWindowVisible.USER32 ref: 000DCFC1
Part of subcall function 000DCFB4: GetWindowLongPtrA.USER32 ref: 000DCFD3

GetWindowInfo.USER32 ref: 000DD900

Part of subcall function 000DC84C: GetClassNameA.USER32 ref: 000DC85E

GetWindowTextA.USER32 ref: 000DD92C
ShowWindow.USER32 ref: 000DD93B
GetClassLongPtrA.USER32 ref: 000DD9D2

Strings

<, xrefs: 000DD8F8

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$ClassLong$AncestorInfoNameShowTextVisible
String ID: <
API String ID: 2975856901-4251816714
Opcode ID: e288f24720f4cf13916de21b3b1f3abdff09d520ebdeb60fcf9dad97b05b199e
Instruction ID: 6aa72e1e5568480b54970537c29e5186e2447f9dd2838a15cac1d507c3573af1
Opcode Fuzzy Hash: e288f24720f4cf13916de21b3b1f3abdff09d520ebdeb60fcf9dad97b05b199e
Instruction Fuzzy Hash: 9D517D736187408AD764CF39D8506ADB7A5F384B98F549127FE8697B09DB39C882CB10

Uniqueness

Uniqueness Score: -1.00%

Function 000DDE40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000DDE58
GetWindowLongPtrA.USER32 ref: 000DDE89
GetScrollBarInfo.USER32(?,?,?,?,?,?,?,?,?,000DDCF7), ref: 000DDEAC
GetScrollBarInfo.USER32(?,?,?,?,?,?,?,?,?,000DDCF7), ref: 000DDEDE

Strings

<, xrefs: 000DDEA4

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: InfoScrollWindow$LongRect
String ID: <
API String ID: 4167475372-4251816714
Opcode ID: 732de1caf1109ef2dacc02eacb81084117e375e29bbaf6249f72e3f319b902ce
Instruction ID: 7266bc23e0f1987e83065d698c6f95907a0a759333fed9ad21ebf7978a156c90
Opcode Fuzzy Hash: 732de1caf1109ef2dacc02eacb81084117e375e29bbaf6249f72e3f319b902ce
Instruction Fuzzy Hash: 5A415732600681CBD764CF39D28475D77E0F354B59F18822AE7198BB88DB78D9A1CF50

Uniqueness

Uniqueness Score: -1.00%

Function 000E2A50 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 000E2A74
HeapAlloc.KERNEL32 ref: 000E2AC7
GetWindowInfo.USER32 ref: 000E2B3B

Part of subcall function 000DCED0: IsWindow.USER32 ref: 000DCEEA
Part of subcall function 000DCED0: GetAncestor.USER32(?,?,?,000DD01D), ref: 000DCF13

HeapAlloc.KERNEL32 ref: 000E2B0A

Strings

<, xrefs: 000E2B28

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$AllocHeap$AncestorInfo
String ID: <
API String ID: 1744794226-4251816714
Opcode ID: 9f1ae09fc7ea9bb2892e3827364dcd028c1ab90342a530956aa0c61df00f4886
Instruction ID: a7c5547e4cc1a16c15e7d834e477962f2b65653f05e57bfeaa2cf99b1a213227
Opcode Fuzzy Hash: 9f1ae09fc7ea9bb2892e3827364dcd028c1ab90342a530956aa0c61df00f4886
Instruction Fuzzy Hash: 84317672300B488AEB64DF23E9407A973A9F788FC4F49802A9E4E97B14EF38C545C700

Uniqueness

Uniqueness Score: -1.00%

Function 000C22A4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,000C24B0,?,?,00000008,000C33C8,?,?,00000000,000C3282), ref: 000C22C2
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,000C24B0,?,?,00000008,000C33C8,?,?,00000000,000C3282), ref: 000C2379
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,000C24B0,?,?,00000008,000C33C8,?,?,00000000,000C3282), ref: 000C2387

Strings

NTDLL.DLL, xrefs: 000C22BB
ntdsapi.dll, xrefs: 000C236F

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Library$FreeHandleLoadModule
String ID: NTDLL.DLL$ntdsapi.dll
API String ID: 2140536961-4180381668
Opcode ID: c4afc7861d01175b27c331c95c3b7eb6baf417b41b7dc8bd2995baa3b60a6f9f
Instruction ID: 8d9e6e7adae2248e4411244377f2a016e34b28858379f13d9a71f5024fab6f1b
Opcode Fuzzy Hash: c4afc7861d01175b27c331c95c3b7eb6baf417b41b7dc8bd2995baa3b60a6f9f
Instruction Fuzzy Hash: A5311676B11B54CAEB508FA1E8403AD37B4F748B98F44452ADB8D57B18EB38C661C750

Uniqueness

Uniqueness Score: -1.00%

Function 000C2440 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,?,00000008,000C33C8,?,?,00000000,000C3282,?,?,?,?,?,000C18B6), ref: 000C2462
GetModuleHandleW.KERNEL32(?,?,00000008,000C33C8,?,?,00000000,000C3282,?,?,?,?,?,000C18B6), ref: 000C2473
GetProcAddress.KERNEL32(?,?,00000008,000C33C8,?,?,00000000,000C3282,?,?,?,?,?,000C18B6), ref: 000C2483

Strings

LdrRegisterDllNotification, xrefs: 000C2479
NTDLL.DLL, xrefs: 000C246C

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID: LdrRegisterDllNotification$NTDLL.DLL
API String ID: 3310240892-3368964806
Opcode ID: 164d9ea437c975d8153ff0603ccf67c86708c2d0a5c9df891987d11c49d3b926
Instruction ID: 37c9cc5d031fd84f5fe5c60a2abe696efcad9111035c2b2a0a16928f7b7a1490
Opcode Fuzzy Hash: 164d9ea437c975d8153ff0603ccf67c86708c2d0a5c9df891987d11c49d3b926
Instruction Fuzzy Hash: 53212931201F81C6EB589F95F99076D76A5FB88B80F598439DB8D43B95EF78C8A1D300

Uniqueness

Uniqueness Score: -1.00%

Function 000D8B88 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,000C5844), ref: 000D8BCA
HeapAlloc.KERNEL32(?,?,?,000C5844), ref: 000D8BEA
SetLastError.KERNEL32(?,?,?,000C5844), ref: 000D8BFB
wsprintfW.USER32 ref: 000D8C15

Strings

%S_%s, xrefs: 000D8C05

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: AllocErrorHeapLastlstrlenwsprintf
String ID: %S_%s
API String ID: 2242173294-1352953545
Opcode ID: 3447668ccb79bd62f22865d2937eaa677e331b3f947f4feb37e0849b8f018dd0
Instruction ID: 4eefe969a3222bdb71d69724a97582a552f1feb4962d018b0c2486baee9bba29
Opcode Fuzzy Hash: 3447668ccb79bd62f22865d2937eaa677e331b3f947f4feb37e0849b8f018dd0
Instruction Fuzzy Hash: 2A01ADB4312B81C6DB24CB13E8483A9B3A1FB88FD0F489031DE0A47B19DE3DC5828B10

Uniqueness

Uniqueness Score: -1.00%

Function 000DC108 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000DC7A8: FindWindowExA.USER32 ref: 000DC7EE

Sleep.KERNEL32 ref: 000DC125
Sleep.KERNEL32 ref: 000DC154
SetWindowLongPtrA.USER32 ref: 000DC180

Strings

Start, xrefs: 000DC15A
Shell_TrayWnd, xrefs: 000DC12B

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: SleepWindow$FindLong
String ID: Shell_TrayWnd$Start
API String ID: 1352427482-2327449929
Opcode ID: caaf623c645af85065b8399550e8461b00002e738efed85008fb1c73de1b67f6
Instruction ID: 70eb635f1a140ea7951f6139e40c6200594b0f0b27123325c9afd4d83b9645b0
Opcode Fuzzy Hash: caaf623c645af85065b8399550e8461b00002e738efed85008fb1c73de1b67f6
Instruction Fuzzy Hash: 4601AD38311753C2FF289BA5B804BB833E2AB49780F5411369A1A06B91DF7CC498C760

Uniqueness

Uniqueness Score: -1.00%

Function 000C4FC8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,000C1811,?,?,?,000C1F8A,?,?,?,000C204A), ref: 000C4FDC
lstrcpyA.KERNEL32(?,?,?,000C1811,?,?,?,000C1F8A,?,?,?,000C204A), ref: 000C4FF8
StrRChrA.SHLWAPI(?,?,?,000C1811,?,?,?,000C1F8A,?,?,?,000C204A), ref: 000C5007
lstrcatA.KERNEL32(?,?,?,000C1811,?,?,?,000C1F8A,?,?,?,000C204A), ref: 000C5034

Strings

.dll, xrefs: 000C5027

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpylstrlen
String ID: .dll
API String ID: 3050337572-2738580789
Opcode ID: cc1fe7ecbbab87fbbc811432d013562c9f63509ccc53e8c5afe418956dbacfe6
Instruction ID: b70f03296cf5505e44e329eafdb97ed70ca17f5703062af731a31f15a5918f7f
Opcode Fuzzy Hash: cc1fe7ecbbab87fbbc811432d013562c9f63509ccc53e8c5afe418956dbacfe6
Instruction Fuzzy Hash: C901D625702A4181EF669F56EC4576D62A0EF48BE5F588238CA2A837E0DE3C9485C740

Uniqueness

Uniqueness Score: -1.00%

Function 000C23C8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,?,?,000C2AD0,?,?,?,000C2846,?,?,?,?,000C214D), ref: 000C23DA
GetModuleHandleW.KERNEL32(?,?,?,000C2AD0,?,?,?,000C2846,?,?,?,?,000C214D), ref: 000C23EB
GetProcAddress.KERNEL32(?,?,?,000C2AD0,?,?,?,000C2846,?,?,?,?,000C214D), ref: 000C23FB

Strings

LdrUnregisterDllNotification, xrefs: 000C23F1
NTDLL.DLL, xrefs: 000C23E4

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID: LdrUnregisterDllNotification$NTDLL.DLL
API String ID: 3310240892-3940208311
Opcode ID: 5adef21852d0d744b449034d566701be83f1671ca3740fdba317d4f4ecd7bedf
Instruction ID: cd69c43004c5c027a8d05928a1b76949adc1780d962b671f8f444f11559a6bba
Opcode Fuzzy Hash: 5adef21852d0d744b449034d566701be83f1671ca3740fdba317d4f4ecd7bedf
Instruction Fuzzy Hash: 48F0F931615B45C2EB68DB5AFA947BC63A1FB48B80F944039DA4D83B61DF78C8A6C340

Uniqueness

Uniqueness Score: -1.00%

Function 000E0904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,00000000,000CD586,?,?,?,?,00000008,000C8C91), ref: 000E0911
GetModuleHandleA.KERNEL32(?,?,00000000,000CD586,?,?,?,?,00000008,000C8C91), ref: 000E091E
GetProcAddress.KERNEL32(?,?,00000000,000CD586,?,?,?,?,00000008,000C8C91), ref: 000E092E

Strings

user32, xrefs: 000E0917
MessageBoxTimeoutA, xrefs: 000E0924

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: AddressCriticalHandleInitializeModuleProcSection
String ID: MessageBoxTimeoutA$user32
API String ID: 1068892330-2395250267
Opcode ID: 6c715ffcf26fb970e38f6f9d95bdf7161c7a85ef441913505cc3a6d8f37c6c89
Instruction ID: b6e5ae1fc2dd5c9638751864361c6eeb7caf76db039305d3e63b675c9687488b
Opcode Fuzzy Hash: 6c715ffcf26fb970e38f6f9d95bdf7161c7a85ef441913505cc3a6d8f37c6c89
Instruction Fuzzy Hash: 89F03030A01A8BC6FF21BBB6F8953FC2264BB54740F400031995962763EEACC5D9D361

Uniqueness

Uniqueness Score: -1.00%

Function 000DCDE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000DCDF4
GetClassNameA.USER32 ref: 000DCE08
lstrcmpiA.KERNEL32 ref: 000DCE1A
GetParent.USER32 ref: 000DCE27

Strings

mdiclient, xrefs: 000DCE0E

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Parent$ClassNamelstrcmpi
String ID: mdiclient
API String ID: 132458742-1999401180
Opcode ID: c636a0dc3d40ac801fe3ec7f9c9eb2d1f4120273aefd87f80856564458f75812
Instruction ID: 44ce6d4f47336d97112f4fa4f1f8c839ff9ebf1896764723beb79afad1004853
Opcode Fuzzy Hash: c636a0dc3d40ac801fe3ec7f9c9eb2d1f4120273aefd87f80856564458f75812
Instruction Fuzzy Hash: C9F03964356B4782FF749B2AF814BB923A0AB45B85F4800358D4A8BB61EE2CD189E710

Uniqueness

Uniqueness Score: -1.00%

Function 000D8210 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32 ref: 000D8228
lstrcatA.KERNEL32 ref: 000D823A
lstrcatA.KERNEL32 ref: 000D8250
CreateEventA.KERNEL32 ref: 000D8264

Strings

OPR, xrefs: 000D821C

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateEventlstrcpy
String ID: OPR
API String ID: 3695347688-3143204451
Opcode ID: 2ae483a689adf9ffdbcf451d6e24b85368d2ccab5059ce312b1d70f111d85708
Instruction ID: 96dec3e3860cc21b6f62ae801d32d2dcdfc8ae721308ed12dbeba98c357b40bd
Opcode Fuzzy Hash: 2ae483a689adf9ffdbcf451d6e24b85368d2ccab5059ce312b1d70f111d85708
Instruction Fuzzy Hash: 00F0587230090BD3EF358F24E8557EA2321FB8C789F804122964E46A68DE3EC25DDB00

Uniqueness

Uniqueness Score: -1.00%

Function 000D7D90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32 ref: 000D7DA8
lstrcatA.KERNEL32 ref: 000D7DBA
lstrcatA.KERNEL32 ref: 000D7DD0
CreateEventA.KERNEL32 ref: 000D7DE4

Strings

OPRN, xrefs: 000D7D9C

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateEventlstrcpy
String ID: OPRN
API String ID: 3695347688-2540104326
Opcode ID: 34da0ee4a2461a8231f0011412b49e67daa361e27679f4e843de002fbc8fc16a
Instruction ID: e60a9bd593a46cc08f4b95ab6b4a07e78def4527d59032a1c9f9be405e0a8bd6
Opcode Fuzzy Hash: 34da0ee4a2461a8231f0011412b49e67daa361e27679f4e843de002fbc8fc16a
Instruction Fuzzy Hash: 97F0587230094BD3EF348F24E8557EA2320FB8C789F804126964E86968DE3DC25DDB00

Uniqueness

Uniqueness Score: -1.00%

Function 001170B0 Relevance: 7.8, APIs: 5, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 001171C0
__FindPESection.LIBCMT ref: 001171DA

Memory Dump Source

Source File: 00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp, Offset: 0010C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10c000_svchost.jbxd

Yara matches

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: 8bc92cd720ef00609098ffb6b9e9814e12efc582b7b6c18401bb48d7b34630a5
Instruction ID: e6089b9989301f5fd93d5c03e9171d607e6fce2c92dceda35947fb72580200e1
Opcode Fuzzy Hash: 8bc92cd720ef00609098ffb6b9e9814e12efc582b7b6c18401bb48d7b34630a5
Instruction Fuzzy Hash: 7BA1AB71A086159FDB19CF68C880AEDB7B5FB48320F254279EC55AB391E731EC81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 000CF025 Relevance: 7.6, APIs: 5, Instructions: 148memorywindowCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 000CF063
HeapAlloc.KERNEL32 ref: 000CF07B
GetDC.USER32 ref: 000CF08F
GetSystemPaletteEntries.GDI32 ref: 000CF0A8
ReleaseDC.USER32 ref: 000CF0B5

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocEntriesFreePaletteReleaseSystem
String ID:
API String ID: 3186361210-0
Opcode ID: 31d9b3c4809d10384fe1378f0f6be2271eab83f9288edd74bfc0471dcd53eea3
Instruction ID: 794d2f6e995d06b82ba678ceb4ad51c8616ea239297f436f07ff8f61b8a924c0
Opcode Fuzzy Hash: 31d9b3c4809d10384fe1378f0f6be2271eab83f9288edd74bfc0471dcd53eea3
Instruction Fuzzy Hash: A2415A733145E482D759CB29D825BFD2BE6E349B80F49913AEE898B741D93DC949C700

Uniqueness

Uniqueness Score: -1.00%

Function 000CE6E8 Relevance: 7.6, APIs: 5, Instructions: 137memorywindowCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 000CE72B
HeapAlloc.KERNEL32 ref: 000CE741
GetDC.USER32 ref: 000CE755
GetSystemPaletteEntries.GDI32 ref: 000CE76E
ReleaseDC.USER32 ref: 000CE77B

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocEntriesFreePaletteReleaseSystem
String ID:
API String ID: 3186361210-0
Opcode ID: aedfa8f8a16ab79914e147a8d5a700ed02afb6420801628eb0e43e6e0623eb86
Instruction ID: fc5c7db043be931d27a41d88154ae40720b97daf0b096a2cf56b38a43bc4542c
Opcode Fuzzy Hash: aedfa8f8a16ab79914e147a8d5a700ed02afb6420801628eb0e43e6e0623eb86
Instruction Fuzzy Hash: 5A4137737046D482D719CB29E814BED7FE6F759B84F49812AEB898B701DA38C94AC740

Uniqueness

Uniqueness Score: -1.00%

Function 000CDE48 Relevance: 7.6, APIs: 5, Instructions: 126memorywindowCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 000CDE83
HeapAlloc.KERNEL32 ref: 000CDE97
GetDC.USER32 ref: 000CDEAB
GetSystemPaletteEntries.GDI32 ref: 000CDEC4
ReleaseDC.USER32 ref: 000CDED1

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocEntriesFreePaletteReleaseSystem
String ID:
API String ID: 3186361210-0
Opcode ID: f4b9019eaba3bf245c06d9056ec9d89b83527e159dc44690a1e4299cb5a0ca2d
Instruction ID: ff9e3122da8ca7fd1aa4a61cc87d57a036d8a6a5196183f8384d9e9e19abdeb3
Opcode Fuzzy Hash: f4b9019eaba3bf245c06d9056ec9d89b83527e159dc44690a1e4299cb5a0ca2d
Instruction Fuzzy Hash: 9441677331569482D729CB2AE8147EC77E5F399B80F09D13AEE8A8B711DA3CC54AC740

Uniqueness

Uniqueness Score: -1.00%

Function 000C2FDC Relevance: 7.6, APIs: 5, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002,000C3334,?,?,00000004,000C320A), ref: 000C30D0
VirtualProtect.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002,000C3334,?,?,00000004,000C320A), ref: 000C3120
EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002,000C3334,?,?,00000004,000C320A), ref: 000C3134
LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002,000C3334,?,?,00000004,000C320A), ref: 000C3161
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002,000C3334,?,?,00000004,000C320A), ref: 000C317F

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: 8bd59a6fb2fc165edfa2f8da51c777b83b9af9e086c9aeb54d042dbc01101951
Instruction ID: 5ae93941f7393dc84ca89feff09518abae72d847b34c531c63fb6662db2d6d15
Opcode Fuzzy Hash: 8bd59a6fb2fc165edfa2f8da51c777b83b9af9e086c9aeb54d042dbc01101951
Instruction Fuzzy Hash: F2519D32225B51D6EB64CF16E990BAD73A4F748B80F55812ADF8D43B14EF39CAA1C740

Uniqueness

Uniqueness Score: -1.00%

Function 000E9D30 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000E9D92
_isleadbyte_l.LIBCMT ref: 000E9DC2
MultiByteToWideChar.KERNEL32 ref: 000E9E01
MultiByteToWideChar.KERNEL32 ref: 000E9E4F
_errno.LIBCMT ref: 000E9E59

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: 94ba72ba195363dd6fa540d92c7ce6dcf5453e622e5dac3659fbafc985ab50c7
Instruction ID: afb5ee80e6196cd73963fa82035ca10a0bee30a0b312dff55feb0f8cffa8eeba
Opcode Fuzzy Hash: 94ba72ba195363dd6fa540d92c7ce6dcf5453e622e5dac3659fbafc985ab50c7
Instruction Fuzzy Hash: 4C31C5722047C08ADB60CF17E580769BBA5FB85FD4F184126EB8967B66DB38C851C700

Uniqueness

Uniqueness Score: -1.00%

Function 000DB1A8 Relevance: 7.6, APIs: 5, Instructions: 76memorystringCOMMON

Download Yara Rule

APIs

PathRemoveBlanksA.SHLWAPI ref: 000DB1D8
PathRemoveArgsA.SHLWAPI ref: 000DB1E1
lstrlenA.KERNEL32 ref: 000DB1F4
MultiByteToWideChar.KERNEL32 ref: 000DB242
HeapFree.KERNEL32 ref: 000DB285

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: PathRemove$ArgsBlanksByteCharFreeHeapMultiWidelstrlen
String ID:
API String ID: 1571430455-0
Opcode ID: 68e883e5efbad8f7610cff9b7e97fdbd144d008e165586cf82833899d366af34
Instruction ID: 7924150282e83e5007a656ee7692f57fda8eefd5cf14acbaea8a9b1bb99ffd8b
Opcode Fuzzy Hash: 68e883e5efbad8f7610cff9b7e97fdbd144d008e165586cf82833899d366af34
Instruction Fuzzy Hash: 2B21BF33311B41C6DB649F62A880BAD73A5FB49BE4F494726EE6A07B94DF38C459C310

Uniqueness

Uniqueness Score: -1.00%

Function 000C9B74 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 000C9B18: EnterCriticalSection.KERNEL32 ref: 000C9B2E
Part of subcall function 000C9B18: LeaveCriticalSection.KERNEL32 ref: 000C9B60

Part of subcall function 000C9D98: GetClassLongPtrA.USER32 ref: 000C9DB5

GetWindowLongPtrA.USER32 ref: 000C9BE2

Part of subcall function 000C2670: VirtualProtect.KERNEL32 ref: 000C26B7

EnterCriticalSection.KERNEL32 ref: 000C9C12
LeaveCriticalSection.KERNEL32 ref: 000C9C3F
SetWindowLongPtrA.USER32 ref: 000C9C4E
GetWindowLongPtrA.USER32 ref: 000C9C5D

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CriticalLongSection$Window$EnterLeave$ClassProtectVirtual
String ID:
API String ID: 3135882583-0
Opcode ID: 9b06b61f2d83df3b62778cfd4d4567b48a2ac290c0318cca052fca38d57ece12
Instruction ID: 1003022d0c66ab1a89c109220cf2affa7ee3b15e92d4bf106eef3cd8bc8e85ec
Opcode Fuzzy Hash: 9b06b61f2d83df3b62778cfd4d4567b48a2ac290c0318cca052fca38d57ece12
Instruction Fuzzy Hash: 18213971601B5182EB50DF16B88879D73A8F798F80F55412AEE4A87765EF78C4968300

Uniqueness

Uniqueness Score: -1.00%

Function 000C4EE0 Relevance: 7.6, APIs: 5, Instructions: 70fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 000C4F1A
GetFileSize.KERNEL32 ref: 000C4F2E
ReadFile.KERNEL32 ref: 000C4F65
GetLastError.KERNEL32 ref: 000C4F8A
CloseHandle.KERNEL32 ref: 000C4F9B

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: 67e4fecaa68f4ca5fcf52603ee140cbdbf6af7db246a46d635f35ca24b5683e0
Instruction ID: df92338637220846a875f5ac72a01d8f1967bbc9d0e605f3aff7bf8a24a6a4f7
Opcode Fuzzy Hash: 67e4fecaa68f4ca5fcf52603ee140cbdbf6af7db246a46d635f35ca24b5683e0
Instruction Fuzzy Hash: B6217F3130474187E7608F66A5A8B6DA6E4B799BF0F15833D9E2947BE4EB38C8478700

Uniqueness

Uniqueness Score: -1.00%

Function 000C2BEC Relevance: 7.6, APIs: 5, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,000C2B4E,?,?,?,000C284D,?,?,?,?,000C214D), ref: 000C2C3A
VirtualProtect.KERNEL32(?,?,?,000C2B4E,?,?,?,000C284D,?,?,?,?,000C214D), ref: 000C2C5C
VirtualProtect.KERNEL32(?,?,?,000C2B4E,?,?,?,000C284D,?,?,?,?,000C214D), ref: 000C2C76
VirtualProtect.KERNEL32(?,?,?,000C2B4E,?,?,?,000C284D,?,?,?,?,000C214D), ref: 000C2CAE
GetLastError.KERNEL32(?,?,?,000C2B4E,?,?,?,000C284D,?,?,?,?,000C214D), ref: 000C2CB6

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 4dcc671b45f5aa8f4eca118eccde9929eb3942500addd3c0063507ce4de67774
Instruction ID: 503b571c7ef67d5ad09dbaa580c9b4682b4310395b490ed5004d6054bef700d1
Opcode Fuzzy Hash: 4dcc671b45f5aa8f4eca118eccde9929eb3942500addd3c0063507ce4de67774
Instruction Fuzzy Hash: E7215A32615A56C7DB64CF26E48076DB7B0F388F84F504016EB8A93B24CF39D896CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000D6ED4 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 000D6EE9
HeapAlloc.KERNEL32 ref: 000D6F0D
HeapFree.KERNEL32 ref: 000D6F2F
HeapAlloc.KERNEL32 ref: 000D6F4E

Part of subcall function 000D6DAC: HeapFree.KERNEL32(?,?,00000000,000D6F6D), ref: 000D6DC6

Strings

1.1.4, xrefs: 000D6F7B

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Alloc$Free
String ID: 1.1.4
API String ID: 1549400367-362073112
Opcode ID: 64024c7d9693760184c3401414d4db0e7c18ea2ab1c9ded04b5d3f08a38fbcc6
Instruction ID: 962ed88f16a9c96553f94cb67fbe9c04e5d1d316fc54ba94a4d60a4d43590d83
Opcode Fuzzy Hash: 64024c7d9693760184c3401414d4db0e7c18ea2ab1c9ded04b5d3f08a38fbcc6
Instruction Fuzzy Hash: 922179B2A11F0182FB64CF22F85036823E4FB9CB89F144636CA0D96798EF7AC5518354

Uniqueness

Uniqueness Score: -1.00%

Function 000C8DD4 Relevance: 7.5, APIs: 5, Instructions: 48memorysynchronizationwindowCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,000C95D8), ref: 000C8E06
CreateCompatibleDC.GDI32 ref: 000C8E1C
CreateCompatibleBitmap.GDI32 ref: 000C8E2E
SelectObject.GDI32 ref: 000C8E40
CreateMutexA.KERNEL32(?,?,00000000,000C95D8), ref: 000C8E51

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Create$Compatible$AllocBitmapHeapMutexObjectSelect
String ID:
API String ID: 533441823-0
Opcode ID: ad4af58a44212d75ef5e2141ac14bf3debb79554ac77a0086842194d3e0efd06
Instruction ID: abae3097fb84c6109d14db85ac4d30e0cd1191f6652c817b93b4a9fb5d3779f1
Opcode Fuzzy Hash: ad4af58a44212d75ef5e2141ac14bf3debb79554ac77a0086842194d3e0efd06
Instruction Fuzzy Hash: E3112276611B90C2EB28CF66E84472977A4F788FC0F088029DE4E47B18DF78C4A1CB04

Uniqueness

Uniqueness Score: -1.00%

Function 000D8AE0 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 44memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 000E531C: _errno.LIBCMT ref: 000E532E
Part of subcall function 000E531C: _invalid_parameter_noinfo.LIBCMT ref: 000E5339

lstrlenA.KERNEL32(?,?,?,000C5910), ref: 000D8B22
HeapAlloc.KERNEL32(?,?,?,000C5910), ref: 000D8B3F
SetLastError.KERNEL32(?,?,?,000C5910), ref: 000D8B50
wsprintfA.USER32 ref: 000D8B6A

Strings

%s_%s, xrefs: 000D8B5A

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: AllocErrorHeapLast_errno_invalid_parameter_noinfolstrlenwsprintf
String ID: %s_%s
API String ID: 3062859849-4036411895
Opcode ID: 13e451a74d379131444e1defa41cf64d337f13b37fd013cc74f4c362a6be03a9
Instruction ID: aa3182927e66be620dece5bc8caaa4c782341a0f7714bcdba507c1f56f85b6c9
Opcode Fuzzy Hash: 13e451a74d379131444e1defa41cf64d337f13b37fd013cc74f4c362a6be03a9
Instruction Fuzzy Hash: 770180B5711B81C5DB24CB53E9043A9A7A1FB88FD0F488432DE4A47B24DF39D5418700

Uniqueness

Uniqueness Score: -1.00%

Function 000CBD78 Relevance: 7.5, APIs: 5, Instructions: 41networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 000CBD91
connect.WS2_32 ref: 000CBDAC
setsockopt.WS2_32 ref: 000CBDD5

Part of subcall function 000CD5FC: setsockopt.WS2_32 ref: 000CD620
Part of subcall function 000CD5FC: setsockopt.WS2_32 ref: 000CD641

shutdown.WS2_32 ref: 000CBDF6
closesocket.WS2_32 ref: 000CBDFF

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: setsockopt$closesocketconnectshutdownsocket
String ID:
API String ID: 3842021557-0
Opcode ID: 27328ef431486e4ccd6150fe7aee5901bcc8977da78e430dc3619fe71a473cf2
Instruction ID: 3844f342b50f71216971cd611169f9cd1b7d400d6bdced559224d3b2dca73331
Opcode Fuzzy Hash: 27328ef431486e4ccd6150fe7aee5901bcc8977da78e430dc3619fe71a473cf2
Instruction Fuzzy Hash: 3801403130454686EB209F16E8057A9B361F785BF8F584334DA760BBE4EF7DC5599B00

Uniqueness

Uniqueness Score: -1.00%

Function 000E9C9C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_get_osfhandle.LIBCMT ref: 000E9CB6

Part of subcall function 000E9BFC: __doserrno.LIBCMT ref: 000E9C05
Part of subcall function 000E9BFC: _errno.LIBCMT ref: 000E9C0D

_errno.LIBCMT ref: 000E9CC1

Part of subcall function 000E6944: _getptd_noexit.LIBCMT ref: 000E6948

SetFilePointerEx.KERNEL32(?,?,?,000E8F5B,?,?,00000000,000E8C1E,?,?,00000000,000E8BAD,?,?,00000001,000E8CF9), ref: 000E9CE0
GetLastError.KERNEL32(?,?,?,000E8F5B,?,?,00000000,000E8C1E,?,?,00000000,000E8BAD,?,?,00000001,000E8CF9), ref: 000E9CEA
_dosmaperr.LIBCMT ref: 000E9CF2

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: _errno$ErrorFileLastPointer__doserrno_dosmaperr_get_osfhandle_getptd_noexit
String ID:
API String ID: 1079722437-0
Opcode ID: f4bb9f9a174562d7989314af53ac5af829ca1966b2fd7a02a521ac8b9e14a618
Instruction ID: 14575432cc9c4b463b8a677631113f41192e128dfce6552bb8f86586da48cc7b
Opcode Fuzzy Hash: f4bb9f9a174562d7989314af53ac5af829ca1966b2fd7a02a521ac8b9e14a618
Instruction Fuzzy Hash: BB01B121714BC081DF209B2BF8443AD6661EB84BF0F695326EA7A17BE5DE38C4818300

Uniqueness

Uniqueness Score: -1.00%

Function 000D7AD4 Relevance: 7.5, APIs: 5, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32 ref: 000D7AF2
lstrcatA.KERNEL32 ref: 000D7B04
lstrcatA.KERNEL32 ref: 000D7B1A
OpenEventA.KERNEL32 ref: 000D7B2A
CloseHandle.KERNEL32 ref: 000D7B3D

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseEventHandleOpenlstrcpy
String ID:
API String ID: 821562950-0
Opcode ID: f7905ba8173c9a26a703ab2d41602f9b630bf911d23cd512afd113fb6448507e
Instruction ID: c9103575d78fd9b7eecf314097c3139ed3d4db95b3497c02d3dc444e28b31dc1
Opcode Fuzzy Hash: f7905ba8173c9a26a703ab2d41602f9b630bf911d23cd512afd113fb6448507e
Instruction Fuzzy Hash: 18013C3230494BD2EF718B25F8403EA7321FB88B89F444122965E47A68DE3DC25AD740

Uniqueness

Uniqueness Score: -1.00%

Function 000DE374 Relevance: 7.5, APIs: 5, Instructions: 28synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,00000000,000E0576,?,?,00000000,000E0745,?,?,?,000CD017), ref: 000DE389
WaitForSingleObject.KERNEL32(?,?,00000000,000E0576,?,?,00000000,000E0745,?,?,?,000CD017), ref: 000DE39E
CloseHandle.KERNEL32(?,?,00000000,000E0576,?,?,00000000,000E0745,?,?,?,000CD017), ref: 000DE3AB
CloseHandle.KERNEL32(?,?,00000000,000E0576,?,?,00000000,000E0745,?,?,?,000CD017), ref: 000DE3C5
CloseHandle.KERNEL32(?,?,00000000,000E0576,?,?,00000000,000E0745,?,?,?,000CD017), ref: 000DE3DF

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CloseHandle$EventObjectSingleWait
String ID:
API String ID: 2857295742-0
Opcode ID: 9da7092445767f6cdfc375947ef314cd69ae2369c2f0856b58fe605773d1f08c
Instruction ID: b655e4bb30c4958a77657d01e8a235574f71f2409b26fd20bc86863567576a81
Opcode Fuzzy Hash: 9da7092445767f6cdfc375947ef314cd69ae2369c2f0856b58fe605773d1f08c
Instruction Fuzzy Hash: 69F0AF22A06EC4C2EF959FA1D8983B82360FB84F45F0802319D1F4E650CF6D40448625

Uniqueness

Uniqueness Score: -1.00%

Function 000E41C4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000E41E7

Part of subcall function 000DCCD4: GetWindowRect.USER32 ref: 000DCCDD

MoveWindow.USER32 ref: 000E4294
RedrawWindow.USER32 ref: 000E42AC

Strings

gfff, xrefs: 000E422A

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Rect$MoveRedraw
String ID: gfff
API String ID: 3281031154-1553575800
Opcode ID: 85e0a66b6aba8cd476713c219c731bf53a0671a9afbd3529f2bf9d0d071645cf
Instruction ID: c481a3a7514ca51a9468d6b734ed5f64ca3377ffbfaff24596b7df969d5f0d75
Opcode Fuzzy Hash: 85e0a66b6aba8cd476713c219c731bf53a0671a9afbd3529f2bf9d0d071645cf
Instruction Fuzzy Hash: 8921B73662868187D768CF26F444B5EBB61F3C8794F549214FBAA53F64CB38E9058F00

Uniqueness

Uniqueness Score: -1.00%

Function 000C21B8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,000C20BA), ref: 000C21FC
RegQueryValueExW.ADVAPI32 ref: 000C223D
RegCloseKey.ADVAPI32 ref: 000C225B

Strings

SYSTEM\CurrentControlSet\services\Disk\Enum, xrefs: 000C21D1

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: SYSTEM\CurrentControlSet\services\Disk\Enum
API String ID: 3677997916-1303479782
Opcode ID: e72b78577c0b3bde5d0eaf64f9ac777a64888cb4f0ac3daf75c6b03967d93ba0
Instruction ID: 016155cf66d6f56162bf57eee510ca66c46ca23b47a57a000aa97029523f0b5e
Opcode Fuzzy Hash: e72b78577c0b3bde5d0eaf64f9ac777a64888cb4f0ac3daf75c6b03967d93ba0
Instruction Fuzzy Hash: 7B011E72614B8196D7709B10F888B9A73A4F784784F409125DA8D42E6AEF7CC159DB00

Uniqueness

Uniqueness Score: -1.00%

Function 000C98A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 000DC9D0: GetParent.USER32 ref: 000DCB18

GetWindowInfo.USER32 ref: 000C98C9
SetWindowLongPtrA.USER32 ref: 000C98F4
SetLayeredWindowAttributes.USER32 ref: 000C990B

Strings

<, xrefs: 000C98C1

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$AttributesInfoLayeredLongParent
String ID: <
API String ID: 1120277486-4251816714
Opcode ID: 20affd0adb45122e2ec8be1764d4cc8b664c7c8bb4dc1c7879897b04f90f9245
Instruction ID: 41e884108fe3e18f33233cbf4a912a7d939473849ab3df3f45c6996cf377fd11
Opcode Fuzzy Hash: 20affd0adb45122e2ec8be1764d4cc8b664c7c8bb4dc1c7879897b04f90f9245
Instruction Fuzzy Hash: BAF0BE7030430282EB30AF19A818BAD6370FB96BC4F180138EE864BB94EB3DC645DB00

Uniqueness

Uniqueness Score: -1.00%

Function 000C8B70 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,000C889E,?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000C8B7B
GetProcAddress.KERNEL32(?,?,?,?,000C889E,?,?,?,?,?,000C1F66,?,?,?,000C204A), ref: 000C8B8B

Strings

RtlSetUnhandledExceptionFilter, xrefs: 000C8B81
NTDLL.DLL, xrefs: 000C8B74

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: NTDLL.DLL$RtlSetUnhandledExceptionFilter
API String ID: 1646373207-97048080
Opcode ID: 2b1a07f8fd3cbea2bf185a2339138796587865f851aa36ac580925af8caf9a9c
Instruction ID: 61e818504303650822b600c250f701e575bd9953434ce3c915bfb21fc707b591
Opcode Fuzzy Hash: 2b1a07f8fd3cbea2bf185a2339138796587865f851aa36ac580925af8caf9a9c
Instruction Fuzzy Hash: 6AE0E230601B07C1EE64EB51FC843A423A0B794740F800125800E82B70EF3C829AE340

Uniqueness

Uniqueness Score: -1.00%

Function 000DB000 Relevance: 6.4, APIs: 5, Instructions: 122memorystringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,?,?,00000000,?,?,?,000C8A8A,?,?,?,?,?,000C1F66), ref: 000DB0A6
HeapFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,000C8A8A,?,?,?,?,?,000C1F66), ref: 000DB13A
HeapFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,000C8A8A,?,?,?,?,?,000C1F66), ref: 000DB152
HeapFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,000C8A8A,?,?,?,?,?,000C1F66), ref: 000DB16A
HeapFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,000C8A8A,?,?,?,?,?,000C1F66), ref: 000DB182

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$lstrcmpi
String ID:
API String ID: 3326462632-0
Opcode ID: 68bff36b3ad4194a11ada9d1a9c7f33619823fc426f2538995029bd18271a8ac
Instruction ID: 30e3c8698ceaa63c29f71b9303dc0104b024b0aeabde06abbf2e3e555c705a15
Opcode Fuzzy Hash: 68bff36b3ad4194a11ada9d1a9c7f33619823fc426f2538995029bd18271a8ac
Instruction Fuzzy Hash: E7418C3A600B41D6EB64DF22A8413AA37F4F748BC8F8A8417DE4853B18DF79C995C360

Uniqueness

Uniqueness Score: -1.00%

Function 000C9ECC Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32 ref: 000C9F06

Part of subcall function 000C9E08: EnterCriticalSection.KERNEL32 ref: 000C9E2D
Part of subcall function 000C9E08: LeaveCriticalSection.KERNEL32 ref: 000C9E72
Part of subcall function 000C9E08: SetWindowLongPtrA.USER32 ref: 000C9E95
Part of subcall function 000C9E08: HeapFree.KERNEL32 ref: 000C9EAE

GetClassNameA.USER32 ref: 000C9F5A
CallNextHookEx.USER32 ref: 000C9FA9
CallNextHookEx.USER32 ref: 000C9FE9

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CallHookNext$CriticalSection$ClassEnterFreeHeapLeaveLongNameWindow
String ID:
API String ID: 2202591129-0
Opcode ID: afea448b4c49635677af2669b42b90faf46ca819d5aaa2acead1ce2f748412a2
Instruction ID: c34b2d5de9d3a3cec930780bbe152c065b2881a264bb6ac3b953d3781a35e660
Opcode Fuzzy Hash: afea448b4c49635677af2669b42b90faf46ca819d5aaa2acead1ce2f748412a2
Instruction Fuzzy Hash: A831C17520424186DB348F66E9587AEB3A1F799BC8F14402EEE8D8BB65DF3DC5068704

Uniqueness

Uniqueness Score: -1.00%

Function 000ED220 Relevance: 6.1, APIs: 4, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 000ED25B
RegQueryValueExW.ADVAPI32 ref: 000ED288
RegQueryValueExW.ADVAPI32 ref: 000ED2C0
RegCloseKey.ADVAPI32 ref: 000ED300

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 78bf997ce8e1cfdf057aa069ba562a2e25ceb01fb0fe141f1b9152788ee51a93
Instruction ID: db81ec201fa27d6777fba222a5e113314568dee597c0d5faa470e0b5fcaf8fd9
Opcode Fuzzy Hash: 78bf997ce8e1cfdf057aa069ba562a2e25ceb01fb0fe141f1b9152788ee51a93
Instruction Fuzzy Hash: 3C314736B01B918AEB10CFA6D494BAC73B4F758BC8F04442AEE5963B18DF79C545C700

Uniqueness

Uniqueness Score: -1.00%

Function 000D8DC8 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,?,?,?,00000000,000D8D25,?,?,?,?,00000000,000D9783), ref: 000D8DEE
wsprintfA.USER32 ref: 000D8EB8

Strings

%08X-%04X-%04X-%04X-%08X%04X, xrefs: 000D8E00
{%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 000D8DF6

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: AllocHeapwsprintf
String ID: %08X-%04X-%04X-%04X-%08X%04X${%08X-%04X-%04X-%04X-%08X%04X}
API String ID: 578682255-2243025055
Opcode ID: f5b679cb887ae7abfcc6cb4f8353a77b26a1e8a7a8db184a4b0177752ad9c99d
Instruction ID: 45813f88c58096e9ab90ac4b172267672bd35de8627a344b043711f6aed41177
Opcode Fuzzy Hash: f5b679cb887ae7abfcc6cb4f8353a77b26a1e8a7a8db184a4b0177752ad9c99d
Instruction Fuzzy Hash: CF21F8A36182E05EE7618F3AA8503B97FE1E384786F048065FAE586F49E62CC750DF10

Uniqueness

Uniqueness Score: -1.00%

Function 000E40B8 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000E40F2
GetWindowRect.USER32 ref: 000E40FF
GetWindowRect.USER32 ref: 000E410C

Part of subcall function 000DCCD4: GetWindowRect.USER32 ref: 000DCCDD

MoveWindow.USER32 ref: 000E41A2

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Rect$Move
String ID:
API String ID: 460932116-0
Opcode ID: ce5d2a683b0fe1e8f2afb4cad0290f620068e48d33bd4a58d01f41bc5b130d1a
Instruction ID: 19eb995c3494297412946fd488f29f199284a13697793a593405b0fcd2b8989a
Opcode Fuzzy Hash: ce5d2a683b0fe1e8f2afb4cad0290f620068e48d33bd4a58d01f41bc5b130d1a
Instruction Fuzzy Hash: C4314936B10655CEEB24CF6AD844BAC77B1F34CB88F548121DE1923B18CB39D946CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000C2728 Relevance: 6.1, APIs: 4, Instructions: 69stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 000C277D
lstrcpyA.KERNEL32 ref: 000C279A
StrChrA.SHLWAPI ref: 000C27A6
GetModuleHandleA.KERNEL32 ref: 000C27CD

Part of subcall function 000C2DAC: VirtualProtect.KERNEL32 ref: 000C2E17
Part of subcall function 000C2DAC: VirtualProtect.KERNEL32 ref: 000C2EED

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$HandleModulelstrcpylstrlen
String ID:
API String ID: 763936189-0
Opcode ID: c793f19eff1310ccc7a10bea58b6b8a73a737f63ad6c375f54f14c6db99cd2d4
Instruction ID: 96819fb0b9681374590608f2b177d7f71b75a7a8d678a1545301eabdf0a349c0
Opcode Fuzzy Hash: c793f19eff1310ccc7a10bea58b6b8a73a737f63ad6c375f54f14c6db99cd2d4
Instruction Fuzzy Hash: 7B21283260AB85C6DB60CB52E584BAD73A4F788B84F044539EF8E43B45DF38D869C740

Uniqueness

Uniqueness Score: -1.00%

Function 000C4B24 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000C4598: GetModuleFileNameA.KERNEL32(?,?,0000001B,000C259E,?,?,?,000C1EEA,?,?,?,000C204A), ref: 000C45D5

Part of subcall function 000C4138: lstrcmpA.KERNEL32(?,00000001,00000000,000C2DF5,?,?,?,?,00000001,00000000,?,000C2D79,?,?,00000000,00000000), ref: 000C4197

CreateFileA.KERNEL32 ref: 000C4B9A
SetFilePointer.KERNEL32 ref: 000C4BB4
ReadFile.KERNEL32 ref: 000C4BDA
CloseHandle.KERNEL32 ref: 000C4BFB

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleModuleNamePointerReadlstrcmp
String ID:
API String ID: 3110218675-0
Opcode ID: 3703b193619ba3877231efbc32648f8fed4b28c185970b99229e89b535b6a8e3
Instruction ID: 3b8055bfd9aecaacca705febde50f9b38f8d30d951331c71846d3b4f7625ddfc
Opcode Fuzzy Hash: 3703b193619ba3877231efbc32648f8fed4b28c185970b99229e89b535b6a8e3
Instruction Fuzzy Hash: 1821993130468182EB609F65A954BAEB391F785BD4F548229DE9D47F95DF39C8098B00

Uniqueness

Uniqueness Score: -1.00%

Function 000E2958 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

VkKeyScanA.USER32 ref: 000E2993
ToAscii.USER32 ref: 000E29DF
ToAscii.USER32 ref: 000E2A06
GetKeyboardLayoutList.USER32 ref: 000E2A2A

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Ascii$KeyboardLayoutListScan
String ID:
API String ID: 2414790098-0
Opcode ID: 225b82fe78cc94311d30feed47b55b4fc23d9cb4f7058e36b7181ee5992e6bc5
Instruction ID: 012d41570344dccdb772f9fa19d3f52eecd778863dcbc266eec47a7f4672362b
Opcode Fuzzy Hash: 225b82fe78cc94311d30feed47b55b4fc23d9cb4f7058e36b7181ee5992e6bc5
Instruction Fuzzy Hash: 0B21D632618AC087E721CB26E8547DA77A1F389754F484225D7DD43A99CB7CC14ECB40

Uniqueness

Uniqueness Score: -1.00%

Function 000DCC24 Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32 ref: 000DCC4C
OpenProcess.KERNEL32 ref: 000DCC67
StrRChrA.SHLWAPI ref: 000DCC94
CloseHandle.KERNEL32 ref: 000DCCB7

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenThreadWindow
String ID:
API String ID: 1586161098-0
Opcode ID: 8387f70dc9ccfaa95054f32409066c9edb4ef1e94d5bcd655037c96d70a142e9
Instruction ID: 079a0e1dacd354a2d0c164654df1b788475d70f189d1bef16b9997ef2872f369
Opcode Fuzzy Hash: 8387f70dc9ccfaa95054f32409066c9edb4ef1e94d5bcd655037c96d70a142e9
Instruction Fuzzy Hash: 9F11513171170586EB54DFAB9440B6977A1AB88FC0F099039DF1D83B15EF35C846C750

Uniqueness

Uniqueness Score: -1.00%

Function 000C8CC4 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32 ref: 000C8D3E

Part of subcall function 000D9AC0: UnmapViewOfFile.KERNEL32(?,?,?,000D99B7), ref: 000D9AD2
Part of subcall function 000D9AC0: CloseHandle.KERNEL32(?,?,?,000D99B7), ref: 000D9AE6
Part of subcall function 000D9AC0: UnmapViewOfFile.KERNEL32(?,?,?,000D99B7), ref: 000D9AFA
Part of subcall function 000D9AC0: CloseHandle.KERNEL32(?,?,?,000D99B7), ref: 000D9B0E
Part of subcall function 000D9AC0: FindCloseChangeNotification.KERNELBASE(?,?,?,000D99B7), ref: 000D9B22
Part of subcall function 000D9AC0: CloseHandle.KERNEL32(?,?,?,000D99B7), ref: 000D9B35
Part of subcall function 000D9AC0: CloseHandle.KERNEL32(?,?,?,000D99B7), ref: 000D9B48

GetCurrentProcessId.KERNEL32 ref: 000C8D6A
OpenProcess.KERNEL32 ref: 000C8D78
TerminateProcess.KERNEL32 ref: 000C8D88

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Close$Handle$Process$FileUnmapView$ChangeCurrentFindMultipleNotificationObjectsOpenTerminateWait
String ID:
API String ID: 1069760962-0
Opcode ID: b8d212c5873c390e99d5bae5cd925ac68b656f630ebf7b4afc16071683bb4617
Instruction ID: d8ee75d2c0ac401842fa0490313f3cce69dbf271c8f3963ab21ce5763e236dd5
Opcode Fuzzy Hash: b8d212c5873c390e99d5bae5cd925ac68b656f630ebf7b4afc16071683bb4617
Instruction Fuzzy Hash: BA117F36304B44C6DB64DF6AE8847AD33E1F788B90F188539CA5A87BA0DF74C855C700

Uniqueness

Uniqueness Score: -1.00%

Function 000C9E08 Relevance: 6.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000C9E2D
LeaveCriticalSection.KERNEL32 ref: 000C9E72
SetWindowLongPtrA.USER32 ref: 000C9E95
HeapFree.KERNEL32 ref: 000C9EAE

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveLongWindow
String ID:
API String ID: 3319364134-0
Opcode ID: fadda7e58cbb0c03c9e582249ef85208ea3749f840e6d54bb3c5a839d58f8d71
Instruction ID: 81745035954c16b299fdf295acf9e78b43a5a679460a9e713e2dcdc5dffb15ac
Opcode Fuzzy Hash: fadda7e58cbb0c03c9e582249ef85208ea3749f840e6d54bb3c5a839d58f8d71
Instruction Fuzzy Hash: B7115836204B54C2EB10DF62E8843AD73A1F798F94F498529EE5E47B69DF78C995C300

Uniqueness

Uniqueness Score: -1.00%

Function 000E11CC Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000E1210
CreateFileW.KERNEL32(?,?,?,?,?,?,?,000E1000), ref: 000E1244
GetLastError.KERNEL32(?,?,?,?,?,?,?,000E1000), ref: 000E1253
CloseHandle.KERNEL32 ref: 000E1271

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseErrorHandleLast
String ID:
API String ID: 77722140-0
Opcode ID: 18e16db841135ef8f56aa0ffe254a567ae49a37e9e46eb574bbcbf3a38cd108f
Instruction ID: 80b69f551cb59431e2e84e993b864248d2adbd022e4f9aef466677f7cbd7a781
Opcode Fuzzy Hash: 18e16db841135ef8f56aa0ffe254a567ae49a37e9e46eb574bbcbf3a38cd108f
Instruction Fuzzy Hash: B411BB32710B80CAE7108F52E9487A97AA0F388FF4F144324EB6943FD4CB78C5598740

Uniqueness

Uniqueness Score: -1.00%

Function 000DB934 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000DB941
GetWindowRect.USER32 ref: 000DB952
GetWindowRect.USER32 ref: 000DB960
SetWindowPos.USER32 ref: 000DB9C4

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Rect$Parent
String ID:
API String ID: 1036685349-0
Opcode ID: 71284c73ac5ec776bd2bd381f4a38013b24bb69c50c71c270dcd03c637c7c945
Instruction ID: 4403d865340c24d4820713413dccf4d860e61d0786425ac7606db234272f7f8e
Opcode Fuzzy Hash: 71284c73ac5ec776bd2bd381f4a38013b24bb69c50c71c270dcd03c637c7c945
Instruction Fuzzy Hash: 9D111C323145428BC724CF7DFA4575ABBA1F789BD5F585224AB8587A98CE7DE0448F00

Uniqueness

Uniqueness Score: -1.00%

Function 001319AD Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 001319D1

Part of subcall function 001320B8: __fltout2.LIBCMT ref: 001320E1

__cftog_l.LIBCMT ref: 001319F7
__cftoe_l.LIBCMT ref: 00131A29

Memory Dump Source

Source File: 00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp, Offset: 0010C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10c000_svchost.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 8a64d0ee3c9a4aec172fb350b9a3d5502bf6e520ae0a837e8e8543a6d75671ef
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: D601493610118EBBCF166E84CC518EE3F22BB1D355F598515FE1859031D336C9B6AB81

Uniqueness

Uniqueness Score: -1.00%

Function 000CA37C Relevance: 6.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,000C2000), ref: 000CA398
LeaveCriticalSection.KERNEL32(?,?,?,000C2000), ref: 000CA3D7
UnhookWindowsHookEx.USER32 ref: 000CA3EB
HeapFree.KERNEL32(?,?,?,000C2000), ref: 000CA3FD

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapHookLeaveUnhookWindows
String ID:
API String ID: 3224164451-0
Opcode ID: 96b5ea01c7c229123dfaa2a26c629d103379b449ec50e5ae4f274b864bc89a04
Instruction ID: e0e14050d07a02510b2c44f2d48c166d44716b9f22db3b23b2df35794490c5e9
Opcode Fuzzy Hash: 96b5ea01c7c229123dfaa2a26c629d103379b449ec50e5ae4f274b864bc89a04
Instruction Fuzzy Hash: 2E115A36704A48C2EB649F41E8907AD7361FBD9F84F098026EB8E43724CFB8C981E341

Uniqueness

Uniqueness Score: -1.00%

Function 000C8474 Relevance: 6.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000000,000C8680,?,?,?,000C1F98,?,?,?,000C204A), ref: 000C84B5
VirtualProtect.KERNEL32(?,?,00000000,000C8680,?,?,?,000C1F98,?,?,?,000C204A), ref: 000C84D0
VirtualProtect.KERNEL32(?,?,00000000,000C8680,?,?,?,000C1F98,?,?,?,000C204A), ref: 000C84F5
VirtualProtect.KERNEL32(?,?,00000000,000C8680,?,?,?,000C1F98,?,?,?,000C204A), ref: 000C8513

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 64516a80fe14f39ab41b1a0556666e7b4fbb1f0bcb2de505d703b9674936bf98
Instruction ID: 1ce68510409df73a1b8142714a9af1a7ac23b79b4354180aa369c502c6465723
Opcode Fuzzy Hash: 64516a80fe14f39ab41b1a0556666e7b4fbb1f0bcb2de505d703b9674936bf98
Instruction Fuzzy Hash: DA114F36725A46D7DB50CF26E444B9D7721FB88B84F889126EB4A07B68CF3DD456CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000DE210 Relevance: 6.0, APIs: 4, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 000DE239
RedrawWindow.USER32 ref: 000DE251
PrintWindow.USER32 ref: 000DE260
Sleep.KERNEL32 ref: 000DE26C

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Window$PrintRedrawSleep
String ID:
API String ID: 1013652024-0
Opcode ID: a094066401594b8f525c82b33f830ce8205924a9bda7a60e5a4d46974fe331a0
Instruction ID: 5d16c65863384dad8f1d2df64d726ed336e670a6a208c8fc1418cb993fcbd7cd
Opcode Fuzzy Hash: a094066401594b8f525c82b33f830ce8205924a9bda7a60e5a4d46974fe331a0
Instruction Fuzzy Hash: 27016231314B9082E764AF57A88073A76A4F788FC0F445035DE4987F14CE39D8539704

Uniqueness

Uniqueness Score: -1.00%

Function 000DC52C Relevance: 6.0, APIs: 4, Instructions: 42threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000DC541
GetWindowThreadProcessId.USER32 ref: 000DC556
AttachThreadInput.USER32 ref: 000DC581
AttachThreadInput.USER32 ref: 000DC59F

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Thread$AttachInput$CurrentProcessWindow
String ID:
API String ID: 3335540525-0
Opcode ID: 15f8318374c15a0e550e646c658af9f7c7e43a8e5e8d8347b6a9de50acc708c5
Instruction ID: 46c3d7aed885ca651587c9f34c49d2c18a7b9f0cb56d85826426fab102de273a
Opcode Fuzzy Hash: 15f8318374c15a0e550e646c658af9f7c7e43a8e5e8d8347b6a9de50acc708c5
Instruction Fuzzy Hash: FC115E36710B82C7E7688B26E54476AB3B1F788B81F548129EB1587B48DF39D8A1CF10

Uniqueness

Uniqueness Score: -1.00%

Function 000E4D04 Relevance: 6.0, APIs: 4, Instructions: 35clipboardCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000E486A), ref: 000E4D15
CreateWindowExA.USER32 ref: 000E4D51
SetClipboardViewer.USER32(?,?,?,?,?,?,?,?,?,?,?,000E486A), ref: 000E4D66
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000E486A), ref: 000E4D75

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ClipboardCreateErrorHandleLastModuleViewerWindow
String ID:
API String ID: 123401665-0
Opcode ID: e01bc4f7c28d23fb1d10dc18237a84c7cd8c55c353e2deadb34bd21000efe962
Instruction ID: 44c4fc656b96f6def524fa1c4d0d49ffd7aff8859c8468d1cc6772fe64278a66
Opcode Fuzzy Hash: e01bc4f7c28d23fb1d10dc18237a84c7cd8c55c353e2deadb34bd21000efe962
Instruction Fuzzy Hash: 52012C32609B85C7D764CF69F59435AB7E0F78C790F144139AB8A83B18DF78C0A48B00

Uniqueness

Uniqueness Score: -1.00%

Function 000DFCC4 Relevance: 6.0, APIs: 4, Instructions: 32windowCOMMON

Download Yara Rule

APIs

CreateBitmap.GDI32 ref: 000DFCE4
CreatePatternBrush.GDI32 ref: 000DFCF0
DeleteObject.GDI32 ref: 000DFD00
GetStockObject.GDI32 ref: 000DFD0B

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CreateObject$BitmapBrushDeletePatternStock
String ID:
API String ID: 247950882-0
Opcode ID: 121a78163c96de422b795f701aab229a31baba2f4f2fac68a39544ef5ed6e7ac
Instruction ID: 789a962f30a0bc848cca5181bbd9a83d7054823c9ec68c5a25417fcf97764bbe
Opcode Fuzzy Hash: 121a78163c96de422b795f701aab229a31baba2f4f2fac68a39544ef5ed6e7ac
Instruction Fuzzy Hash: FD013770B05B42DAEB589F15F8587A973A5F388740F404039EA8E87BA0EF7CC489CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000DC4B8 Relevance: 6.0, APIs: 4, Instructions: 28windowthreadCOMMON

Download Yara Rule

APIs

SetThreadDesktop.USER32 ref: 000DC4C8

Part of subcall function 000DC108: SetWindowLongPtrA.USER32 ref: 000DC180

GetMessageA.USER32 ref: 000DC4F3
TranslateMessage.USER32 ref: 000DC502
DispatchMessageA.USER32 ref: 000DC50D

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Message$DesktopDispatchLongThreadTranslateWindow
String ID:
API String ID: 2425733056-0
Opcode ID: 7bf2022790ea841b912408c05d4e273f7b04ce75c980e038f53f0bf5e18e4150
Instruction ID: 6fe5fdc2567a28a721f21cd7378c721666b9b2686f7f2efd41d2ca8a1ea442b9
Opcode Fuzzy Hash: 7bf2022790ea841b912408c05d4e273f7b04ce75c980e038f53f0bf5e18e4150
Instruction Fuzzy Hash: A4F05432614A42D2FB309F61F958BB933E0F798B89F4801319A4945A59DF39C589DB14

Uniqueness

Uniqueness Score: -1.00%

Function 000DF578 Relevance: 6.0, APIs: 4, Instructions: 28threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32 ref: 000DF58F
GetCurrentProcessId.KERNEL32 ref: 000DF59B
PostMessageA.USER32 ref: 000DF5B4
PostThreadMessageA.USER32 ref: 000DF5C6

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostProcessThread$CurrentWindow
String ID:
API String ID: 791361056-0
Opcode ID: 16675ad8babd353257615f5dead4c70a7afc87a274af98c0e2d0f779e21e9c8f
Instruction ID: 95279644790364422ce14225296af9f066203e0788f8737bd601d266b7980dcd
Opcode Fuzzy Hash: 16675ad8babd353257615f5dead4c70a7afc87a274af98c0e2d0f779e21e9c8f
Instruction Fuzzy Hash: B5F05E32224B83C3E7649F25F494BAA73A1FBC87C1F54A431EA4246E58DF39C494CB10

Uniqueness

Uniqueness Score: -1.00%

Function 000DB790 Relevance: 6.0, APIs: 4, Instructions: 27memorysynchronizationthreadCOMMON

Download Yara Rule

APIs

PostThreadMessageA.USER32 ref: 000DB7B5
WaitForSingleObject.KERNEL32(?,?,00000000,000D7711), ref: 000DB7C7
CloseHandle.KERNEL32(?,?,00000000,000D7711), ref: 000DB7D1
HeapFree.KERNEL32(?,?,00000000,000D7711), ref: 000DB7E3

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CloseFreeHandleHeapMessageObjectPostSingleThreadWait
String ID:
API String ID: 1797912655-0
Opcode ID: a96590d19b2ea91cf18c10446d8dae1dfa0f7ab6269d5660847915524c0903cd
Instruction ID: 66de1dcf0cf4cf4d5f98464dfb0b44120ec13c3aae303c212d9466650100fbea
Opcode Fuzzy Hash: a96590d19b2ea91cf18c10446d8dae1dfa0f7ab6269d5660847915524c0903cd
Instruction Fuzzy Hash: 6DF05E36202641C3EB68DF62E8947B53361EFC8B96F184625CE1646B60CF65C4869610

Uniqueness

Uniqueness Score: -1.00%

Function 0012DE5A Relevance: 6.0, APIs: 4, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 0012DE60
__FF_MSGBANNER.LIBCMT ref: 0012DE73

Part of subcall function 0012E005: __NMSG_WRITE.LIBCMT ref: 0012E02C
Part of subcall function 0012E005: __NMSG_WRITE.LIBCMT ref: 0012E036

__NMSG_WRITE.LIBCMT ref: 0012DE7B

Part of subcall function 0012E062: ___crtMessageBoxW.LIBCMT ref: 0012E1A2

Part of subcall function 0012DE8C: _doexit.LIBCMT ref: 0012DE96

Memory Dump Source

Source File: 00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp, Offset: 0010C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10c000_svchost.jbxd

Yara matches

Similarity

API ID: ___crt$ExitMessageProcess_doexit
String ID:
API String ID: 3013061184-0
Opcode ID: a7a3077baa2f95853782cab798f794634b66fae93efadf64e57ae21c422a6640
Instruction ID: a377e221477cbdacf20933aaeb2c0657e6ad5aee3d64a9d2d5f93958a550db51
Opcode Fuzzy Hash: a7a3077baa2f95853782cab798f794634b66fae93efadf64e57ae21c422a6640
Instruction Fuzzy Hash: 35E0463114021CBBEA243B55FC0BB993F5EDB20B60F504024FA0C0C5A2EFA2AAB25585

Uniqueness

Uniqueness Score: -1.00%

Function 000D7358 Relevance: 6.0, APIs: 4, Instructions: 25stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32 ref: 000D7370
lstrcatA.KERNEL32 ref: 000D7382
lstrcatA.KERNEL32 ref: 000D7398
CreateEventA.KERNEL32 ref: 000D73AC

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateEventlstrcpy
String ID:
API String ID: 3695347688-0
Opcode ID: 23e2a34a143a102bc3317d535559aaf95573ef1b564a7c877e5403099376cc8a
Instruction ID: 35be8a80829b7bfebc4eab5e5ffed4bed865d5113dc3da1d2ccb56bfacbc792b
Opcode Fuzzy Hash: 23e2a34a143a102bc3317d535559aaf95573ef1b564a7c877e5403099376cc8a
Instruction Fuzzy Hash: DEF0587230090BD3EF348F24E8557EA2321FB8C789F804122964E4AA68DE3DC25DDB00

Uniqueness

Uniqueness Score: -1.00%

Function 000D7B58 Relevance: 6.0, APIs: 4, Instructions: 25stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32 ref: 000D7B70
lstrcatA.KERNEL32 ref: 000D7B82
lstrcatA.KERNEL32 ref: 000D7B98
CreateEventA.KERNEL32 ref: 000D7BAC

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateEventlstrcpy
String ID:
API String ID: 3695347688-0
Opcode ID: d318a8aa054aef7a63438d57dd70576a16a4cf6b553e3d453202f35f42b2766b
Instruction ID: 4f403de59161f86a5942bbcb42ce0a357534b9839171c9ee66109b23b54c86fa
Opcode Fuzzy Hash: d318a8aa054aef7a63438d57dd70576a16a4cf6b553e3d453202f35f42b2766b
Instruction Fuzzy Hash: 53F0587231090BD3EF348F24E8557EA2320FB8C789F804122964E46968DE3DC25DDB00

Uniqueness

Uniqueness Score: -1.00%

Function 000CB460 Relevance: 6.0, APIs: 4, Instructions: 25stringCOMMON

Download Yara Rule

APIs

StrDupA.SHLWAPI(?,?,0000001B,000C25CE,?,?,?,000C1EEA,?,?,?,000C204A), ref: 000CB471
_strupr.LIBCMT ref: 000CB482

Part of subcall function 000E5080: _errno.LIBCMT ref: 000E509A
Part of subcall function 000E5080: _invalid_parameter_noinfo.LIBCMT ref: 000E50A5

lstrlenA.KERNEL32(?,?,0000001B,000C25CE,?,?,?,000C1EEA,?,?,?,000C204A), ref: 000CB48A
LocalFree.KERNEL32(?,?,0000001B,000C25CE,?,?,?,000C1EEA,?,?,?,000C204A), ref: 000CB49F

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: FreeLocal_errno_invalid_parameter_noinfo_struprlstrlen
String ID:
API String ID: 1091608643-0
Opcode ID: 5e0b63674e621998c6422e9311f537dc19b88a6d497fd570c4d053cad3e3aca8
Instruction ID: 3a13cec121363e111c6ccd525c87410dd9ca501a93662dc8bd0351c8e67b39cb
Opcode Fuzzy Hash: 5e0b63674e621998c6422e9311f537dc19b88a6d497fd570c4d053cad3e3aca8
Instruction Fuzzy Hash: 8CE0922470578182EE58ABE66AA577C61946F88BD0F040438DE0643B16DE3CC8444200

Uniqueness

Uniqueness Score: -1.00%

Function 000E35FC Relevance: 6.0, APIs: 4, Instructions: 23synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageA.USER32 ref: 000E361D
WaitForSingleObject.KERNEL32 ref: 000E362D
CloseHandle.KERNEL32 ref: 000E363A
DeleteCriticalSection.KERNEL32 ref: 000E365B

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CloseCriticalDeleteHandleMessageObjectPostSectionSingleThreadWait
String ID:
API String ID: 3840051195-0
Opcode ID: 388bd53345f4971da03b954d61f3096a0ca3502bec0398369de34c0c607cab8e
Instruction ID: 4c9e61e83ed659f32402004e7020902ab23d3f63c17ec147d9168613925862e1
Opcode Fuzzy Hash: 388bd53345f4971da03b954d61f3096a0ca3502bec0398369de34c0c607cab8e
Instruction Fuzzy Hash: 59F08C32611A81C6F7609F76D89E7F833A1FB88B58F084230CE250AAA4CF35409AD310

Uniqueness

Uniqueness Score: -1.00%

Function 000C31C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000C18B6,?,?,?,000C1F8A,?,?,?,000C204A), ref: 000C31F3

Part of subcall function 000C32B0: GetModuleHandleA.KERNEL32(?,?,00000004,000C320A,?,?,?,?,?,000C18B6,?,?,?,000C1F8A), ref: 000C32F0

GetCurrentProcess.KERNEL32(?,?,?,?,?,000C18B6,?,?,?,000C1F8A,?,?,?,000C204A), ref: 000C321B

Strings

ADVAPI32.DLL, xrefs: 000C31E4

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: HandleModule$CurrentProcess
String ID: ADVAPI32.DLL
API String ID: 2298500976-33758204
Opcode ID: 5bf9a0dbe52de0bb160c6a536e305c1291d2907d56fca7566381474659fd25a3
Instruction ID: a363e7da9eb444439fa4c1b4456c6a48f7ac85348af2716c8fa38d34e45a525b
Opcode Fuzzy Hash: 5bf9a0dbe52de0bb160c6a536e305c1291d2907d56fca7566381474659fd25a3
Instruction Fuzzy Hash: 54218432314B8186DF20DF56A441BAEB7A1F7C8FD4F58812AAE8957B19CE78C641C740

Uniqueness

Uniqueness Score: -1.00%

Function 000C18CC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000C18F9

Part of subcall function 000C4B24: CreateFileA.KERNEL32 ref: 000C4B9A
Part of subcall function 000C4B24: SetFilePointer.KERNEL32 ref: 000C4BB4
Part of subcall function 000C4B24: ReadFile.KERNEL32 ref: 000C4BDA
Part of subcall function 000C4B24: CloseHandle.KERNEL32 ref: 000C4BFB

Part of subcall function 000C14F8: ReadProcessMemory.KERNEL32 ref: 000C15BB
Part of subcall function 000C14F8: ReadProcessMemory.KERNEL32 ref: 000C15E6
Part of subcall function 000C14F8: ReadProcessMemory.KERNEL32 ref: 000C163E
Part of subcall function 000C14F8: ReadProcessMemory.KERNEL32 ref: 000C1678

Strings

KERNEL32.DLL, xrefs: 000C18E7
CreateProcessA, xrefs: 000C18FF

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Read$MemoryProcess$File$Handle$CloseCreateModulePointer
String ID: CreateProcessA$KERNEL32.DLL
API String ID: 3174565021-1218825259
Opcode ID: f06a28c0f55200e4a31778d443dcc7dd22ff3b0f62d5e18cc90376fec3981a31
Instruction ID: 2e09704e859b3841bffe59f8d800e6570710003f641e261e4e8ddce8f12a2c86
Opcode Fuzzy Hash: f06a28c0f55200e4a31778d443dcc7dd22ff3b0f62d5e18cc90376fec3981a31
Instruction Fuzzy Hash: 5F112632304B8186DB60CB16B880B9AB7A4F389BD0F544529EE9C43B19DF39C5568B40

Uniqueness

Uniqueness Score: -1.00%

Function 000C808C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 000C80BE
RtlCompareUnicodeString.NTDLL ref: 000C80D8

Strings

\ThemeApiPort, xrefs: 000C80B3

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: StringUnicode$CompareInit
String ID: \ThemeApiPort
API String ID: 2360956377-4099707584
Opcode ID: 52cc1e049058bea77c8c8fccb77b563d7197bfa10398d401ec71671868733306
Instruction ID: 2a89a91a4978ab0aa6cb6f73c0f2a2a81b9e5a4c4528d356a69b79c41617d5dd
Opcode Fuzzy Hash: 52cc1e049058bea77c8c8fccb77b563d7197bfa10398d401ec71671868733306
Instruction Fuzzy Hash: B5112736205F85C6DA608B12F94039AB3A4F798FD4F588125DF8D87B29EF38D596CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000E3054 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000DC84C: GetClassNameA.USER32 ref: 000DC85E

GetWindowTextA.USER32 ref: 000E3097
lstrcmpA.KERNEL32 ref: 000E30A9

Strings

#hvnc, xrefs: 000E309D

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ClassNameTextWindowlstrcmp
String ID: #hvnc
API String ID: 876077961-3244826380
Opcode ID: b8bb0d14f63f63ca77428e2a720fd46599dbfb3aa34b6ce65e5641b3e7336bb1
Instruction ID: b2472b4ed8fa5a7ff7d64015c15a1273aef023a18d5d771dbaaf0f452429543b
Opcode Fuzzy Hash: b8bb0d14f63f63ca77428e2a720fd46599dbfb3aa34b6ce65e5641b3e7336bb1
Instruction Fuzzy Hash: 24F0903130868686DF708F1AF5947B97361F758BC9F944039DA4847915CE79C649C701

Uniqueness

Uniqueness Score: -1.00%

Function 000DCD80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32 ref: 000DCDB6
lstrcmpiA.KERNEL32(?,?,?,?,00000000,000C9A25), ref: 000DCDCC

Strings

#32770, xrefs: 000DCDC5

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ClassNamelstrcmpi
String ID: #32770
API String ID: 1927859406-463685578
Opcode ID: 461d0feb4b0c2a0f9ee989a2ce6abfe189ad0e0b4d6270644f362e42658785a3
Instruction ID: 44cf5967b75b52a5ce1bda9f606f64398659d5c235a0015d2131b9b9c0507e0d
Opcode Fuzzy Hash: 461d0feb4b0c2a0f9ee989a2ce6abfe189ad0e0b4d6270644f362e42658785a3
Instruction Fuzzy Hash: 0CF0546621528286D7318F75A8403AA77A0F75C704F440176D9CCC2A24EB1CC209DB28

Uniqueness

Uniqueness Score: -1.00%

Function 000DCBE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32 ref: 000DCC06
GetGUIThreadInfo.USER32 ref: 000DCC13

Strings

H, xrefs: 000DCBFE

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Thread$InfoProcessWindow
String ID: H
API String ID: 1382771001-2852464175
Opcode ID: c7792e4502fdac46cb300815084c4e4c952587461c51f597c5e46c91ed502e05
Instruction ID: fa778e4e99a8ce225428700fa54fa3f7dc1437761e37a9414d9b8aa22d2a5656
Opcode Fuzzy Hash: c7792e4502fdac46cb300815084c4e4c952587461c51f597c5e46c91ed502e05
Instruction Fuzzy Hash: 1EE04FA171054982DF209B66D50539D6361FBC8B49F584121A65D43A64DF3CC659CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000CC6E8 Relevance: 5.3, APIs: 4, Instructions: 268memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000CCAAC: recv.WS2_32 ref: 000CCADD
Part of subcall function 000CCAAC: GetLastError.KERNEL32 ref: 000CCB09

HeapAlloc.KERNEL32 ref: 000CC7A7
HeapAlloc.KERNEL32 ref: 000CC99C
HeapFree.KERNEL32 ref: 000CC9DA

Part of subcall function 000CCB38: HeapAlloc.KERNEL32 ref: 000CCB6D

HeapFree.KERNEL32 ref: 000CCA77

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Alloc$Free$ErrorLastrecv
String ID:
API String ID: 1246853186-0
Opcode ID: b9672399cf218efeaf6b7ffb979cf0efa6e13491316099b7cc44a921da295aca
Instruction ID: 2692455edca3da6d7416caea3c285b78f850d05fb677d91aa5697ed5efb5433e
Opcode Fuzzy Hash: b9672399cf218efeaf6b7ffb979cf0efa6e13491316099b7cc44a921da295aca
Instruction Fuzzy Hash: D8A1C4266146D19AF768DB67C510BBC77E2F785B84B08801EEFA983B45EF38D615C700

Uniqueness

Uniqueness Score: -1.00%

Function 000C44D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,000C4C70,00000000,?,00000000,000C176F), ref: 000C44E7

Part of subcall function 000C4B24: CreateFileA.KERNEL32 ref: 000C4B9A
Part of subcall function 000C4B24: SetFilePointer.KERNEL32 ref: 000C4BB4
Part of subcall function 000C4B24: ReadFile.KERNEL32 ref: 000C4BDA
Part of subcall function 000C4B24: CloseHandle.KERNEL32 ref: 000C4BFB

Strings

LoadLibraryA, xrefs: 000C44ED
KERNEL32.DLL, xrefs: 000C44E0

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: File$Handle$CloseCreateModulePointerRead
String ID: KERNEL32.DLL$LoadLibraryA
API String ID: 3967805679-1423781741
Opcode ID: 1f030ab547a996270804c6ec1db2925122fc6ac09c0e7860db79f2d95476f941
Instruction ID: 78edb20fff0a24bc73df4243a8b57e6c8a50bcdbd9577ba40da92f976cc58bf8
Opcode Fuzzy Hash: 1f030ab547a996270804c6ec1db2925122fc6ac09c0e7860db79f2d95476f941
Instruction Fuzzy Hash: 7DD01774603B06C2EF24AB06E890BA923E07B09741F850438C80C02721EF7CC58A9310

Uniqueness

Uniqueness Score: -1.00%

Function 000DCD44 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32 ref: 000DCD56
lstrcmpiA.KERNEL32 ref: 000DCD68

Strings

ConsoleWindowClass, xrefs: 000DCD5C

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: ClassNamelstrcmpi
String ID: ConsoleWindowClass
API String ID: 1927859406-1331846550
Opcode ID: 26e4d4f3e94fe65db5a1d3c98626bac0fb67057912be5ac731c27d7aa2388931
Instruction ID: 5a083a534d3be7d6740ad4dbe88b60ccb990f71637d27b4c25d03e54c9fea319
Opcode Fuzzy Hash: 26e4d4f3e94fe65db5a1d3c98626bac0fb67057912be5ac731c27d7aa2388931
Instruction Fuzzy Hash: FAD05E35311D03C2FB705724E8517F52360B744344F804135946986DB4DF2CC20FEB00

Uniqueness

Uniqueness Score: -1.00%

Function 000CCDC8 Relevance: 5.1, APIs: 4, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000CCDEA
HeapAlloc.KERNEL32 ref: 000CCDFF
LeaveCriticalSection.KERNEL32 ref: 000CCE9B
HeapFree.KERNEL32 ref: 000CCEB2

Part of subcall function 000CCBC8: select.WS2_32 ref: 000CCC57
Part of subcall function 000CCBC8: send.WS2_32 ref: 000CCC75

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocEnterFreeLeaveselectsend
String ID:
API String ID: 4130084627-0
Opcode ID: fd1b3a71b012f1222bcbe133fdab8157e54cc3a572b9097ca8c2eb505f5d8424
Instruction ID: b7ecfcdc2a6c69f46539515c02e0e8150b75d4b43eed876eb9913b77734465aa
Opcode Fuzzy Hash: fd1b3a71b012f1222bcbe133fdab8157e54cc3a572b9097ca8c2eb505f5d8424
Instruction Fuzzy Hash: AF21B32230478186EB259B53E840BAEA761FB8D7E4F44402AEF8D47F15EA7DC586D700

Uniqueness

Uniqueness Score: -1.00%

Function 000D9674 Relevance: 5.0, APIs: 4, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000D968E
HeapFree.KERNEL32 ref: 000D96C6
LeaveCriticalSection.KERNEL32 ref: 000D96DF
InitializeCriticalSection.KERNEL32 ref: 000D96EC

Memory Dump Source

Source File: 00000002.00000002.2631594931.00000000000C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: true

Associated: 00000002.00000002.2631571657.00000000000C0000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.00000000000FE000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631660369.0000000000107000.00000004.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.0000000000108000.00000002.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.2631688197.000000000010B000.00000002.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c0000_svchost.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapInitializeLeave
String ID:
API String ID: 1934031791-0
Opcode ID: 84d0dddf0008fe909c8ff3d6f8f9fb8a454f9278653882a39a5191fa92d7ced9
Instruction ID: 818919c1b7a5d2ee31452437a2908dc49db846ab9216efb49a37ca652a62c3bb
Opcode Fuzzy Hash: 84d0dddf0008fe909c8ff3d6f8f9fb8a454f9278653882a39a5191fa92d7ced9
Instruction Fuzzy Hash: B4111072204A01E2EB10DF11F9903A833B1F788B85F848022DA8E43B74CFBDC999C310

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5U5ouw7ryf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Windows Analysis Report
5U5ouw7ryf.exe

Function 001A35A8 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 193
librarynativeloaderCOMMON

Function 001A3417 Relevance: 12.1, APIs: 8, Instructions: 133
threadsleepmemoryCOMMON

Function 001A289B Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 001A3268 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37
librarynativeloaderCOMMON

Function 001A321E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26
librarynativeloaderCOMMON

Function 001A2612 Relevance: 6.1, APIs: 4, Instructions: 80
nativeCOMMON

Function 001A14B0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 116
processCOMMON

Function 001A1905 Relevance: 15.1, APIs: 10, Instructions: 137
threadsleepinjectionCOMMON

Function 001A2C96 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 119
memorystringCOMMON

Function 001A32E9 Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42
COMMON

Function 001A2140 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 122
COMMON

Function 001A3097 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47
libraryloaderCOMMON

Function 001A1EF2 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 55
COMMON

Function 001A1B72 Relevance: 6.2, APIs: 4, Instructions: 154
COMMON

Function 001A227B Relevance: 6.1, APIs: 4, Instructions: 118
threadsleepCOMMON